New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Passopolis password manager service #25907
Conversation
5920ef4
to
251a555
Compare
|
||
db_url = mkOption { | ||
default = "jdbc:postgresql://localhost:5432/passopolis"; | ||
description = "Database URL"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would not
type = types.str;
be applicable here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
nixos/modules/misc/ids.nix
Outdated
@@ -294,6 +294,7 @@ | |||
jackett = 276; | |||
aria2 = 277; | |||
clickhouse = 278; | |||
passopolis = 279; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As it seems to not to persist data to disk, it does not require a fixed uid. If that's the case, just remove this line. The uid will be then allocated dynamically.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
}; | ||
|
||
db_url = mkOption { | ||
default = "jdbc:postgresql://localhost:5432/passopolis"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this url contains database passwords, it would be better if the url can be also stored outside of nix store in a file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From what I can tell, the app doesn't support authenticated database url's at this time. I'm not a java programmer, so I could be wrong. Where would you persist the credentials if it could potentially contain user/password?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to that url https://www.petefreitag.com/articles/jdbc_urls/ the underlying library can.
I would then look similar to this example: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/gogs.nix#L116
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The only way according the the team developing it to set that db_url is as a runtime parameter (there's no app.properties or anything yet to store parameters), so if someone launches the app and has credentials in the db_url, anyone on the system can run a ps and see those credentials. Once a config system is added for the application, I completely agree that keeping the credentials out of the nix store is the better way to go or better yet encrypting in the store if RFC 0005 gets implemented.
meta = { | ||
homepage = "https://github.com/WeAreWizards/passopolis-server"; | ||
description = "A well-designed, well-functioning and secure secret manager."; | ||
license = stdenv.lib.licenses.gpl3; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you want to maintain this package?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes I would. Should I squash the commit and force push so it's only one commit?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can squash that too when merging. Can you add yourself as maintainer then? https://github.com/nixos-users/wiki/wiki/Get-Involved#becoming-a-nixpkgs-maintainer
pkgs/servers/passopolis/default.nix
Outdated
url = "https://github.com/WeAreWizards/passopolis-server"; | ||
sha256 = "0ywmymbjcfsxv1p1j0l0lw9cb7f79h23ic1c4b5w5nb0k9f4zvfq"; | ||
rev = "${version}"; | ||
leaveDotGit = true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will the build fail, if it cannot use git to obtain its commit? Leaving .git can lead to not-reproducible artifacts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It won't fail, but it will put garbage in the build.properties file. When running the ant jar command, it generates a build.properties file with the build time, git commit and description.
pkgs/servers/passopolis/default.nix
Outdated
let | ||
version = "b827b3a6176e050deb729009676fad7e86e5393a"; | ||
in antBuild { | ||
name = "passopolis-${version}"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We usually use passopolis-unstable-<year>-<month>-<day>
here as it is more meaningful then a commit hash (where the date is the date of the commit).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
133c9a5
to
8b65875
Compare
|
||
services.passopolis = { | ||
|
||
enable = mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use mkEnableOption
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
{ stdenv, antBuild, fetchgit, git, python }: | ||
|
||
let | ||
version = "unstable-2016-05-07"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove unstable
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have suggested to add ùnstable
because of https://nixos.org/nixpkgs/manual/#sec-package-naming
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you have a better idea how things should be named, please also update the coding conventions. Otherwise it gets inconsistent across reviews.
444f50c
to
24d6871
Compare
config.services.postgresql.package | ||
]; | ||
preStart = '' | ||
mkdir -p ${cfg.statePath} | ||
chown ${cfg.user} ${cfg.statePath} | ||
if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then | ||
${lib.optionalString cfg.enablePostgreSQLDatabase '' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this makes the intention of the user a little bit more explicit and convenient.
It still requires a database password with the default settings:
This has to be provided in the database url: https://jdbc.postgresql.org/documentation/80/connect.html |
(does require a password)
I'm going to close this out. Hasn't been updated in 2 years. extension no longer builds for me as well. Going to start making the switch to keepassweb |
Motivation for this change
Adds passopolis password manager service
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)