openvpn: add option to store credentials #33890
Conversation
@@ -161,6 +166,27 @@ in | |||
''; | |||
}; | |||
|
|||
authUserPass = mkOption { |
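Review bot: The description of the new authUserPass option should state that the username and password end up in a generated file in the Nix store, which every local user can read, and should point users who need the credentials protected to an auth-user-pass line with a file path outside the store in services.openvpn.servers.<name>.config instead; without that note the option silently trades confidentiality for convenience.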
There should be a warning that using this option will put the user and password world-readable in the Nix store.
To avoid this, a user would have to specify a file path for auth-user-pass in services.openvpn.servers.<name>.config instead.
For the latter, we could also provide an option.
Setting the credentials inside the NixOS configuration would really help in many situations, even with the compromise of a world-readable username/password.
I'm not entirely sure, though, if we should provide an additional option to configure a custom credentials file, as this is just a generic OpenVPN option. I guess it would make more sense when, at some point, the OpenVPN configuration can be done with the Nix language entirely. The only reason for this change is that it is not possible to set the credentials from the NixOS configuration otherwise. What do you think?
Also, I guess that this use-case is not the only one which could benefit from credentials being stored somewhat safely inside the Nix store. Is there really no option to accomplish that / something planned?
See NixOS/nix#8 and NixOS/rfcs#5
It's not trivial to solve. Therefore we need to live with the status quo.
Thanks!
Motivation for this change
Many commercial and also a few private OpenVPN servers don't allow public/private key based authentication but instead require a username/password combination. This change allows these credentials to be set inside the NixOS configuration, enabling automatic connection to these VPNs.
Things done
Checklist (PR template, only fragments recoverable): build-use-sandbox in nix.conf (on non-NixOS); nix-shell -p nox --run "nox-review wip"; ./result/bin/
I'm currently facing the issue that the generated credentials file inside the Nix store is readable by all users. I have not found any way to set permissions with the pkgs.writeTextFile functions. Is it possible to protect the credentials file and, if so, how can I accomplish that?
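The file-path alternative raised in the review comments, and the answer to the permissions question above, as an added example that is not part of the PR or of the nixpkgs OpenVPN module: the pattern that lands the credentials in the world-readable Nix store is shown in a comment next to a configuration that keeps them in a root-only file outside the store, plus a build-time assertion that catches a later regression. The server name myvpn, the paths under /root/openvpn and the remote host are assumptions.

```nix
{ config, lib, pkgs, ... }:

let
  # Assumed server name and credential file (not from the PR). The file holds
  # two lines: username, then password.
  name = "myvpn";
  credFile = "/root/openvpn/${name}.auth";
  cfg = config.services.openvpn.servers.${name};
in
{
  # Rejected pattern: generating the file from the configuration (what the PR
  # does internally with pkgs.writeText) produces a /nix/store path, and every
  # local user can read the store. Do NOT do this for secrets:
  #
  #   auth-user-pass ${pkgs.writeText "${name}.auth" "alice\nhunter2\n"}

  # Preferred pattern: reference a file that is NOT in the store. Create it
  # out of band as root, so its contents never enter the evaluation:
  #   mkdir -m 0700 -p /root/openvpn
  #   (umask 077; printf 'alice\nhunter2\n' > /root/openvpn/myvpn.auth)
  # The module runs OpenVPN as root, so a 0600 root-owned file is readable.
  services.openvpn.servers.${name} = {
    autoStart = true;
    config = ''
      client
      dev tun
      proto udp
      remote vpn.example.invalid 1194
      ca /root/openvpn/ca.crt
      auth-user-pass ${credFile}
    '';
  };

  # Build-time guard: fail evaluation if anyone later points auth-user-pass at
  # a store path for this server. Nix strips the common indentation of a ''
  # string, so each line can be tested by prefix.
  assertions = [{
    assertion = !(lib.any (lib.hasPrefix "auth-user-pass /nix/store/")
                          (lib.splitString "\n" cfg.config));
    message = "services.openvpn.servers.${name}: credentials must not be in the Nix store";
  }];
}
```

The credentials file has to exist before the service starts; since it is referenced only by path, a rebuild never copies or rotates it, so rotation is done on the file itself followed by a restart of the openvpn-myvpn unit.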