secure nix config

Stop writing docspell config files to the world-readable nix store,
since they contain sensitive info, e.g. database passwords.

Additionally, provide a `configFile` option so users may point to a file
they've secured using their preferred secret management strategy.
This commit is contained in:
ivanbrennan 2024-07-04 11:10:40 -04:00
parent 9a9aaa5d8e
commit baf5c682b0
No known key found for this signature in database
GPG Key ID: A6F4A6CBBB9CC6A9
2 changed files with 46 additions and 10 deletions


@ -12,11 +12,6 @@ with lib; let
if cfg.runAs == null
then "docspell"
else cfg.runAs;
configFile = pkgs.writeText "docspell-joex.conf" ''
{"docspell": { "joex":
${builtins.toJSON (lib.recursiveUpdate declared_config cfg.extraConfig)}
}}
'';
defaults = {
app-id = "joex1";
base-url = "http://localhost:7878";
@ -330,6 +325,15 @@ in {
example = ["-J-Xmx1G"];
description = "The options passed to the executable for setting jvm arguments.";
};
configFile = mkOption {
type = types.nullOr types.path;
default = null;
example = literalExpression ''"''${config.sops.secrets.docspell_joex_config.path}"'';
description = ''
Path to an existing configuration file.
If null, a configuration file will be generated at /etc/docspell-joex.conf
'';
};
app-id = mkOption {
type = types.str;
@ -1763,6 +1767,17 @@ in {
};
users.groups."${user}" = mkIf (cfg.runAs == null) {};
environment.etc."docspell-joex.conf" = mkIf (cfg.configFile == null) {
text = ''
{"docspell": {"joex":
${builtins.toJSON (lib.recursiveUpdate declared_config cfg.extraConfig)}
}}
'';
user = user;
group = user;
mode = "0400";
};
# Setting up a unoconv listener to improve conversion performance
systemd.services.unoconv = let
cmd = "${pkgs.unoconv}/bin/unoconv --listener -v";
@ -1778,6 +1793,9 @@ in {
systemd.services.docspell-joex = let
args = builtins.concatStringsSep " " cfg.jvmArgs;
configFile = if cfg.configFile == null
then "/etc/docspell-joex.conf"
else "${cfg.configFile}";
cmd = "${lib.getExe' cfg.package "docspell-joex"} ${args} -- ${configFile}";
waitTarget =
if cfg.waitForTarget != null
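Review bot: The generated default does not actually leave the nix store: `environment.etc.<name>.text` is rendered into a store derivation before being installed under /etc, so the `mode = "0400"` on lines 48-57 protects only the /etc copy while the JSON built from `cfg.extraConfig` (database password included) stays world-readable in the store; the restserver section below has the same shape. That limitation belongs in the `configFile` description, e.g. `The generated default still passes through the world-readable nix store; when the configuration carries credentials, point this option at a file managed by a secrets tool instead.`. Separately, `"${cfg.configFile}"` on lines 64-66 string-interpolates a `types.path` value, and for a Nix path literal that copies the referenced secret file into the store at evaluation time; `else toString cfg.configFile;` gives the same string without the copy, and the same applies to lines 115-117. The `systemd.services.docspell-joex` let-block continues past the hunk.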


@ -12,11 +12,6 @@ with lib; let
if cfg.runAs == null
then "docspell"
else cfg.runAs;
configFile = pkgs.writeText "docspell-restserver.conf" ''
{"docspell": {"server":
${builtins.toJSON (lib.recursiveUpdate declared_config cfg.extraConfig)}
}}
'';
defaults = {
app-name = "Docspell";
app-id = "rest1";
@ -167,6 +162,15 @@ in {
example = ["-J-Xmx1G"];
description = "The options passed to the executable for setting jvm arguments.";
};
configFile = mkOption {
type = types.nullOr types.path;
default = null;
example = literalExpression ''"''${config.sops.secrets.docspell_restserver_config.path}"'';
description = ''
Path to an existing configuration file.
If null, a configuration file will be generated at /etc/docspell-restserver.conf
'';
};
app-name = mkOption {
type = types.str;
@ -897,8 +901,22 @@ in {
};
users.groups."${user}" = mkIf (cfg.runAs == null) {};
environment.etc."docspell-restserver.conf" = mkIf (cfg.configFile == null) {
text = ''
{"docspell": {"server":
${builtins.toJSON (lib.recursiveUpdate declared_config cfg.extraConfig)}
}}
'';
user = user;
group = user;
mode = "0400";
};
systemd.services.docspell-restserver = let
args = builtins.concatStringsSep " " cfg.jvmArgs;
configFile = if cfg.configFile == null
then "/etc/docspell-restserver.conf"
else "${cfg.configFile}";
cmd = "${lib.getExe' cfg.package "docspell-restserver"} ${args} -- ${configFile}";
in {
description = "Docspell Rest Server";