Zammad: more fixes

2022-02-16 00:49:51 -05:00
parent aac7f85483
commit 75fe105a3d
3 changed files with 41 additions and 15 deletions
--- a/nixos/modules/services/development/zammad.nix
+++ b/nixos/modules/services/development/zammad.nix
@@ -5,6 +5,7 @@ with lib;
 let
  cfg = config.services.zammad;
  settingsFormat = pkgs.formats.yaml { };
+  filterNull = filterAttrs (_: v: v != null);
  serviceConfig = {
    Type = "simple";
    Restart = "always";
@@ -14,8 +15,6 @@ let
    PrivateTmp = true;
    StateDirectory = "zammad";
    WorkingDirectory = cfg.dataDir;
-
-    EnvironmentFile = cfg.secretsFile;
  };
  environment = {
    RAILS_ENV = "production";
@@ -139,26 +138,36 @@ in {
        };
      };

-      secretsFile = mkOption {
+      secretKeyBaseFile = mkOption {
        type = types.nullOr types.path;
        default = null;
+        example = "/run/keys/secret_key_base";
        description = ''
-          Path of a file containing secrets the format of EnvironmentFile as
-          described by systemd.exec(5). You must to define:
-            - PGPASSWORD
-            - SECRET_KEY_BASE
-          SECRET_KEY_BASE can be generated using:
-            ruby -e "require 'securerandom'; puts SecureRandom.hex(64)"
+          The path to a file containing the
+          <literal>secret_key_base</literal> secret.
+
+          Zammad uses <literal>secret_key_base</literal> to encrypt
+          the cookie store, which contains session data, and to digest
+          user auth tokens.
+
+          Needs to be a 64 byte long string of hexadecimal
+          characters. You can generate one by running
+
+          <screen>
+          <prompt>$ </prompt>openssl rand -hex 64 >/path/to/secret_key_base_file
+          </screen>
+
+          This should be a string, not a nix path, since nix paths are
+          copied into the world-readable nix store.
        '';
      };
    };
-
  };

  config = mkIf cfg.enable {

    services.zammad.database.settings = {
-      production = (mapAttrs (_: v: mkDefault v) {
+      production = mapAttrs (_: v: mkDefault v) (filterNull {
        adapter = {
          PostgreSQL = "postgresql";
          MySQL = "mysql2";
@@ -169,7 +178,7 @@ in {
        encoding = "utf8";
        username = cfg.database.user;
        host = cfg.database.host;
-        port = lib.mkIf (cfg.database.port != null) cfg.database.port
+        port = cfg.database.port;
      });
    };

@@ -242,6 +251,20 @@ in {
        chmod -R u+w .
        # config file
        cp ${databaseConfig} ./config/database.yml
+        chmod -R u+w .
+        ${optionalString (cfg.database.passwordFile != null) ''
+        {
+          echo -n "  password: "
+          cat ${cfg.database.passwordFile}
+        } >> ./config/database.yml
+        ''}
+        ${optionalString (cfg.secretKeyBaseFile != null) ''
+        {
+          echo "production: "
+          echo -n "  secret_key_base: "
+          cat ${cfg.secretKeyBaseFile}
+        } > ./config/secrets.yml
+        ''}
        if [ `${config.services.postgresql.package}/bin/psql \
                  --host ${cfg.database.host} \
                  ${optionalString