nixos/onlyoffice: require a user supplied nonce (#462100)

2025-11-16 11:36:39 +00:00
parent 216089cd89 5c2683eb21
commit 8e74d05e3d
1 changed files with 7 additions and 20 deletions
--- a/nixos/modules/services/web-apps/onlyoffice.nix
+++ b/nixos/modules/services/web-apps/onlyoffice.nix
@@ -7,10 +7,6 @@

 let
  cfg = config.services.onlyoffice;
-  defaultNginxNonceFileContent = "set $secure_link_secret \"mynonce\";";
-  defaultNginxNonceFile = pkgs.writeText "onlyoffice-nonce-nginx.conf" ''
-    ${defaultNginxNonceFileContent}
-  '';
 in
 {
  options.services.onlyoffice = {
@@ -26,17 +22,14 @@ in

    securityNonceFile = lib.mkOption {
      type = lib.types.str;
-      default = "${defaultNginxNonceFile}";
-      defaultText = lib.literalExpression ''
-        (pkgs.writeText "onlyoffice-nonce-nginx.conf" \'\'
-          ${defaultNginxNonceFileContent}
-        \'\').outPath;
-      '';
+      example = "/run/keys/onlyoffice-nginx-nonce.conf";
      description = ''
-        Path to a file that contains a secret to sign web requests.
-        This file should set a 'secure_link_secret' nginx variable,
-        and ideally be managed by a
-        [secret managing scheme](https://wiki.nixos.org/wiki/Comparison_of_secret_managing_schemes).
+        File holding nginx configuration that sets the nonce used to create secret links.
+
+        Example:
+        ```
+        set $secure_link_secret "changeme";
+        ```
      '';
    };

@@ -103,12 +96,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    warnings = [
-      (lib.optionalString (cfg.securityNonceFile == "${defaultNginxNonceFile}") ''
-        Please set `options.services.onlyoffice.securityNonceFile`
-        to avoid an (albeit unlikely) information disclosure issue.
-      '')
-    ];
    services = {
      nginx = {
        enable = lib.mkDefault true;