Merge pull request #276306 from ambroisie/aria2-rpc-secret-file

nixos/aria2: implement 'rpcSecretFile'
2024-11-26 17:03:01 +00:00 · 2024-01-27 00:46:56 +01:00 · 2024-01-27 00:46:56 +01:00 · 117fd19a77
commit 117fd19a77
parent ae78df7a69 3092020c0c
2 changed files with 17 additions and 5 deletions
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@ -85,6 +85,13 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

 - `nitter` requires a `guest_accounts.jsonl` to be provided as a path or loaded into the default location at `/var/lib/nitter/guest_accounts.jsonl`. See [Guest Account Branch Deployment](https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment) for details.

+- `services.aria2.rpcSecret` has been replaced with `services.aria2.rpcSecretFile`.
+  This was done so that secrets aren't stored in the world-readable nix store.
+  To migrate, you will have create a file with the same exact string, and change
+  your module options to point to that file. For example, `services.aria2.rpcSecret =
+  "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
+  where the file `secret_file` contains the string `mysecret`.
+
 - Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)

 - `inetutils` now has a lower priority to avoid shadowing the commonly used `util-linux`. If one wishes to restore the default priority, simply use `lib.setPrio 5 inetutils` or override with `meta.priority = 5`.
--- a/nixos/modules/services/networking/aria2.nix
+++ b/nixos/modules/services/networking/aria2.nix
@ -18,11 +18,14 @@ let
    dir=${cfg.downloadDir}
    listen-port=${concatStringsSep "," (rangesToStringList cfg.listenPortRange)}
    rpc-listen-port=${toString cfg.rpcListenPort}
-    rpc-secret=${cfg.rpcSecret}
  '';

 in
 {
+  imports = [
+    (mkRemovedOptionModule [ "services" "aria2" "rpcSecret" ] "Use services.aria2.rpcSecretFile instead")
+  ];
+
  options = {
    services.aria2 = {
      enable = mkOption {
@ -65,11 +68,11 @@ in
        default = 6800;
        description = lib.mdDoc "Specify a port number for JSON-RPC/XML-RPC server to listen to. Possible Values: 1024-65535";
      };
-      rpcSecret = mkOption {
-        type = types.str;
-        default = "aria2rpc";
+      rpcSecretFile = mkOption {
+        type = types.path;
+        example = "/run/secrets/aria2-rpc-token.txt";
        description = lib.mdDoc ''
-          Set RPC secret authorization token.
+          A file containing the RPC secret authorization token.
          Read https://aria2.github.io/manual/en/html/aria2c.html#rpc-auth to know how this option value is used.
        '';
      };
@ -117,6 +120,7 @@ in
          touch "${sessionFile}"
        fi
        cp -f "${settingsFile}" "${settingsDir}/aria2.conf"
+        echo "rpc-secret=$(cat "$CREDENTIALS_DIRECTORY/rpcSecretFile")" >> "${settingsDir}/aria2.conf"
      '';

      serviceConfig = {
@ -125,6 +129,7 @@ in
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        User = "aria2";
        Group = "aria2";
+        LoadCredential="rpcSecretFile:${cfg.rpcSecretFile}";
      };
    };
  };