Merge pull request #99934 from mayflower/murmur-env

nixos/murmur: add option `environmentFile` for injecting secrets
This commit is contained in:
Linus Heckemann 2020-10-07 13:56:32 +02:00 committed by GitHub
commit 8e2796d64a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 58 additions and 10 deletions

View File

@ -241,6 +241,34 @@ in
default = "";
description = "Extra configuration to put into murmur.ini.";
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/lib/murmur/murmurd.env";
description = ''
Environment file as defined in <citerefentry>
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
Secrets may be passed to the service without adding them to the world-readable
Nix store, by specifying placeholder variables as the option value in Nix and
setting these variables accordingly in the environment file.
<programlisting>
# snippet of murmur-related config
services.murmur.password = "$MURMURD_PASSWORD";
</programlisting>
<programlisting>
# content of the environment file
MURMURD_PASSWORD=verysecretpassword
</programlisting>
Note that this file needs to be available on the host on which
<literal>murmur</literal> is running.
'';
};
};
};
@ -256,14 +284,22 @@ in
description = "Murmur Chat Service";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target "];
preStart = ''
${pkgs.envsubst}/bin/envsubst \
-o /run/murmur/murmurd.ini \
-i ${configFile}
'';
serviceConfig = {
# murmurd doesn't fork when logging to the console.
Type = if forking then "forking" else "simple";
PIDFile = mkIf forking "/run/murmur/murmurd.pid";
RuntimeDirectory = mkIf forking "murmur";
User = "murmur";
ExecStart = "${pkgs.murmur}/bin/murmurd -ini ${configFile}";
Type = if forking then "forking" else "simple";
PIDFile = mkIf forking "/run/murmur/murmurd.pid";
EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
ExecStart = "${pkgs.murmur}/bin/murmurd -ini /run/murmur/murmurd.ini";
Restart = "always";
RuntimeDirectory = "murmur";
RuntimeDirectoryMode = "0700";
User = "murmur";
};
};
};

View File

@ -5,6 +5,12 @@ let
imports = [ ./common/x11.nix ];
environment.systemPackages = [ pkgs.mumble ];
};
# outside of tests, this file should obviously not come from the nix store
envFile = pkgs.writeText "nixos-test-mumble-murmurd.env" ''
MURMURD_PASSWORD=testpassword
'';
in
{
name = "mumble";
@ -14,8 +20,10 @@ in
nodes = {
server = { config, ... }: {
services.murmur.enable = true;
services.murmur.enable = true;
services.murmur.registerName = "NixOS tests";
services.murmur.password = "$MURMURD_PASSWORD";
services.murmur.environmentFile = envFile;
networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
};
@ -30,8 +38,8 @@ in
client1.wait_for_x()
client2.wait_for_x()
client1.execute("mumble mumble://client1\@server/test &")
client2.execute("mumble mumble://client2\@server/test &")
client1.execute("mumble mumble://client1:testpassword\@server/test &")
client2.execute("mumble mumble://client2:testpassword\@server/test &")
# cancel client audio configuration
client1.wait_for_window(r"Audio Tuning Wizard")
@ -63,8 +71,12 @@ in
client2.send_chars("y")
# Find clients in logs
server.wait_until_succeeds("journalctl -eu murmur -o cat | grep -q client1")
server.wait_until_succeeds("journalctl -eu murmur -o cat | grep -q client2")
server.wait_until_succeeds(
"journalctl -eu murmur -o cat | grep -q 'client1.\+Authenticated'"
)
server.wait_until_succeeds(
"journalctl -eu murmur -o cat | grep -q 'client2.\+Authenticated'"
)
server.sleep(5) # wait to get screenshot
client1.screenshot("screen1")