nixos/healthchecks: enable _FILE variants for all secrets

This change enables _FILE variants for all secrets in Healthchecks configuration so they can be read from a file and not stored in /nix/store. In particular, it adds support for these secrets: DB_PASSWORD, DISCORD_CLIENT_SECRET, EMAIL_HOST_PASSWORD, LINENOTIFY_CLIENT_SECRET, MATRIX_ACCESS_TOKEN, PD_APP_ID, PUSHBULLET_CLIENT_SECRET, PUSHOVER_API_TOKEN, S3_SECRET_KEY, SECRET_KEY, SLACK_CLIENT_SECRET, TELEGRAM_TOKEN, TRELLO_APP_KEY, and TWILIO_AUTH.
2024-09-29 23:52:55 +00:00 · 2023-08-25 21:46:07 +01:00 · 2023-08-25 21:46:07 +01:00 · 7f5e8a0113
commit 7f5e8a0113
parent 4a81613aa6
2 changed files with 35 additions and 20 deletions
--- a/nixos/modules/services/web-apps/healthchecks.nix
+++ b/nixos/modules/services/web-apps/healthchecks.nix
@ -104,11 +104,16 @@ in
        See <https://healthchecks.io/docs/self_hosted_configuration/>
        for a full documentation of settings.

-        We add two variables to this list inside the packages `local_settings.py.`
-        - STATIC_ROOT to set a state directory for dynamically generated static files.
-        - SECRET_KEY_FILE to read SECRET_KEY from a file at runtime and keep it out of /nix/store.
-        - EMAIL_HOST_PASSWORD_FILE to read EMAIL_HOST_PASSWORD from a file at runtime and keep it
-          out of /nix/store.
+        We add additional variables to this list inside the packages `local_settings.py.`
+        - `STATIC_ROOT` to set a state directory for dynamically generated static files.
+        - `SECRET_KEY_FILE` to read `SECRET_KEY` from a file at runtime and keep it out of
+          /nix/store.
+        - `_FILE` variants for several values that hold sensitive information in
+          [Healthchecks configuration](https://healthchecks.io/docs/self_hosted_configuration/) so
+          that they also can be read from a file and kept out of /nix/store. To see which values
+          have support for a `_FILE` variant, run:
+          - `nix-instantiate --eval --expr '(import <nixpkgs> {}).healthchecks.secrets'`
+          - or `nix eval 'nixpkgs#healthchecks.secrets'` if the flake support has been enabled.
      '';
      type = types.submodule (settings: {
        freeformType = types.attrsOf types.str;
@ -165,12 +170,6 @@ in
            '';
            description = lib.mdDoc "Database name.";
          };
-
-          EMAIL_HOST_PASSWORD_FILE = mkOption {
-            type = types.str;
-            default = "";
-            description = lib.mdDoc "Path to a file containing the email password.";
-          };
        };
      });
    };
--- a/pkgs/servers/web-apps/healthchecks/default.nix
+++ b/pkgs/servers/web-apps/healthchecks/default.nix
@ -39,20 +39,36 @@ py.pkgs.buildPythonApplication rec {
    whitenoise
  ];

+  secrets = [
+    "DB_PASSWORD"
+    "DISCORD_CLIENT_SECRET"
+    "EMAIL_HOST_PASSWORD"
+    "LINENOTIFY_CLIENT_SECRET"
+    "MATRIX_ACCESS_TOKEN"
+    "PD_APP_ID"
+    "PUSHBULLET_CLIENT_SECRET"
+    "PUSHOVER_API_TOKEN"
+    "S3_SECRET_KEY"
+    "SECRET_KEY"
+    "SLACK_CLIENT_SECRET"
+    "TELEGRAM_TOKEN"
+    "TRELLO_APP_KEY"
+    "TWILIO_AUTH"
+  ];
+
  localSettings = writeText "local_settings.py" ''
    import os

    STATIC_ROOT = os.getenv("STATIC_ROOT")

-    SECRET_KEY_FILE = os.getenv("SECRET_KEY_FILE")
-    if SECRET_KEY_FILE:
-        with open(SECRET_KEY_FILE, "r") as file:
-            SECRET_KEY = file.readline()
-
-    EMAIL_HOST_PASSWORD_FILE = os.getenv("EMAIL_HOST_PASSWORD_FILE")
-    if EMAIL_HOST_PASSWORD_FILE:
-        with open(EMAIL_HOST_PASSWORD_FILE, "r") as file:
-            EMAIL_HOST_PASSWORD = file.readline()
+    ${lib.concatLines (map
+      (secret: ''
+        ${secret}_FILE = os.getenv("${secret}_FILE")
+        if ${secret}_FILE:
+            with open(${secret}_FILE, "r") as file:
+                ${secret} = file.readline()
+      '')
+      secrets)}
  '';

  installPhase = ''