nixos/healthchecks: enable _FILE variants for all secrets
This change enables _FILE variants for all secrets in Healthchecks configuration so they can be read from a file and not stored in /nix/store. In particular, it adds support for these secrets: DB_PASSWORD, DISCORD_CLIENT_SECRET, EMAIL_HOST_PASSWORD, LINENOTIFY_CLIENT_SECRET, MATRIX_ACCESS_TOKEN, PD_APP_ID, PUSHBULLET_CLIENT_SECRET, PUSHOVER_API_TOKEN, S3_SECRET_KEY, SECRET_KEY, SLACK_CLIENT_SECRET, TELEGRAM_TOKEN, TRELLO_APP_KEY, and TWILIO_AUTH.
This commit is contained in:
parent
4a81613aa6
commit
7f5e8a0113
@ -104,11 +104,16 @@ in
|
||||
See <https://healthchecks.io/docs/self_hosted_configuration/>
|
||||
for a full documentation of settings.
|
||||
|
||||
We add two variables to this list inside the packages `local_settings.py.`
|
||||
- STATIC_ROOT to set a state directory for dynamically generated static files.
|
||||
- SECRET_KEY_FILE to read SECRET_KEY from a file at runtime and keep it out of /nix/store.
|
||||
- EMAIL_HOST_PASSWORD_FILE to read EMAIL_HOST_PASSWORD from a file at runtime and keep it
|
||||
out of /nix/store.
|
||||
We add additional variables to this list inside the packages `local_settings.py.`
|
||||
- `STATIC_ROOT` to set a state directory for dynamically generated static files.
|
||||
- `SECRET_KEY_FILE` to read `SECRET_KEY` from a file at runtime and keep it out of
|
||||
/nix/store.
|
||||
- `_FILE` variants for several values that hold sensitive information in
|
||||
[Healthchecks configuration](https://healthchecks.io/docs/self_hosted_configuration/) so
|
||||
that they also can be read from a file and kept out of /nix/store. To see which values
|
||||
have support for a `_FILE` variant, run:
|
||||
- `nix-instantiate --eval --expr '(import <nixpkgs> {}).healthchecks.secrets'`
|
||||
- or `nix eval 'nixpkgs#healthchecks.secrets'` if the flake support has been enabled.
|
||||
'';
|
||||
type = types.submodule (settings: {
|
||||
freeformType = types.attrsOf types.str;
|
||||
@ -165,12 +170,6 @@ in
|
||||
'';
|
||||
description = lib.mdDoc "Database name.";
|
||||
};
|
||||
|
||||
EMAIL_HOST_PASSWORD_FILE = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = lib.mdDoc "Path to a file containing the email password.";
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
|
@ -39,20 +39,36 @@ py.pkgs.buildPythonApplication rec {
|
||||
whitenoise
|
||||
];
|
||||
|
||||
secrets = [
|
||||
"DB_PASSWORD"
|
||||
"DISCORD_CLIENT_SECRET"
|
||||
"EMAIL_HOST_PASSWORD"
|
||||
"LINENOTIFY_CLIENT_SECRET"
|
||||
"MATRIX_ACCESS_TOKEN"
|
||||
"PD_APP_ID"
|
||||
"PUSHBULLET_CLIENT_SECRET"
|
||||
"PUSHOVER_API_TOKEN"
|
||||
"S3_SECRET_KEY"
|
||||
"SECRET_KEY"
|
||||
"SLACK_CLIENT_SECRET"
|
||||
"TELEGRAM_TOKEN"
|
||||
"TRELLO_APP_KEY"
|
||||
"TWILIO_AUTH"
|
||||
];
|
||||
|
||||
localSettings = writeText "local_settings.py" ''
|
||||
import os
|
||||
|
||||
STATIC_ROOT = os.getenv("STATIC_ROOT")
|
||||
|
||||
SECRET_KEY_FILE = os.getenv("SECRET_KEY_FILE")
|
||||
if SECRET_KEY_FILE:
|
||||
with open(SECRET_KEY_FILE, "r") as file:
|
||||
SECRET_KEY = file.readline()
|
||||
|
||||
EMAIL_HOST_PASSWORD_FILE = os.getenv("EMAIL_HOST_PASSWORD_FILE")
|
||||
if EMAIL_HOST_PASSWORD_FILE:
|
||||
with open(EMAIL_HOST_PASSWORD_FILE, "r") as file:
|
||||
EMAIL_HOST_PASSWORD = file.readline()
|
||||
${lib.concatLines (map
|
||||
(secret: ''
|
||||
${secret}_FILE = os.getenv("${secret}_FILE")
|
||||
if ${secret}_FILE:
|
||||
with open(${secret}_FILE, "r") as file:
|
||||
${secret} = file.readline()
|
||||
'')
|
||||
secrets)}
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
|
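Review bot: The generated `${secret} = file.readline()` on the last line of each snippet keeps the trailing newline, so a secret file that ends in `\n` (the common case for files written by editors and by most secret-provisioning tools) yields a `DB_PASSWORD`, `TELEGRAM_TOKEN`, etc. with an extra byte that is presumably sent verbatim to the remote service and rejected. The removed SECRET_KEY/EMAIL_HOST_PASSWORD code had the same behaviour, but the commit now stamps it out for all fourteen entries of `secrets`, so this is the place to fix it: `${secret} = file.readline().rstrip("\n")`. Prefer `rstrip("\n")` over `strip()` so only the line terminator is dropped and whitespace that is genuinely part of a value survives; text-mode `open` already normalises `\r\n` to `\n`. The enclosing `buildPythonApplication rec { … }` set begins before this hunk and `installPhase` continues after it.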