From 10eed48d10d1328621cda42bc2cf25a2fb53b209 Mon Sep 17 00:00:00 2001
From: clerie
Date: Fri, 15 Jan 2021 12:54:14 +0100
Subject: [PATCH] nixos/gitea: make more secrets persistent (#108676)
Added JWT_SECRET and INTERNAL_TOKEN to be persistent, like SECRET_KEY and LFS_JWT_SECRET do. Also renamed some vars belonging to SECRET_KEY and LFS_JWT_SECRET to get a consistent naming scheme over all secrets.
---
 nixos/modules/services/misc/gitea.nix | 50 ++++++++++++++++++++++-----
 1 file changed, 41 insertions(+), 9 deletions(-)
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 7eb52fef43d5..2735185ec888 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -349,7 +349,7 @@ in
 {
 DOMAIN = cfg.domain;
 STATIC_ROOT_PATH = cfg.staticRootPath;
- LFS_JWT_SECRET = "#jwtsecret#";
+ LFS_JWT_SECRET = "#lfsjwtsecret#";
 ROOT_URL = cfg.rootUrl;
 }
 (mkIf cfg.enableUnixSocket {
@@ -381,6 +381,7 @@ in
 security = {
 SECRET_KEY = "#secretkey#";
+ INTERNAL_TOKEN = "#internaltoken#";
 INSTALL_LOCK = true;
 };
@@ -396,6 +397,10 @@ in
 mailer = mkIf (cfg.mailerPasswordFile != null) {
 PASSWD = "#mailerpass#";
 };
+
+ oauth2 = {
+ JWT_SECRET = "#oauth2jwtsecret#";
+ };
 };
 services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) {
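Review bot: INTERNAL_TOKEN is added to the `security` section as a placeholder that is rendered into app.ini and later filled in by the sed pass in the last hunk, so the token lives in the rendered config file next to SECRET_KEY. Gitea also accepts INTERNAL_TOKEN_URI = file:<path> in that section, which makes it read the token from a file instead; the `internal_token` file that preStart now generates would be the natural target, e.g. `INTERNAL_TOKEN_URI = "file:${cfg.stateDir}/custom/conf/internal_token";`, keeping one more secret out of the config file and out of the sed substitution. The rendered file is chmod 640 at the end of preStart, so this is a hardening option rather than a defect; confirm the setting against the Gitea version the module targets before switching.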
@@ -455,10 +460,20 @@ in
 wantedBy = [ "multi-user.target" ];
 path = [ gitea pkgs.git ];
+ # In older versions the secret naming for JWT was kind of confusing.
+ # The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET
+ # wasn't persistant at all.
+ # To fix that, there is now the file oauth2_jwt_secret containing the
+ # values for JWT_SECRET and the file jwt_secret gets renamed to
+ # lfs_jwt_secret.
+ # We have to consider this to stay compatible with older installations.
 preStart = let
 runConfig = "${cfg.stateDir}/custom/conf/app.ini";
 secretKey = "${cfg.stateDir}/custom/conf/secret_key";
- jwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret";
+ oauth2JwtSecret = "${cfg.stateDir}/custom/conf/oauth2_jwt_secret";
+ oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET
+ lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET
+ internalToken = "${cfg.stateDir}/custom/conf/internal_token";
 in ''
 # copy custom configuration and generate a random secret key if needed
 ${optionalString (cfg.useWizard == false) ''
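Review bot: The new comment block above `preStart` has two wording slips that every future maintainer of the migration will read: `hold` should be `holds` and `persistant` should be `persistent`. It would also help readers to state where and under which condition the rename happens, since the shell that performs it is several screens below; a suggested closing sentence is `The rename from jwt_secret to lfs_jwt_secret is done in preStart below and only when lfs_jwt_secret does not exist yet.` The preStart definition this comment describes continues past the end of the hunk.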
@@ -468,24 +483,41 @@ in
 ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
 fi
- if [ ! -e ${jwtSecret} ]; then
- ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret}
+ # Migrate LFS_JWT_SECRET filename
+ if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then
+ mv ${oldLfsJwtSecret} ${lfsJwtSecret}
 fi
- KEY="$(head -n1 ${secretKey})"
+ if [ ! -e ${oauth2JwtSecret} ]; then
+ ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret}
+ fi
+
+ if [ ! -e ${lfsJwtSecret} ]; then
+ ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret}
+ fi
+
+ if [ ! -e ${internalToken} ]; then
+ ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
+ fi
+
+ SECRETKEY="$(head -n1 ${secretKey})"
 DBPASS="$(head -n1 ${cfg.database.passwordFile})"
- JWTSECRET="$(head -n1 ${jwtSecret})"
+ OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})"
+ LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})"
+ INTERNALTOKEN="$(head -n1 ${internalToken})"
 ${if (cfg.mailerPasswordFile == null) then ''
 MAILERPASSWORD="#mailerpass#"
 '' else ''
 MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
 ''}
- sed -e "s,#secretkey#,$KEY,g" \
+ sed -e "s,#secretkey#,$SECRETKEY,g" \
 -e "s,#dbpass#,$DBPASS,g" \
- -e "s,#jwtsecret#,$JWTSECRET,g" \
+ -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
+ -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
+ -e "s,#internaltoken#,$INTERNALTOKEN,g" \
 -e "s,#mailerpass#,$MAILERPASSWORD,g" \
 -i ${runConfig}
- chmod 640 ${runConfig} ${secretKey} ${jwtSecret}
+ chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken}
 ''}
 # update all hooks' binary paths
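Review bot: The three new `if [ ! -e … ]` blocks let the shell redirection create the secret file before `gitea generate secret` runs, so if the generator fails the empty file stays behind and every later start treats it as a valid secret: `head -n1` then yields an empty string that is substituted for `#oauth2jwtsecret#`, `#lfsjwtsecret#` or `#internaltoken#` in app.ini. The files are also created under the service's default umask and only tightened by the `chmod 640` at the end, so a run that aborts in between can leave them wider than intended until the next successful start. Writing each secret through a temporary file under a private umask and moving it into place only on success closes both gaps, and testing with `-s` instead of `-e` lets a previously truncated file be regenerated; the pre-existing SECRET_KEY block just above the hunk has the same shape but is not part of this change. The preStart script starts before and ends after this hunk.
```nix
          # Write each secret through a temporary file under a private umask and
          # move it into place only once the generator succeeded, so an aborted
          # run leaves neither an empty nor an over-permissive secret behind.
          if [ ! -s ${oauth2JwtSecret} ]; then
            (umask 077; ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret}.tmp) \
              && mv ${oauth2JwtSecret}.tmp ${oauth2JwtSecret}
          fi

          if [ ! -s ${lfsJwtSecret} ]; then
            (umask 077; ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret}.tmp) \
              && mv ${lfsJwtSecret}.tmp ${lfsJwtSecret}
          fi

          if [ ! -s ${internalToken} ]; then
            (umask 077; ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}.tmp) \
              && mv ${internalToken}.tmp ${internalToken}
          fi
          # … unchanged: reading the secrets into shell variables, sed substitution, chmod 640 …
```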