
nixos: add sessionSecretFile option #2012


Open
wants to merge 1 commit into
base: master
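--- a/IHP/Server.hs
+++ b/IHP/Server.hs
@@ -110,11 +110,17 @@ initSessionMiddleware FrameworkConfig { sessionCookie } = do
 let path = "Config/client_session_key.aes"
 
 hasSessionSecretEnvVar <- EnvVar.hasEnvVar "IHP_SESSION_SECRET"
+hasSessionSecretFileEnvVar <- EnvVar.hasEnvVar "IHP_SESSION_SECRET_FILE"
 doesConfigDirectoryExist <- Directory.doesDirectoryExist "Config"
 store <- clientsessionStore <$>
-if hasSessionSecretEnvVar || not doesConfigDirectoryExist
-then ClientSession.getKeyEnv "IHP_SESSION_SECRET"
-else ClientSession.getKey path
+if hasSessionSecretFileEnvVar
+then do
+path <- EnvVar.env "IHP_SESSION_SECRET_FILE"
+ClientSession.getKey path
+else
+if hasSessionSecretEnvVar || not doesConfigDirectoryExist
+then ClientSession.getKeyEnv "IHP_SESSION_SECRET"
+else ClientSession.getKey path
 let sessionMiddleware :: Middleware = withSession store "SESSION" sessionCookie sessionVaultKey
 pure sessionMiddleware
 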
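Review bot: The new `then do` branch rebinds `path`, shadowing the `let path = "Config/client_session_key.aes"` at the top of the hunk, which makes the three-way fallback harder to read than it needs to be; use a distinct name, `secretFile <- EnvVar.env "IHP_SESSION_SECRET_FILE"` followed by `ClientSession.getKey secretFile`. The precedence order this introduces (secret file, then `IHP_SESSION_SECRET`, then the Config/ key file) is not stated anywhere, so a comment above the `if` such as `-- IHP_SESSION_SECRET_FILE wins over IHP_SESSION_SECRET, which wins over Config/client_session_key.aes` would help the next reader. Note also that `ClientSession.getKey` is given the path without any existence check, so behaviour when the file named by the variable is missing or unreadable depends on that library's semantics (presumably it generates and writes a key, but confirm). initSessionMiddleware starts before this hunk.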
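--- a/NixSupport/nixosModules/app.nix
+++ b/NixSupport/nixosModules/app.nix
@@ -9,6 +9,7 @@ in
 ihp.nixosModules.services_app
 ihp.nixosModules.services_worker
 ihp.nixosModules.services_migrate
+ihp.nixosModules.services_appKeygen
 ];
 
 # Pin the nixpkgs to the IHP nixpkgs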
15 changes: 15 additions & 0 deletions NixSupport/nixosModules/options.nix
@@ -68,6 +68,21 @@ with lib;

sessionSecret = mkOption {
type = types.str;
descriptiom = ''
It's recommended to use sessionSecretFile instead
'';
};

sessionSecretFile = mkOption {
type = types.path;
default = "/var/ihp/session.aes";
descriptiom = ''
The session secret is stored here.
If the file doesn't exists, the service will generate a new key automatically.
When the key changes all users need to relogin.
'';
};

additionalEnvVars = mkOption {
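Review bot: Both new `mkOption` calls spell the attribute `descriptiom` instead of `description`; as far as I recall nixpkgs' `mkOption` takes a fixed argument set, so an unknown attribute fails evaluation rather than being silently ignored, and either way the option would have no documentation. `sessionSecret` is also left without a default while app-keygen.nix reads `cfg.sessionSecret or ""`, and `or` does not help there because the attribute exists and evaluating an undefined option throws; declaring `type = types.nullOr types.str; default = null;` (and testing for `null` in the keygen script) makes leaving it unset legal. The `sessionSecret` description says only that the file option is preferred; it should also say what the value is (the base64-encoded session key, if that is what the keygen decode step expects) and that a value set here ends up in the world-readable Nix store, which is the reason the file is recommended. `doesn't exists` in the file option's description should read `doesn't exist`.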
27 changes: 27 additions & 0 deletions NixSupport/nixosModules/services/app-keygen.nix
@@ -0,0 +1,27 @@
{ config, pkgs, modulesPath, lib, self, ... }:
let
cfg = config.services.ihp;
openssl = "${pkgs.openssl}/bin/openssl";
base64 = "${pkgs.coreutils}/bin/base64";
in
{
systemd.services.app-keygen = {
description = "App Session Key Generation";
wantedBy = [ "multi-user.target" ];
before = [ "app.service" ];
script = ''
mkdir -p "$(dirname "${cfg.sessionSecretFile}")"
if [ -n "${cfg.sessionSecret or ""}" ]; then
# If sessionSecret is set, decode and write it to the file
echo "${cfg.sessionSecret}" | ${base64} -d > "${cfg.sessionSecretFile}"
elif [ ! -f "${cfg.sessionSecretFile}" ]; then
# If sessionSecret is not set, generate a new secret
${openssl} rand 96 > "${cfg.sessionSecretFile}"
fi
chmod 600 "${cfg.sessionSecretFile}"
'';
serviceConfig.Type = "oneshot";
};
}
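Review bot: The key file is created with the service's default umask on the `${openssl} rand 96 > ...` and `${base64} -d > ...` lines and only restricted afterwards by `chmod 600`, so a freshly written key is briefly readable by other local users; putting `umask 077` as the first line of the script closes that window and makes the trailing chmod redundant. `chmod 600` also leaves the file owned by root, so if app.service and worker.service run as an unprivileged user (their `User` setting is not visible in this PR) they will not be able to read it — a `chown` to that user would be needed. `${cfg.sessionSecret or ""}` does not protect against the option being unset: `or` only applies when the attribute is missing, whereas an option declared without a default exists and throws on evaluation, so this script depends on options.nix giving `sessionSecret` a default (`null` or `""`). Since the secret is interpolated into the script text, the decode branch keeps the secret in the Nix store, which is worth a comment next to it, e.g. `# Note: a configured sessionSecret is part of the store-resident script; prefer provisioning the file directly.`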
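--- a/NixSupport/nixosModules/services/app.nix
+++ b/NixSupport/nixosModules/services/app.nix
@@ -6,7 +6,7 @@ in
 systemd.services.app = {
 description = "IHP App";
 enable = true;
-after = [ "network.target" ];
+after = [ "network.target" "app-keygen.service" ];
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
 Type = "simple";
@@ -22,7 +22,7 @@ in
 IHP_BASEURL = cfg.baseUrl;
 IHP_REQUEST_LOGGER_IP_ADDR_SOURCE = cfg.requestLoggerIPAddrSource;
 DATABASE_URL = cfg.databaseUrl;
-IHP_SESSION_SECRET = cfg.sessionSecret;
+IHP_SESSION_SECRET_FILE = cfg.sessionSecretFile;
 GHCRTS = cfg.rtsFlags;
 };
 in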
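Review bot: `after = [ "network.target" "app-keygen.service" ]` only orders the two units; it does not make the app depend on the keygen succeeding, so if app-keygen.service fails (for example because the decode of `sessionSecret` fails) the app still starts with `IHP_SESSION_SECRET_FILE` pointing at a file that may not exist, and what Server.hs then does is left to the clientsession library. Add `requires = [ "app-keygen.service" ];` next to the `after` line so a failed key generation blocks the app instead. The same applies to the `after` line in worker.nix. Because `IHP_SESSION_SECRET` is no longer exported, the `sessionSecret` option now only takes effect through the keygen script writing it into the file; that is a behaviour change worth a sentence in the PR description.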
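--- a/NixSupport/nixosModules/services/worker.nix
+++ b/NixSupport/nixosModules/services/worker.nix
@@ -5,7 +5,7 @@ in
 {
 systemd.services.worker = {
 enable = true;
-after = [ "network.target" ];
+after = [ "network.target" "app-keygen.service" ];
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
 Type = "simple";
@@ -21,7 +21,7 @@ in
 IHP_BASEURL = cfg.baseUrl;
 IHP_REQUEST_LOGGER_IP_ADDR_SOURCE = cfg.requestLoggerIPAddrSource;
 DATABASE_URL = cfg.databaseUrl;
-IHP_SESSION_SECRET = cfg.sessionSecret;
+IHP_SESSION_SECRET_FILE = cfg.sessionSecretFile;
 GHCRTS = cfg.rtsFlags;
 };
 in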
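--- a/flake.nix
+++ b/flake.nix
@@ -47,6 +47,7 @@
 services_worker = ./NixSupport/nixosModules/services/worker.nix;
 services_migrate = ./NixSupport/nixosModules/services/migrate.nix;
 services_loadSchema = ./NixSupport/nixosModules/services/loadSchema.nix;
+services_appKeygen = ./NixSupport/nixosModules/services/app-keygen.nix;
 options = ./NixSupport/nixosModules/options.nix;
 binaryCache = ./NixSupport/nixosModules/binaryCache.nix;
 };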