nixos: add sessionSecretFile option
Closes #1985
mpscholten committed Nov 12, 2024
1 parent 31cb479 commit c0767f7
Showing 7 changed files with 57 additions and 7 deletions.
12 changes: 9 additions & 3 deletions IHP/Server.hs
Expand Up @@ -110,11 +110,17 @@ initSessionMiddleware FrameworkConfig { sessionCookie } = do
let path = "Config/client_session_key.aes"

hasSessionSecretEnvVar <- EnvVar.hasEnvVar "IHP_SESSION_SECRET"
hasSessionSecretFileEnvVar <- EnvVar.hasEnvVar "IHP_SESSION_SECRET_FILE"
doesConfigDirectoryExist <- Directory.doesDirectoryExist "Config"
store <- clientsessionStore <$>
if hasSessionSecretEnvVar || not doesConfigDirectoryExist
then ClientSession.getKeyEnv "IHP_SESSION_SECRET"
else ClientSession.getKey path
if hasSessionSecretFileEnvVar
then do
path <- EnvVar.env "IHP_SESSION_SECRET_FILE"
ClientSession.getKey path
else
if hasSessionSecretEnvVar || not doesConfigDirectoryExist
then ClientSession.getKeyEnv "IHP_SESSION_SECRET"
else ClientSession.getKey path
let sessionMiddleware :: Middleware = withSession store "SESSION" sessionCookie sessionVaultKey
pure sessionMiddleware

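Review bot: The new `path <- EnvVar.env "IHP_SESSION_SECRET_FILE"` binding shadows the `path` bound at the top of the hunk (`let path = "Config/client_session_key.aes"`), which reads as if the fallback branch could see the env value and will trip -Wname-shadowing; rename it, e.g. `secretPath <- EnvVar.env "IHP_SESSION_SECRET_FILE"` followed by `ClientSession.getKey secretPath`. The branch also deserves a comment on precedence and failure mode: as far as I recall, clientsession's `getKey` silently generates and writes a fresh key when the file is missing or not a valid key, so a mistyped `IHP_SESSION_SECRET_FILE` invalidates every session instead of failing loudly — `-- IHP_SESSION_SECRET_FILE takes precedence over IHP_SESSION_SECRET; getKey regenerates the key if the file is absent or invalid`. initSessionMiddleware continues outside the hunk.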
1 change: 1 addition & 0 deletions NixSupport/nixosModules/app.nix
Expand Up @@ -9,6 +9,7 @@ in
ihp.nixosModules.services_app
ihp.nixosModules.services_worker
ihp.nixosModules.services_migrate
ihp.nixosModules.services_appKeygen
];

# Pin the nixpkgs to the IHP nixpkgs
15 changes: 15 additions & 0 deletions NixSupport/nixosModules/options.nix
Expand Up @@ -68,6 +68,21 @@ with lib;

sessionSecret = mkOption {
type = types.str;
descriptiom = ''
It's recommended to use sessionSecretFile instead
'';
};

sessionSecretFile = mkOption {
type = types.path;
default = "/var/ihp/session.aes";
descriptiom = ''
The session secret is stored here.
If the file doesn't exists, the service will generate a new key automatically.
When the key changes all users need to relogin.
'';
};

additionalEnvVars = mkOption {
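Review bot: `descriptiom` on both new mkOption blocks is a typo for `description`; as far as I know mkOption keeps unknown attributes without complaint, so neither text reaches the generated option docs — change both to `description = ''`. `sessionSecret` also stays `types.str` with no visible default, yet the new app-keygen service reads it as `cfg.sessionSecret or ""`, which only covers a missing attribute, not an undefined option; `type = types.nullOr types.str; default = null;` is what makes that fallback real. The sessionSecret text could say why the file is preferred: its value is interpolated into the keygen unit script and therefore lands in the Nix store, whereas the file stays outside it. Minor wording: `If the file doesn't exists` → `If the file doesn't exist`.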
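--- a/NixSupport/nixosModules/services/app-keygen.nix
+++ b/NixSupport/nixosModules/services/app-keygen.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, modulesPath, lib, self, ... }:
+let
+cfg = config.services.ihp;
+openssl = "${pkgs.openssl}/bin/openssl";
+base64 = "${pkgs.coreutils}/bin/base64";
+in
+{
+systemd.services.app-keygen = {
+description = "App Session Key Generation";
+wantedBy = [ "multi-user.target" ];
+before = [ "app.service" ];
+script = ''
+mkdir -p "$(dirname "${cfg.sessionSecretFile}")"
+if [ -n "${cfg.sessionSecret or ""}" ]; then
+# If sessionSecret is set, decode and write it to the file
+echo "${cfg.sessionSecret}" | ${base64} -d > "${cfg.sessionSecretFile}"
+elif [ ! -f "${cfg.sessionSecretFile}" ]; then
+# If sessionSecret is not set, generate a new secret
+${openssl} rand 96 > "${cfg.sessionSecretFile}"
+fi
+chmod 600 "${cfg.sessionSecretFile}"
+'';
+serviceConfig.Type = "oneshot";
+};
+}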
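Review bot: Both writes to `${cfg.sessionSecretFile}` (`base64 -d > ...` and `openssl rand 96 > ...`) happen before the `chmod 600`, so the file is created under the service's default umask and the key is readable by other local users until the chmod runs; put `umask 077` as the first line of the script so the file (and the `mkdir -p` directory) are private from creation, and keep the chmod for files that already exist. The `${cfg.sessionSecret or ""}` guard only helps when the attribute is absent, but as far as I can tell a declared option with no default evaluates to an error rather than a missing attribute, so this branch only works once sessionSecret carries a `null` default. Also, `echo "${cfg.sessionSecret}"` interpolates the secret into this unit's script, i.e. into the Nix store — inherent to the sessionSecret option, but worth a `# NOTE: sessionSecret is baked into this script in the store; prefer sessionSecretFile` comment here.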
4 changes: 2 additions & 2 deletions NixSupport/nixosModules/services/app.nix
Expand Up @@ -6,7 +6,7 @@ in
systemd.services.app = {
description = "IHP App";
enable = true;
after = [ "network.target" ];
after = [ "network.target" "app-keygen.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
Expand All @@ -22,7 +22,7 @@ in
IHP_BASEURL = cfg.baseUrl;
IHP_REQUEST_LOGGER_IP_ADDR_SOURCE = cfg.requestLoggerIPAddrSource;
DATABASE_URL = cfg.databaseUrl;
IHP_SESSION_SECRET = cfg.sessionSecret;
IHP_SESSION_SECRET_FILE = cfg.sessionSecretFile;
GHCRTS = cfg.rtsFlags;
};
in
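Review bot: `after = [ "network.target" "app-keygen.service" ]` only orders app.service behind the key generation; it does not make the app depend on it, so if app-keygen fails or is masked the app still starts with `IHP_SESSION_SECRET_FILE` pointing at a possibly absent file and the server then mints its own key — add `requires = [ "app-keygen.service" ];` next to `after` (the same applies to the worker.nix hunks in this commit). Separately, app-keygen runs as root and leaves the file at mode 600; if app.service runs under a dedicated user (its serviceConfig is cut off here), the key file will be unreadable, so the keygen should chown it to that user or the app should own key generation.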
4 changes: 2 additions & 2 deletions NixSupport/nixosModules/services/worker.nix
Expand Up @@ -5,7 +5,7 @@ in
{
systemd.services.worker = {
enable = true;
after = [ "network.target" ];
after = [ "network.target" "app-keygen.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
Expand All @@ -21,7 +21,7 @@ in
IHP_BASEURL = cfg.baseUrl;
IHP_REQUEST_LOGGER_IP_ADDR_SOURCE = cfg.requestLoggerIPAddrSource;
DATABASE_URL = cfg.databaseUrl;
IHP_SESSION_SECRET = cfg.sessionSecret;
IHP_SESSION_SECRET_FILE = cfg.sessionSecretFile;
GHCRTS = cfg.rtsFlags;
};
in
1 change: 1 addition & 0 deletions flake.nix
Expand Up @@ -47,6 +47,7 @@
services_worker = ./NixSupport/nixosModules/services/worker.nix;
services_migrate = ./NixSupport/nixosModules/services/migrate.nix;
services_loadSchema = ./NixSupport/nixosModules/services/loadSchema.nix;
services_appKeygen = ./NixSupport/nixosModules/services/app-keygen.nix;
options = ./NixSupport/nixosModules/options.nix;
binaryCache = ./NixSupport/nixosModules/binaryCache.nix;
};
