Unverified Commit 7f5e8a01 authored by Sanjin Sehic's avatar Sanjin Sehic
Browse files

nixos/healthchecks: enable _FILE variants for all secrets 

This change enables _FILE variants for all secrets in Healthchecks
configuration so they can be read from a file and not stored in
/nix/store.

In particular, it adds support for these secrets:
DB_PASSWORD, DISCORD_CLIENT_SECRET, EMAIL_HOST_PASSWORD,
LINENOTIFY_CLIENT_SECRET, MATRIX_ACCESS_TOKEN, PD_APP_ID,
PUSHBULLET_CLIENT_SECRET, PUSHOVER_API_TOKEN, S3_SECRET_KEY, SECRET_KEY,
SLACK_CLIENT_SECRET, TELEGRAM_TOKEN, TRELLO_APP_KEY, and TWILIO_AUTH.
parent 4a81613a

nixos/modules/services/web-apps/healthchecks.nix

+10 −11
Original line number Diff line number Diff line
@@ -104,11 +104,16 @@ in 
        See <https://healthchecks.io/docs/self_hosted_configuration/>

        for a full documentation of settings.



        We add two variables to this list inside the packages `local_settings.py.`

        - STATIC_ROOT to set a state directory for dynamically generated static files.

        - SECRET_KEY_FILE to read SECRET_KEY from a file at runtime and keep it out of /nix/store.

        - EMAIL_HOST_PASSWORD_FILE to read EMAIL_HOST_PASSWORD from a file at runtime and keep it

          out of /nix/store.

        We add additional variables to this list inside the packages `local_settings.py.`

        - `STATIC_ROOT` to set a state directory for dynamically generated static files.

        - `SECRET_KEY_FILE` to read `SECRET_KEY` from a file at runtime and keep it out of

          /nix/store.

        - `_FILE` variants for several values that hold sensitive information in

          [Healthchecks configuration](https://healthchecks.io/docs/self_hosted_configuration/) so

          that they also can be read from a file and kept out of /nix/store. To see which values

          have support for a `_FILE` variant, run:

          - `nix-instantiate --eval --expr '(import <nixpkgs> {}).healthchecks.secrets'`

          - or `nix eval 'nixpkgs#healthchecks.secrets'` if the flake support has been enabled.

      '';

      type = types.submodule (settings: {

        freeformType = types.attrsOf types.str;
@@ -165,12 +170,6 @@ in 
            '';

            description = lib.mdDoc "Database name.";

          };



          EMAIL_HOST_PASSWORD_FILE = mkOption {

            type = types.str;

            default = "";

            description = lib.mdDoc "Path to a file containing the email password.";

          };

        };

      });

    };

pkgs/servers/web-apps/healthchecks/default.nix

+25 −9
Original line number Diff line number Diff line
@@ -39,20 +39,36 @@ py.pkgs.buildPythonApplication rec { 
    whitenoise

  ];



  secrets = [

    "DB_PASSWORD"

    "DISCORD_CLIENT_SECRET"

    "EMAIL_HOST_PASSWORD"

    "LINENOTIFY_CLIENT_SECRET"

    "MATRIX_ACCESS_TOKEN"

    "PD_APP_ID"

    "PUSHBULLET_CLIENT_SECRET"

    "PUSHOVER_API_TOKEN"

    "S3_SECRET_KEY"

    "SECRET_KEY"

    "SLACK_CLIENT_SECRET"

    "TELEGRAM_TOKEN"

    "TRELLO_APP_KEY"

    "TWILIO_AUTH"

  ];



  localSettings = writeText "local_settings.py" ''

    import os



    STATIC_ROOT = os.getenv("STATIC_ROOT")



    SECRET_KEY_FILE = os.getenv("SECRET_KEY_FILE")

    if SECRET_KEY_FILE:

        with open(SECRET_KEY_FILE, "r") as file:

            SECRET_KEY = file.readline()



    EMAIL_HOST_PASSWORD_FILE = os.getenv("EMAIL_HOST_PASSWORD_FILE")

    if EMAIL_HOST_PASSWORD_FILE:

        with open(EMAIL_HOST_PASSWORD_FILE, "r") as file:

            EMAIL_HOST_PASSWORD = file.readline()

    ${lib.concatLines (map

      (secret: ''

        ${secret}_FILE = os.getenv("${secret}_FILE")

        if ${secret}_FILE:

            with open(${secret}_FILE, "r") as file:

                ${secret} = file.readline()

      '')

      secrets)}

  '';



  installPhase = ''