tamipes/authentik-nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #51 from Ma27/path-type

Browse source 
module: prohibit store-paths for environmentFile
This commit is contained in:
Maximilian Bosch 2025-04-28 16:50:30 +02:00 committed by GitHub
commit 618330bee6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 28 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

11
module.nix
View file

@ -44,6 +44,11 @@ let
;
settingsFormat = pkgs.formats.yaml { };
pathToSecret = types.pathWith {
inStore = false;
absolute = true;
};
in
{
options.services = {
@ -81,7 +86,7 @@ in
};
environmentFile = mkOption {
type = types.nullOr types.path;
type = types.nullOr pathToSecret;
default = null;
example = "/run/secrets/authentik/authentik-env";
description = ''
@ -105,7 +110,7 @@ in
enable = mkEnableOption "authentik LDAP outpost";
environmentFile = mkOption {
type = types.nullOr types.path;
type = types.nullOr pathToSecret;
default = null;
example = "/run/secrets/authentik-ldap/authentik-ldap-env";
description = ''
@ -128,7 +133,7 @@ in
enable = mkEnableOption "authentik RADIUS outpost";
environmentFile = mkOption {
type = types.nullOr types.path;
type = types.nullOr pathToSecret;
default = null;
example = "/run/secrets/authentik-radius/authentik-radius-env";
description = ''

17
tests/minimal-vmtest.nix
View file

@ -3,12 +3,6 @@
authentik-version,
nixosModules,
}:
let
# use a root-owned EnvironmentFile in production instead (services.authentik.environmentFile)
authentik-env = pkgs.writeText "authentik-test-secret-env" ''
AUTHENTIK_SECRET_KEY=thissecretwillbeinthenixstore
'';
in
pkgs.nixosTest {
name = "authentik";
nodes = {
@ -23,9 +17,18 @@ pkgs.nixosTest {
"${pkgs.path}/nixos/tests/common/x11.nix"
];
# Keep in mind that the secret still ends up in the store and is world-readable because the
# systemd-tmpfiles config lands in the store.
# This is just a trick to not pass a store-path (which is prohibited) to `environmentFile`
# without having to integrate secret managers like agenix or sops-nix into the test.
# Don't do this in production.
systemd.tmpfiles.rules = [
"f /etc/authentik.env 0700 root root - AUTHENTIK_SECRET_KEY=notastorepath"
];
services.authentik = {
enable = true;
environmentFile = authentik-env;
environmentFile = "/etc/authentik.env";
nginx = {
enable = true;
host = "localhost";

16
tests/override-scope.nix
View file

@ -18,11 +18,6 @@
*/
let
# use a root-owned EnvironmentFile in production instead (services.authentik.environmentFile)
authentik-env = pkgs.writeText "authentik-test-secret-env" ''
AUTHENTIK_SECRET_KEY=thissecretwillbeinthenixstore
'';
customWelcome = "Welcome to custom authentik";
# creates a new scope using python 3.12 for mkPoetryEnv
@ -61,9 +56,18 @@ pkgs.nixosTest {
"${pkgs.path}/nixos/tests/common/x11.nix"
];
# Keep in mind that the secret still ends up in the store and is world-readable because the
# systemd-tmpfiles config lands in the store.
# This is just a trick to not pass a store-path (which is prohibited) to `environmentFile`
# without having to integrate secret managers like agenix or sops-nix into the test.
# Don't do this in production.
systemd.tmpfiles.rules = [
"f /etc/authentik.env 0700 root root - AUTHENTIK_SECRET_KEY=notastorepath"
];
services.authentik = {
enable = true;
environmentFile = authentik-env;
environmentFile = "/etc/authentik.env";
nginx = {
enable = true;
host = "localhost";