From 34d1c55580cbf76bee01beef023b0d12d3f385cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 22 Jun 2021 09:07:50 +0200
Subject: [PATCH 1/2] nixos/go-neb: secret support
---
 nixos/modules/services/networking/go-neb.nix | 34 +++++++++++++++++---
 nixos/tests/go-neb.nix | 12 +++----
 2 files changed, 36 insertions(+), 10 deletions(-)
diff --git a/nixos/modules/services/networking/go-neb.nix b/nixos/modules/services/networking/go-neb.nix
index 991ae38f30a5..765834fad83e 100644
--- a/nixos/modules/services/networking/go-neb.nix
+++ b/nixos/modules/services/networking/go-neb.nix
@@ -5,7 +5,8 @@ with lib;
 let
 cfg = config.services.go-neb;
- configFile = pkgs.writeText "config.yml" (builtins.toJSON cfg.config);
+ settingsFormat = pkgs.formats.yaml {};
+ configFile = settingsFormat.generate "config.yaml" cfg.config;
 in {
 options.services.go-neb = {
 enable = mkEnableOption "Extensible matrix bot written in Go";
@@ -16,13 +17,26 @@ in {
 default = ":4050";
 };
+ secretFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/run/keys/go-neb.env";
+ description = ''
+ Environment variables from this file will be interpolated into the
+ final config file using envsubst with this syntax: $ENVIRONMENT
+ or ''${VARIABLE}.
+ The file should contain lines formatted as SECRET_VAR=SECRET_VALUE.
+ This is useful to avoid putting secrets into the nix store.
+ '';
+ };
+
 baseUrl = mkOption {
 type = types.str;
 description = "Public-facing endpoint that can receive webhooks.";
 };
 config = mkOption {
- type = types.uniq types.attrs;
+ inherit (settingsFormat) type;
 description = ''
 Your config.yaml as a Nix attribute set. See config.sample.yaml
@@ -32,18 +46,30 @@ in {
 };
 config = mkIf cfg.enable {
- systemd.services.go-neb = {
+ systemd.services.go-neb = let
+ finalConfigFile = if cfg.secretFile == null then configFile else "/var/run/go-neb/config.yaml";
+ in {
 description = "Extensible matrix bot written in Go";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 environment = {
 BASE_URL = cfg.baseUrl;
 BIND_ADDRESS = cfg.bindAddress;
- CONFIG_FILE = configFile;
+ CONFIG_FILE = finalConfigFile;
 };
 serviceConfig = {
+ ExecStartPre = lib.optional (cfg.secretFile != null)
+ (pkgs.writeShellScript "pre-start" ''
+ umask 077
+ export $(xargs < ${cfg.secretFile})
+ ${pkgs.envsubst}/bin/envsubst -i "${configFile}" > ${finalConfigFile}
+ chown go-neb ${finalConfigFile}
+ '');
+ PermissionsStartOnly = true;
+ RuntimeDirectory = "go-neb";
 ExecStart = "${pkgs.go-neb}/bin/go-neb";
+ User = "go-neb";
 DynamicUser = true;
 };
 };
diff --git a/nixos/tests/go-neb.nix b/nixos/tests/go-neb.nix
index f8801ff68d64..4bd03dcf3c6b 100644
--- a/nixos/tests/go-neb.nix
+++ b/nixos/tests/go-neb.nix
@@ -10,10 +10,11 @@ import ./make-test-python.nix ({ pkgs, ... }:
 services.go-neb = {
 enable = true;
 baseUrl = "http://localhost";
+ secretFile = pkgs.writeText "secrets" "ACCESS_TOKEN=changeme";
 config = {
 clients = [ {
 UserId = "@test:localhost";
- AccessToken = "changeme";
+ AccessToken = "$ACCESS_TOKEN";
 HomeServerUrl = "http://localhost";
 Sync = false;
 AutoJoinRooms = false;
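Review bot: The `pre-start` script under `ExecStartPre` has no `set -e`, so when `envsubst` fails the redirect still leaves a truncated `${finalConfigFile}`, `chown` succeeds and go-neb starts on an empty config — `pkgs.writeShellScript` does not add error handling as far as I know, so open the script with `set -euo pipefail`. The `export $(xargs < ${cfg.secretFile})` line word-splits and globs the values and lets xargs strip quotes, so a secret containing whitespace, quotes or `*` is mangled or partly exported as a second variable; `set -a; . ${cfg.secretFile}; set +a` reads KEY=VALUE lines without that, at the cost of treating the file as shell. On the `envsubst` line an unset or empty variable is silently replaced by an empty string, so a missing `ACCESS_TOKEN` yields an empty AccessToken instead of a startup failure; `envsubst -no-unset -no-empty -i "${configFile}"` fails fast instead. Because `secretFile` is `types.path`, the `${cfg.secretFile}` interpolation here copies a path-literal value into the world-readable Nix store, which the option description in the previous hunk should warn about by asking for a string path. `PermissionsStartOnly = true` is deprecated in systemd; the `+` prefix (`ExecStartPre = "+${script}"`) is the current way to run the pre-start step as root.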
@@ -33,11 +34,10 @@ import ./make-test-python.nix ({ pkgs, ... }:
 testScript = ''
 start_all()
 server.wait_for_unit("go-neb.service")
- server.wait_until_succeeds(
- "curl -fL http://localhost:4050/services/hooks/d2lraXBlZGlhX3NlcnZpY2U"
- )
- server.wait_until_succeeds(
- "journalctl -eu go-neb -o cat | grep -q service_id=wikipedia_service"
+ server.wait_until_succeeds("curl -fL http://localhost:4050/services/hooks/d2lraXBlZGlhX3NlcnZpY2U")
+ server.succeed(
+ "journalctl -eu go-neb -o cat | grep -q service_id=wikipedia_service",
+ "grep -q changeme /var/run/go-neb/config.yaml",
 )
 '';
From bba5559d2c6ada773560bd89129c80b5bc9fcb2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 22 Jun 2021 11:20:02 +0200
Subject: [PATCH 2/2] go-neb: 2020-04-09 -> 2021-03-24
---
 .../instant-messengers/go-neb/default.nix | 12 ++---
 .../instant-messengers/go-neb/go-mod.patch | 50 -------------------
 2 files changed, 6 insertions(+), 56 deletions(-)
 delete mode 100644 pkgs/applications/networking/instant-messengers/go-neb/go-mod.patch
diff --git a/pkgs/applications/networking/instant-messengers/go-neb/default.nix b/pkgs/applications/networking/instant-messengers/go-neb/default.nix
index 04418dc64fcf..f1e335133d72 100644
--- a/pkgs/applications/networking/instant-messengers/go-neb/default.nix
+++ b/pkgs/applications/networking/instant-messengers/go-neb/default.nix
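Review bot: The journalctl grep moved from `wait_until_succeeds` into the new `server.succeed(` call no longer retries; if go-neb emits `service_id=wikipedia_service` only after the hook URL is already reachable, this assertion races the service and the test becomes intermittently failing. Keeping the journal grep under `wait_until_succeeds` and leaving only `"grep -q changeme /var/run/go-neb/config.yaml"` under `succeed` preserves the retry while still checking the rendered file. The config grep itself is a sound check that substitution ran, since it reads the runtime copy rather than the store-side template.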
@@ -1,20 +1,20 @@
-{ lib, buildGoModule, fetchFromGitHub, nixosTests }:
+{ lib, buildGoModule, fetchFromGitHub, nixosTests, olm }:
 buildGoModule {
 pname = "go-neb";
- version = "unstable-2020-04-09";
+ version = "unstable-2021-03-24";
 src = fetchFromGitHub {
 owner = "matrix-org";
 repo = "go-neb";
- rev = "1e297c50ad2938e511a3c86f4b190fd3fc3559d6";
- sha256 = "1azwy4s4kmypps1fjbz76flpi1b7sjzjj4qwx94cry0hn3qfnrc6";
+ rev = "b6edd50d6e33de3bcdb35055fa6c5f0157f45321";
+ sha256 = "sha256-wFqkN4C0rWzWxa6+/LiHMMS8i/g3Q57f5z4cG2XZQzs=";
 };
 subPackages = [ "." ];
- patches = [ ./go-mod.patch ];
+ buildInputs = [ olm ];
- vendorSha256 = "1k3980yf6zl00dkd1djwhm2f9nnffzrsbs3kq3alpw2gm0aln739";
+ vendorSha256 = "sha256-sWrLWjODf25Z8QqCDg4KyVWmTc3PRiYpRL88yxK0j/M";
 doCheck = false;
diff --git a/pkgs/applications/networking/instant-messengers/go-neb/go-mod.patch b/pkgs/applications/networking/instant-messengers/go-neb/go-mod.patch
deleted file mode 100644
index 1c725652d431..000000000000
--- a/pkgs/applications/networking/instant-messengers/go-neb/go-mod.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-diff --git a/go.mod b/go.mod
-index 8ed4e68..83526e7 100644
---- a/go.mod
-+++ b/go.mod
-@@ -4,24 +4,15 @@ go 1.14
-
- require (
- github.com/PuerkitoBio/goquery v1.5.1 // indirect
-- github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
-- github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4 // indirect
- github.com/andygrunwald/go-jira v1.11.0
- github.com/beorn7/perks v1.0.1 // indirect
-- github.com/cespare/xxhash/v2 v2.1.1 // indirect
- github.com/dghubble/oauth1 v0.6.0
- github.com/die-net/lrucache v0.0.0-20190707192454-883874fe3947
-- github.com/go-kit/kit v0.9.0 // indirect
-- github.com/go-logfmt/logfmt v0.4.0 // indirect
-- github.com/go-stack/stack v1.8.0 // indirect
-- github.com/gogo/protobuf v1.1.1 // indirect
- github.com/golang/protobuf v1.3.2 // indirect
- github.com/google/go-cmp v0.4.0 // indirect
- github.com/google/go-github v2.0.1-0.20160719063544-b5e5babef39c+incompatible
- github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
- github.com/jaytaylor/html2text v0.0.0-20200220170450-61d9dc4d7195
-- github.com/json-iterator/go v1.1.9 // indirect
-- github.com/julienschmidt/httprouter v1.2.0 // indirect
- github.com/kr/pretty v0.1.0 // indirect
- github.com/lib/pq v1.3.0
- github.com/matrix-org/dugong v0.0.0-20180820122854-51a565b5666b
-@@ -32,9 +23,6 @@ require (
- github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
- github.com/mmcdole/gofeed v1.0.0-beta2
- github.com/mmcdole/goxpp v0.0.0-20181012175147-0068e33feabf // indirect
-- github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-- github.com/modern-go/reflect2 v1.0.1 // indirect
-- github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223 // indirect
- github.com/olekukonko/tablewriter v0.0.4 // indirect
- github.com/pkg/errors v0.8.1 // indirect
- github.com/prometheus/client_golang v0.8.1-0.20160916180340-5636dc67ae77
-@@ -47,10 +35,7 @@ require (
- github.com/stretchr/testify v1.4.0 // indirect
- golang.org/x/net v0.0.0-20200301022130-244492dfa37a
- golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-- golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e // indirect
- golang.org/x/sys v0.0.0-20200122134326-e047566fdf82 // indirect
-- golang.org/x/tools v0.0.0-20200311090712-aafaee8bce8c // indirect
-- gopkg.in/alecthomas/kingpin.v2 v2.2.6 // indirect
- gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
- gopkg.in/yaml.v2 v2.2.8
- )