Automatically generate jwt secret

2025-11-22 02:41:35 +01:00 · 2024-09-14 20:28:27 +02:00
parent 38ad33a53d
commit 36ec24731d
4 changed files with 36 additions and 35 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -61,11 +61,13 @@
          api = {
            type = "app";
            program = "${pkgs.writeShellScriptBin "api-setup" ''
-              ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO 'a42kVyAhTImYxZeebZkApoAZLmf0VtDA'"
+              JWT_SECRET=$(head -c 64 /dev/urandom | base64 | tr -d '/+=' | head -c 64)
+
+              ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO '$JWT_SECRET'"

              ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:15432/archtika?sslmode=disable --migrations-dir ${self.outPath}/rest-api/db/migrations up

-              PGRST_ADMIN_SERVER_PORT=3001 PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:15432/archtika" PGRST_JWT_SECRET="a42kVyAhTImYxZeebZkApoAZLmf0VtDA" ${pkgs.postgrest}/bin/postgrest
+              PGRST_ADMIN_SERVER_PORT=3001 PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:15432/archtika" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest
            ''}/bin/api-setup";
          };
        }
--- a/nix/demo-server/default.nix
+++ b/nix/demo-server/default.nix
@@ -65,7 +65,6 @@
  services.archtika = {
    enable = true;
    package = localArchtikaPackage;
-    jwtSecret = /var/lib/archtika-jwt-secret.txt;
    domain = "qs.archtika.com";
    acmeEmail = "thilo.hohlt@tutanota.com";
    dnsProvider = "porkbun";
--- a/nix/demo-server/hardware-configuration.nix
+++ b/nix/demo-server/hardware-configuration.nix
@@ -1,32 +1,41 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:

 {
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" "sr_mod" ];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "virtio_scsi"
+    "sr_mod"
+  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/04fa460b-c39f-47f8-bece-c044d767209c";
-      fsType = "ext4";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/04fa460b-c39f-47f8-bece-c044d767209c";
+    fsType = "ext4";
+  };

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/BA11-3E3D";
-      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/abace260-6904-4b38-8532-0235f77cb2bf"; }
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/BA11-3E3D";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
    ];
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-uuid/abace260-6904-4b38-8532-0235f77cb2bf"; } ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -34,11 +34,6 @@ in
      description = "Name of the PostgreSQL database for archtika.";
    };

-    jwtSecret = mkOption {
-      type = types.either types.str types.path;
-      description = "JWT secret for archtika. Can be a string or a path to a file containing the secret";
-    };
-
    apiPort = mkOption {
      type = types.port;
      default = 5000;
@@ -106,19 +101,15 @@ in
        Restart = "always";
      };

-      script =
-        let
-          getSecret = if isPath cfg.jwtSecret then "cat ${cfg.jwtSecret}" else "echo -n '${cfg.jwtSecret}'";
-        in
-        ''
-          JWT_SECRET=$(${getSecret})
+      script = ''
+        JWT_SECRET=$(head -c 64 /dev/urandom | base64 | tr -d '/+=' | head -c 64)

-          ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'"
+        ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'"

-          ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:5432/archtika?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up
+        ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:5432/archtika?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up

-          PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} PGRST_SERVER_PORT=${toString cfg.apiPort} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest
-        '';
+        PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} PGRST_SERVER_PORT=${toString cfg.apiPort} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest
+      '';
    };

    systemd.services.archtika-web = {