diff --git a/flake.nix b/flake.nix
index da7d60f..741ef17 100644
--- a/flake.nix
+++ b/flake.nix
@@ -61,11 +61,13 @@
 api = {
 type = "app";
 program = "${pkgs.writeShellScriptBin "api-setup" ''
- ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO 'a42kVyAhTImYxZeebZkApoAZLmf0VtDA'"
+ JWT_SECRET=$(head -c 64 /dev/urandom | base64 | tr -d '/+=' | head -c 64)
+
+ ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO '$JWT_SECRET'"
 ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:15432/archtika?sslmode=disable --migrations-dir ${self.outPath}/rest-api/db/migrations up
- PGRST_ADMIN_SERVER_PORT=3001 PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:15432/archtika" PGRST_JWT_SECRET="a42kVyAhTImYxZeebZkApoAZLmf0VtDA" ${pkgs.postgrest}/bin/postgrest
+ PGRST_ADMIN_SERVER_PORT=3001 PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:15432/archtika" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest
 ''}/bin/api-setup";
 };
 }
diff --git a/nix/demo-server/default.nix b/nix/demo-server/default.nix
index db2b97b..6e0a9b9 100644
--- a/nix/demo-server/default.nix
+++ b/nix/demo-server/default.nix
@@ -65,7 +65,6 @@
 services.archtika = {
 enable = true;
 package = localArchtikaPackage;
- jwtSecret = /var/lib/archtika-jwt-secret.txt;
 domain = "qs.archtika.com";
 acmeEmail = "thilo.hohlt@tutanota.com";
 dnsProvider = "porkbun";
diff --git a/nix/demo-server/hardware-configuration.nix b/nix/demo-server/hardware-configuration.nix
index 1e06801..7303acb 100644
--- a/nix/demo-server/hardware-configuration.nix
+++ b/nix/demo-server/hardware-configuration.nix
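Review bot: The `api-setup` script in the flake.nix hunk runs without `set -e`, so if the added `ALTER DATABASE ... SET "app.jwt_secret"` call fails (database not up yet, wrong port) the script carries on and starts PostgREST with a freshly generated `$JWT_SECRET` that the database never received, leaving the SQL side and the API side signing and verifying with different keys. Add `set -euo pipefail` as the first line of the script so a failed psql aborts the run instead of producing a silently mismatched pair. Separately, GNU `base64` wraps its output at 76 columns and the `tr -d '/+='` only strips base64 symbols, so a newline can in principle land inside the 64-character window; `JWT_SECRET=$(head -c 64 /dev/urandom | base64 -w0 | tr -d '/+=' | head -c 64)` removes that corner case. Since this is the dev app, note in a comment that every invocation rotates the secret and invalidates tokens from the previous run, e.g. `# fresh secret per run: tokens from earlier runs become invalid`.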
@@ -1,32 +1,41 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "virtio_scsi" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/04fa460b-c39f-47f8-bece-c044d767209c"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/04fa460b-c39f-47f8-bece-c044d767209c"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/BA11-3E3D"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/abace260-6904-4b38-8532-0235f77cb2bf"; } + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/BA11-3E3D"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" ]; + }; + + swapDevices = [ { device = "/dev/disk/by-uuid/abace260-6904-4b38-8532-0235f77cb2bf"; } ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/nix/module.nix b/nix/module.nix index 15f84f4..c9f5611 100644 --- a/nix/module.nix +++ b/nix/module.nix @@ -34,11 +34,6 @@ in description = "Name of the PostgreSQL database for archtika."; }; - jwtSecret = mkOption { - type = types.either types.str types.path; - description = "JWT secret for archtika. Can be a string or a path to a file containing the secret"; - }; - apiPort = mkOption { type = types.port; default = 5000; 
@@ -106,19 +101,15 @@ in
 Restart = "always";
 };
- script =
- let
- getSecret = if isPath cfg.jwtSecret then "cat ${cfg.jwtSecret}" else "echo -n '${cfg.jwtSecret}'";
- in
- ''
- JWT_SECRET=$(${getSecret})
+ script = ''
+ JWT_SECRET=$(head -c 64 /dev/urandom | base64 | tr -d '/+=' | head -c 64)
- ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'"
+ ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'"
- ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:5432/archtika?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up
+ ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:5432/archtika?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up
- PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} PGRST_SERVER_PORT=${toString cfg.apiPort} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest
- '';
+ PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} PGRST_SERVER_PORT=${toString cfg.apiPort} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest
+ '';
 };
 systemd.services.archtika-web = {
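Review bot: In the module.nix `script`, the JWT secret is now regenerated from `/dev/urandom` on every start of the unit, and with `Restart = "always"` visible just above that means every crash, restart or redeploy silently invalidates every token the API has issued and logs out all users; since the earlier hunk also drops the `jwtSecret` option, an operator has no way to supply a persisted or externally managed secret any more. Generate the secret once, store it with mode 0600 under the unit's state directory and reuse it on later starts, which keeps the no-hardcoded-secret property of this commit while making sessions survive restarts; this needs `StateDirectory = "archtika";` in `serviceConfig` (outside this hunk, so I cannot see whether it is already set). Adding `set -euo pipefail` also stops PostgREST from starting with a secret the database did not accept when the `ALTER DATABASE` call fails, and `base64 -w0` avoids the 76-column line wrap GNU base64 inserts by default. The enclosing `systemd.services` attribute set starts before this hunk.

```nix
      script = ''
        set -euo pipefail

        # Generate the secret once and reuse it across restarts so issued JWTs
        # survive a redeploy; requires StateDirectory on this unit.
        SECRET_FILE="$STATE_DIRECTORY/jwt-secret"
        if [ ! -s "$SECRET_FILE" ]; then
          (umask 077; head -c 64 /dev/urandom | base64 -w0 | tr -d '/+=' | head -c 64 > "$SECRET_FILE")
        fi
        JWT_SECRET=$(cat "$SECRET_FILE")

        # … unchanged: psql ALTER DATABASE, dbmate migrations, postgrest launch …
      '';
```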