From c5992aba9141f41e0720b5954045797e1504573b Mon Sep 17 00:00:00 2001
From: isabel
Date: Thu, 13 Nov 2025 14:16:24 +0000
Subject: [PATCH] nixos/wakapi: streamline password salt & smtp password config
---
 nixos/modules/services/web-apps/wakapi.nix | 76 +++++++++-------------
 nixos/tests/wakapi.nix | 74 ++++++++++++---------
 2 files changed, 72 insertions(+), 78 deletions(-)
diff --git a/nixos/modules/services/web-apps/wakapi.nix b/nixos/modules/services/web-apps/wakapi.nix
index 6634e4894546..7d3f06db9854 100644
--- a/nixos/modules/services/web-apps/wakapi.nix
+++ b/nixos/modules/services/web-apps/wakapi.nix
@@ -18,11 +18,34 @@ let
 types
 mkIf
 optional
- mkMerge
 singleton
+ mkRemovedOptionModule
 ;
 in
 {
+ imports = [
+ (mkRemovedOptionModule [
+ "services"
+ "wakapi"
+ "passwordSalt"
+ ] "Use services.wakapi.environmentFiles instead.")
+ (mkRemovedOptionModule [
+ "services"
+ "wakapi"
+ "passwordSaltFile"
+ ] "Use services.wakapi.environmentFiles instead.")
+ (mkRemovedOptionModule [
+ "services"
+ "wakapi"
+ "smtpPassword"
+ ] "Use services.wakapi.environmentFiles instead.")
+ (mkRemovedOptionModule [
+ "services"
+ "wakapi"
+ "smtpPasswordFile"
+ ] "Use services.wakapi.environmentFiles instead.")
+ ];
+
 options.services.wakapi = {
 enable = mkEnableOption "Wakapi";
 package = mkPackageOption pkgs "wakapi" { };
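Review bot: All four `mkRemovedOptionModule` entries carry the same message, so a user who hits the evaluation error for `smtpPassword` is not told which variable now replaces it. Naming the variable would make the migration self-explanatory, e.g. `"Set WAKAPI_PASSWORD_SALT in a file listed in services.wakapi.environmentFiles instead."` for the two salt options and the `WAKAPI_MAIL_SMTP_PASS` equivalent for the two SMTP options. The module body that this `imports` list belongs to continues outside the hunk.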
@@ -45,33 +68,11 @@ in
 '';
 };
- passwordSalt = mkOption {
- type = types.nullOr types.str;
- default = null;
+ environmentFiles = mkOption {
+ type = types.listOf types.path;
+ default = [ ];
 description = ''
- The password salt to use for Wakapi.
- '';
- };
- passwordSaltFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = ''
- The path to a file containing the password salt to use for Wakapi.
- '';
- };
-
- smtpPassword = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = ''
- The password used for the smtp mailed to used by Wakapi.
- '';
- };
- smtpPasswordFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = ''
- The path to a file containing the password for the smtp mailer used by Wakapi.
+ Use this to set `WAKAPI_PASSWORD_SALT` and `WAKAPI_MAIL_SMTP_PASS`.
 '';
 };
@@ -148,14 +149,7 @@ in
 '';
 serviceConfig = {
- Environment = mkMerge [
- (mkIf (cfg.passwordSalt != null) "WAKAPI_PASSWORD_SALT=${cfg.passwordSalt}")
- (mkIf (cfg.smtpPassword != null) "WAKAPI_MAIL_SMTP_PASS=${cfg.smtpPassword}")
- ];
-
- EnvironmentFile =
- (lib.optional (cfg.passwordSaltFile != null) cfg.passwordSaltFile)
- ++ (lib.optional (cfg.smtpPasswordFile != null) cfg.smtpPasswordFile);
+ EnvironmentFile = cfg.environmentFiles;
 User = config.users.users.wakapi.name;
 Group = config.users.users.wakapi.group;
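Review bot: The `environmentFiles` description added in the `@@ -45` hunk names the two variables but says nothing about the file format or where the file should live. Because the type is `types.path`, a Nix path literal is accepted, and depending on how the value is coerced it may end up in the world-readable Nix store, which would undo the benefit of moving the secret out of `Environment=`. I would extend the description to say that these are systemd `EnvironmentFile=` files made of `KEY=value` lines and should be kept outside the Nix store, and add `example = [ "/run/secrets/wakapi.env" ];` (the path is illustrative).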
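Review bot: `EnvironmentFile = cfg.environmentFiles;` in the `@@ -148` hunk is now the only way the module supplies a salt, and the `@@ -196` hunk deletes the assertion that one is set without putting anything in its place. With the default `[ ]` the configuration evaluates and the unit starts without `WAKAPI_PASSWORD_SALT`; how Wakapi behaves in that case is not visible here and should be confirmed. File contents cannot be inspected at evaluation time, so a warning is probably the most that fits, e.g. `warnings = optional (cfg.environmentFiles == [ ]) "services.wakapi.environmentFiles is empty; WAKAPI_PASSWORD_SALT must be provided by other means.";` in the module's `config`, which lies outside this hunk.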
@@ -196,18 +190,6 @@ in
 };
 assertions = [
- {
- assertion = cfg.passwordSalt != null || cfg.passwordSaltFile != null;
- message = "Either `services.wakapi.passwordSalt` or `services.wakapi.passwordSaltFile` must be set.";
- }
- {
- assertion = !(cfg.passwordSalt != null && cfg.passwordSaltFile != null);
- message = "Both `services.wakapi.passwordSalt` and `services.wakapi.passwordSaltFile` should not be set at the same time.";
- }
- {
- assertion = !(cfg.smtpPassword != null && cfg.smtpPasswordFile != null);
- message = "Both `services.wakapi.smtpPassword` and `services.wakapi.smtpPasswordFile` should not be set at the same time.";
- }
 {
 assertion = cfg.database.createLocally -> cfg.settings.db.dialect != null;
 message = "`services.wakapi.database.createLocally` is true, but a database dialect is not set!";
diff --git a/nixos/tests/wakapi.nix b/nixos/tests/wakapi.nix
index 14b0a9b3ceb5..5d30bde150d5 100644
--- a/nixos/tests/wakapi.nix
+++ b/nixos/tests/wakapi.nix
@@ -3,44 +3,56 @@
 name = "Wakapi";
 nodes = {
- wakapiPsql = {
- services.wakapi = {
- enable = true;
- settings = {
- server.port = 3000; # upstream default, set explicitly in case upstream changes it
- db = {
- dialect = "postgres"; # `createLocally` only supports postgres
- host = "/run/postgresql";
- port = 5432; # service will fail if port is not set
- name = "wakapi";
- user = "wakapi";
+ wakapiPsql =
+ { pkgs, ... }:
+ {
+ services.wakapi = {
+ enable = true;
+ settings = {
+ server.port = 3000; # upstream default, set explicitly in case upstream changes it
+ db = {
+ dialect = "postgres"; # `createLocally` only supports postgres
+ host = "/run/postgresql";
+ port = 5432; # service will fail if port is not set
+ name = "wakapi";
+ user = "wakapi";
+ };
 };
+
+ # Automatically create our database
+ database.createLocally = true; # only works with Postgresql for now
+
+ # Created with `cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w ${1:-32} | head -n 1`
+ # In production you should use sops-nix, agenix or something alike.
+ environmentFiles = [
+ (pkgs.writeText "env" ''
+ WAKAPI_PASSWORD_SALT=NpqCY7eY7fMoIWYmPx5mAgr6YoSlXSuI
+ '')
+ ];
 };
-
- # Automatically create our database
- database.createLocally = true; # only works with Postgresql for now
-
- # Created with `cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w ${1:-32} | head -n 1`
- # Prefer passwordSaltFile in production.
- passwordSalt = "NpqCY7eY7fMoIWYmPx5mAgr6YoSlXSuI";
 };
- };
- wakapiSqlite = {
- services.wakapi = {
- enable = true;
- settings = {
- server.port = 3001;
- db = {
- dialect = "sqlite3";
- name = "wakapi";
- user = "wakapi";
+ wakapiSqlite =
+ { pkgs, ... }:
+ {
+ services.wakapi = {
+ enable = true;
+ settings = {
+ server.port = 3001;
+ db = {
+ dialect = "sqlite3";
+ name = "wakapi";
+ user = "wakapi";
+ };
 };
- };
- passwordSalt = "NpqCY7eY7fMoIWYmPx5mAgr6YoSlXSuI";
+ environmentFiles = [
+ (pkgs.writeText "env" ''
+ WAKAPI_PASSWORD_SALT=NpqCY7eY7fMoIWYmPx5mAgr6YoSlXSuI
+ '')
+ ];
+ };
 };
- };
 };
 # Test that service works under both postgresql and sqlite3
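Review bot: The same `pkgs.writeText "env"` expression is written out in both `wakapiPsql` and `wakapiSqlite`, so the two nodes can drift apart; if `pkgs` is reachable from the top of the test (the file header is outside the hunk), binding the file once and referencing it from both nodes would avoid that. The comment above `environmentFiles` in `wakapiPsql` could also state why the shortcut is test-only, for instance `# pkgs.writeText places the salt in the world-readable Nix store; acceptable in a VM test, not for a real deployment.`, and the `wakapiSqlite` node has no such comment at all.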