Open basvandijk opened 7 years ago
@basvandijk You can mark redmine as complete as of 18.09 as a passwordFile option has been added.
@basvandijk the owncloud module was removed so you can tick that off.
This is a related topic I started on Discourse: In configuration.nix can I read a value from a file?
services.mattermost.localDatabasePassword needs adjustment too.
Related is my PR which adds types.secretPath: https://github.com/NixOS/nixpkgs/pull/78640
List Updates
These options now exist:
services.grafana.database.passwordFile
services.grafana.security.secretKeyFile
services.grafana.security.adminPasswordFile
These options need an associated passwordFile option:
services.grafana.provision.datasources.*.password
services.grafana.provision.datasources.*.basicAuthPassword
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/any-default-config-for-reproducible-configurations/5268/17
services.mattermost.localDatabasePassword is not possible via file as well.
I think we should add to this list the mpd module, which now gets the ability to store its password "<pwd>@permissions" entry outside the store, at https://github.com/NixOS/nixpkgs/pull/95599 .
I just noticed that virtualisation.oci-containers.containers.<name>.environment doesn't allow scripting: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/oci-containers.nix#L242
Container environment variables are frequently used for secrets, too, thus I think we should provide an easy way to include them. I see a few different ways to solve this: an environmentFiles option that reads variables from files, similar to the passwordFile options.
UPDATE: For Vault it's not the optimal solution, but this approach can be suitable for other services that have secrets in (somewhat) arbitrary places in the config file BUT can not load multiple config files.
For hashicorp Vault here's a PR that lets you upload the config via NixOps or use any path. https://github.com/NixOS/nixpkgs/pull/107323
I don't think I've seen this approach before. Example config:
{ config, ... }:
{
services.vault.storageConfig = ''connection_url = "${somethingSensitive}"'';
services.vault.configPath = "/run/keys/vault.hcl";
users.users.vault.extraGroups = ["keys"];
deployment.keys."vault.hcl" = {
text = config.services.vault.configText;
user = "vault";
};
}
Note, vault storageConfig isn't super sensitive because a leak isn't supposed to affect confidentiality or integrity, but it will affect availability and accountability.
I'm trying to fix wpa_supplicant (networking.wireless) in #134618. Could anyone help by reviewing it?
There are now docs for how to handle this for new modules at https://github.com/NixOS/nixpkgs/pull/142282
These docs handle the easy part of the problem. They are about how to use secrets outside of the store, not how to manage the secrets themselves. Ideally we wouldn't need to push this complexity onto the user.
We can probably tick the networking.wireless.networks.*.psk box now that https://github.com/NixOS/nixpkgs/pull/134618 was merged.
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/agenix-encrypted-plaintext-passwords-and-builtins-readfile/18425/8
Some boxes can be checked (β done, π module removed, β option doesn't seem to exist anymore):
basicAuth β
services.almir.director_password π
services.btsync.httpPass π
services.buildbot-worker.workerPass β
services.cassandra.keyStorePassword β
services.cassandra.trustStorePassword β
services.cfdyndns.apikey β
services.coturn.cli-password β (can be stored as a hash)
services.coturn.static-auth-secret β
services.crowd.openidPassword β
services.dd-agent.api_key β (now services.datadog-agent.apiKeyFile)
services.ddclient.password β
services.frab.secretKeyBas π
services.grafana.database.password β (grafana-specific alternative pointed in option's doc)
services.grafana.security.adminPassword β (grafana-specific alternative pointed in option's doc)
services.grafana.security.secretKey β (grafana-specific alternative pointed in option's doc)
services.httpd.extraSubservices.* β (maybe I'm missing something)
services.panamax.secretKey π
services.prometheus.*.consul_sd_config.password β (now services.prometheus.scrapeConfigs.*.consul_sd_configs.*.basic_auth.password_file)
services.prometheus.*.scrape_config.basic_auth.password β (now services.prometheus.scrapeConfigs.*.consul_sd_configs.*.basic_auth.password_file)
services.redis.requirePass β (now services.redis.servers.<name>.requirePassFile)
services.tor.torsocks.socks5Password β (although it should maybe first be better documented that using systemd.services.tor.serviceConfig.EnvironmentFile is possible)
services.tt-rss.database.password β
services.wakeonlan.interfaces.*.password π
Maybe some insecure options appeared in new modules since then!
Is there a conclusion to this issue that specifies exactly what behaviour is?
Can someone edit the issue? @basvandijk maybe :)
Introduction
Dear module authors and maintainers,
We currently have many modules that force users to store their secrets in the world-readable Nix store. This is bad for security. We should give users the option of specifying their secrets in individual files which can be stored outside the Nix store with suitable ownership and permissions. Users could then also use nixops to manage their secret files. There's still the convenient but unsafe option of storing the secret file in the Nix store using pkgs.writeTextFile. If https://github.com/NixOS/nix/issues/8 gets resolved these files can be encrypted / made private. Also see: https://github.com/NixOS/rfcs/pull/5.
Proposal
The list below contains all the options that force a secret to be stored in the Nix store. I propose the following:
Each option should get a warning in the documentation of the form: "Warning: this secret is stored in the world-readable Nix store!"
Each option should get an alternative passwordFile option. For backwards compatibility the passwordFile option should get a default based on the password option:
Some upstream programs don't support setting a password using a file. In that case an issue should be created in the upstream issue-tracker asking for that feature. (See https://github.com/namecoin/namecoin-core/issues/148 for example). A URL to the issue should be placed in the list below and in the documentation of the password option so that it's easier to track when it gets resolved.
If after some time (let's use September 2017 for now) the upstream developers have not provided the feature to specify the password by file, the NixOS module should be changed such that the config file that contains the password is written to /run before the service starts up. So something like the following:
Let's use this issue for planning and to track progress. Please mention in the comments if you have provided a passwordFile option for one of the options below. Then I check the box to indicate it has been resolved. See PR https://github.com/NixOS/nixpkgs/pull/24146 for reference. If we make sure the new options are backwards compatible we could consider cherry-picking them onto release-17.03 making sure users get these security fixes ASAP.
Secret options
[x] basicAuth nixos/modules/services/web-servers/nginx/vhost-options.nix#L118 @globin
[x] networking.defaultMailServer.authPass nixos/modules/programs/ssmtp.nix#L92 PR: https://github.com/NixOS/nixpkgs/pull/24331
[x] networking.wireless.networks.*.psk nixos/modules/services/networking/wpa_supplicant.nix#L49 @edolstra
[x] security.duosec.skey nixos/modules/security/duosec.nix#L59 @thoughtpolice
[x] services.aiccu.password nixos/modules/services/networking/aiccu.nix#L48 @edwtjo mentions: SixXS is closing down its IPv6 tunnel in June so it doesn't seem worth the effort to create a patch for aiccu to support password files. Let's just remove the service in 0606.
[ ] services.almir.director_password nixos/modules/services/backup/almir.nix#L129 @domenkozar
[ ] services.bacula-dir.password nixos/modules/services/backup/bacula.nix#L313 @domenkozar Feature request for a PasswordFile parameter
[ ] services.bacula-[fd|sd].director.*.password nixos/modules/services/backup/bacula.nix#L114 @domenkozar See the feature request above.
[x] services.bepasty.servers.*.secretKey nixos/modules/services/misc/bepasty.nix#L72 @makefu PR: https://github.com/NixOS/nixpkgs/pull/24755
[ ] services.btsync.httpPass nixos/modules/services/networking/btsync.nix#L175 @thoughtpolice
[x] services.buildbot-worker.workerPass nixos/modules/services/continuous-integration/buildbot/worker.nix#L56 @nand0p
[x] services.cadvisor.storageDriverPassword nixos/modules/services/monitoring/cadvisor.nix#L54 @offlinehacker PR: https://github.com/NixOS/nixpkgs/pull/24341
[ ] services.cassandra.keyStorePassword nixos/modules/services/databases/cassandra.nix#L236 @cransom See: https://issues.apache.org/jira/browse/CASSANDRA-13428
[ ] services.cassandra.trustStorePassword nixos/modules/services/databases/cassandra.nix#L241 @cransom See: https://issues.apache.org/jira/browse/CASSANDRA-13428
[ ] services.cgminer.pools.*.password nixos/modules/services/misc/cgminer.nix#L60 @offlinehacker
[ ] services.cjdns.authorizedPasswords nixos/modules/services/networking/cjdns.nix#L103 @ehmry
[x] services.cfdyndns.apikey nixos/modules/services/misc/cfdyndns.nix#L20 @colemickens
[x] services.coturn.cli-password nixos/modules/services/networking/coturn.nix#L249 @Ralith
[x] services.coturn.static-auth-secret nixos/modules/services/networking/coturn.nix#L174 @Ralith
[ ] services.cpuminer-cryptonight.pass nixos/modules/services/misc/cpuminer-cryptonight.nix#L38 @ehmry
[x] services.crowd.openidPassword nixos/modules/services/web-apps/atlassian/crowd.nix#L53 @fpletz @globin
[x] services.dd-agent.api_key nixos/modules/services/monitoring/dd-agent.nix#L112 @shlevy
[ ] services.ddclient.password nixos/modules/services/networking/ddclient.nix#L47 @rbvermaa
[ ] services.factorio.game-password nixos/modules/services/games/factorio.nix#L144 @elitak
[ ] services.factorio.password nixos/modules/services/games/factorio.nix#L130 @elitak
[ ] services.frab.secretKeyBas nixos/modules/services/web-apps/frab.nix#L118 @fpletz
[ ] services.gammu-smsd.backend.sql.password nixos/modules/services/misc/gammu-smsd.nix#L192 @zohl
[x] services.gitlab.databasePassword nixos/modules/services/misc/gitlab.nix#L203 @fpletz @offlinehacker PR: #31358
[x] services.gitlab.secrets.secret nixos/modules/services/misc/gitlab.nix#L326 @fpletz @offlinehacker PR: #31358
[x] services.gitlab.smtp.password nixos/modules/services/misc/gitlab.nix#L295 @fpletz @offlinehacker
[x] services.gogs.database.password nixos/modules/services/misc/gogs.nix#L102 @schneefux PR: https://github.com/NixOS/nixpkgs/pull/25116
[x] services.grafana.database.password nixos/modules/services/monitoring/grafana.nix#L137 @offlinehacker
[x] services.grafana.security.adminPassword nixos/modules/services/monitoring/grafana.nix#L157 @offlinehacker
[x] services.grafana.security.secretKey nixos/modules/services/monitoring/grafana.nix#L163 @offlinehacker
[ ] services.graylog.passwordSecret nixos/modules/services/logging/graylog.nix#L68 @fadenb
[ ] services.graylog.rootPasswordSha2 nixos/modules/services/logging/graylog.nix#L82 @fadenb
[ ] services.hologram-server.ldapBindPassword nixos/modules/services/security/hologram-server.nix#L68 @nand0p
[x] services.hostapd.wpaPassphrase nixos/modules/services/networking/hostapd.nix#L124
[x] services.httpd.extraSubservices..."limesurvey"...adminPassword nixos/modules/services/web-servers/apache-httpd/limesurvey.nix#L143 @offlinehacker
[x] services.httpd.extraSubservices..."limesurvey"...dbPassword nixos/modules/services/web-servers/apache-httpd/limesurvey.nix#L131 @offlinehacker
[x] services.httpd.extraSubservices..."mediawiki"...dbPassword nixos/modules/services/web-servers/apache-httpd/mediawiki.nix#L207 @shlevy @ip1981
[x] services.httpd.extraSubservices..."owncloud"...adminPassword nixos/modules/services/web-servers/apache-httpd/owncloud.nix#L403 @matejc
[x] services.httpd.extraSubservices..."owncloud"...dbPassword nixos/modules/services/web-servers/apache-httpd/owncloud.nix#L429 @matejc
[x] services.httpd.extraSubservices..."owncloud"...SMTPPass nixos/modules/services/web-servers/apache-httpd/owncloud.nix#L527 @matejc
[x] services.httpd.extraSubservices..."wordpress"...dbPassword nixos/modules/services/web-servers/apache-httpd/wordpress.nix#L138 @qknight PR: https://github.com/NixOS/nixpkgs/pull/24146
[ ] services.i2pd.proto.http.pass nixos/modules/services/networking/i2pd.nix#L351 @edwtjo
[ ] services.icecast.admin.password nixos/modules/services/audio/icecast.nix#L62 @k0ral
[x] services.longview.mysqlPassword nixos/modules/services/monitoring/longview.nix#L78 @rvl PR: https://github.com/NixOS/nixpkgs/pull/24366
[x] services.matrix-synapse.macaroon_secret_key nixos/modules/services/misc/matrix-synapse.nix#L545 @roblabla
[x] services.matrix-synapse.registration_shared_secret nixos/modules/services/misc/matrix-synapse.nix#L453 @roblabla
[x] services.matrix-synapse.turn_shared_secret nixos/modules/services/misc/matrix-synapse.nix#L434 @roblabla
[x] services.matrix-synapse.recaptcha_private_key nixos/modules/services/misc/matrix-synapse.nix#L404 @roblabla
[ ] services.mattermost.localDatabasePassword nixos/modules/services/web-apps/mattermost.nix#L108 @fpletz
[x] services.murmur.password nixos/modules/services/networking/murmur.nix#L105 @thoughtpolice
[ ] services.mysql.replication.masterPassword nixos/modules/services/databases/mysql.nix#L149 @edolstra
[ ] services.namecoind.rpc.password nixos/modules/services/networking/namecoind.nix#L90 @rnhmjoj See: https://github.com/namecoin/namecoin-core/issues/148
[ ] services.nntp-proxy.upstreamPassword nixos/modules/services/networking/nntp-proxy.nix#L99 @fadenb
[ ] services.oauth2_proxy.cookie.secret nixos/modules/services/security/oauth2_proxy.nix#L371 @jml
[ ] services.panamax.secretKey nixos/modules/services/cluster/panamax.nix#L63 @matejc
[x] services.prometheus.*.consul_sd_config.password nixos/modules/services/monitoring/prometheus/default.nix#L243 @fpletz @doshitan
[ ] services.prometheus.*.scrape_config.basic_auth.password nixos/modules/services/monitoring/prometheus/default.nix#L128 @fpletz @doshitan
[ ] services.prometheus.unifiExporter.unifiPassword nixos/modules/services/monitoring/prometheus/unifi-exporter.nix#L45 @fpletz @doshitan
[x] services.redis.requirePass nixos/modules/services/databases/redis.nix#L160 @offlinehacker
[x] services.redmine.databasePassword nixos/modules/services/misc/redmine.nix#L103 @domenkozar
[ ] services.redsocks.redsocks.password nixos/modules/services/networking/redsocks.nix#L109 @Ekleog
[ ] services.rippleDataApi.couchdb.pass nixos/modules/services/misc/ripple-data-api.nix#L109 @offlinehacker
[ ] services.rippled.ports.*.password nixos/modules/services/misc/rippled.nix#L114 @ehmry
[ ] services.selfoss.database.password nixos/modules/services/web-apps/selfoss.nix#L89 @regnat
[ ] services.terraria..password nixos/modules/services/games/terraria.nix#L50 @pshendry @garbas
[ ] services.tor.torsocks.socks5Password nixos/modules/services/security/torsocks.nix#L89 @thoughtpolice
[x] services.tt-rss.database.password nixos/modules/services/web-apps/tt-rss.nix#L163 @zohl
[x] services.tt-rss.email.password nixos/modules/services/web-apps/tt-rss.nix#L291 @zohl
[ ] services.wakeonlan.interfaces.*.password nixos/modules/services/networking/wakeonlan.nix#L32
[ ] services.yandex-disk.password nixos/modules/services/network-filesystems/yandex-disk.nix#L38 @grwlf @7c6f434c
[x] services.zabbixServer.dbPassword nixos/modules/services/monitoring/zabbix-server.nix#L66 @robberer
This list was compiled by running the following in <nixpkgs> and manually inspecting and processing the result:
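The proposal in the issue body (a documentation warning on the store-backed option, an alternative passwordFile option whose default is derived from password for backwards compatibility, and a config file that is rendered into /run right before the daemon starts) as a complete NixOS module, added here as an example. It is not part of the issue, not code from nixpkgs, and not the listing command the issue says it ran. services.example, its option names, the example user and pkgs.hello standing in for the real daemon are all hypothetical; it assumes pkgs.replace-secret, which exists in current nixpkgs but did not when the issue was opened, and the keys group is only relevant if passwordFile is a NixOps deployment key under /run/keys, as in the Vault comment above.

```nix
# Added example, not from the issue or nixpkgs. "services.example" and the user
# "example" are hypothetical names; pkgs.hello stands in for a real daemon.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.example;

  # The template lives in the Nix store, so it must only contain a placeholder.
  configTemplate = pkgs.writeText "example.conf" ''
    listen = 127.0.0.1:8080
    db_password = @DB_PASSWORD@
  '';

  runtimeConfig = "/run/example/example.conf";
in
{
  options.services.example = {
    enable = lib.mkEnableOption "the hypothetical example service";

    password = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        Database password.
        Warning: this secret is stored in the world-readable Nix store!
        Prefer services.example.passwordFile.
      '';
    };

    passwordFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      # Backwards compatibility: if the deprecated option is set, write it to the
      # store exactly as before, so existing configurations keep working.
      default =
        if cfg.password != null
        then pkgs.writeText "example-db-password" cfg.password
        else null;
      defaultText = lib.literalExpression "pkgs.writeText \"example-db-password\" cfg.password";
      description = ''
        File containing the database password, kept outside the Nix store,
        e.g. /run/keys/example-db-password. Must be readable by the service user.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [{
      assertion = cfg.passwordFile != null;
      message = "services.example: set passwordFile (or the deprecated password option).";
    }];

    warnings = lib.optional (cfg.password != null)
      "services.example.password puts the secret in the world-readable Nix store; use passwordFile.";

    systemd.services.example = {
      description = "Example service reading its secret from outside the store";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # Runs as the service user just before ExecStart. The rendered file is
      # created mode 0600 inside a private runtime directory, and replace-secret
      # reads the secret from the file, so it never shows up on a command line.
      preStart = ''
        umask 077
        install -m 0600 ${configTemplate} ${runtimeConfig}
        ${pkgs.replace-secret}/bin/replace-secret '@DB_PASSWORD@' ${lib.escapeShellArg cfg.passwordFile} ${runtimeConfig}
      '';

      serviceConfig = {
        User = "example";
        Group = "example";
        RuntimeDirectory = "example";        # /run/example, owned by the user, removed on stop
        RuntimeDirectoryMode = "0700";
        ExecStart = "${pkgs.hello}/bin/hello"; # stand-in; a real daemon would take ${runtimeConfig}
      };
    };

    users.users.example = {
      isSystemUser = true;
      group = "example";
      extraGroups = [ "keys" ]; # only needed for NixOps keys under /run/keys
    };
    users.groups.example = { };
  };
}
```

Two properties are worth checking on a module written this way: running preStart as the service user (no PermissionsStartOnly) means the rendered file is never root-owned and the unit fails loudly if passwordFile is unreadable by that user, and the only path by which the secret can reach the store is the deprecated password option, which the warning makes visible at evaluation time.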