NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

services.openvpn.servers.<name>.authUserPass should allow paths #312283

Open tbaumann opened 4 months ago

tbaumann commented 4 months ago
services.openvpn.servers.<name>.authUserPass.password = "SECRET";

is very useful. But it is also quite a bad pattern, because it exposes the password in the clear in the config and in the Nix store.

Most NixOS users use agenix for this purpose. But using strings is still a total antipattern and not compatible with agenix best practices.

It would be best if services.openvpn.servers.<name>.authUserPass could also be of type path, pointing to a local file (outside of the Nix store!) that is read at runtime.

bad

authUserPass.password = builtins.readFile config.age.secrets.stack_baumann-cbxgate_cbxnet_de-password.path; 

good

authUserPass = config.age.secrets.stack_baumann-cbxgate_cbxnet_de-password.path; 

Expected behavior

Allow paths for authUserPass.

Notify maintainers

@viric @peterhoeg

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

› nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.8.9, NixOS, 24.05 (Uakari), 24.05.20240512.3281bec`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.2`
 - nixpkgs: `/nix/store/y1nw9w1s0ly6442igksfq29v0cfbnmfd-source`

Add a :+1: reaction to issues you find important.
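The claim above (a string secret ends up in the Nix store) is easy to verify on a running system. The shell snippet below is an added example, not code from the issue or from nixpkgs: `secret_leaked` greps a set of directories for the first line of a secret file, and the demo feeds it two constructed "store paths", one written the way the `authUserPass.password` string option generates its credentials file, one written the way a path-based config does. The secret value `hunter2`, the agenix path `/run/agenix/foobar-auth-user-pass` and the server name `foobar` are assumptions for the demo; the commented `nix-store -qR /run/current-system` invocation is the real command you would use on a NixOS host but is not run here.

```shell
#!/bin/sh
# Added example, not code from the issue or from nixpkgs: check whether the
# contents of a secret file show up anywhere inside a set of directories.
# On NixOS the directories would be the store closure of the running system;
# the demo at the bottom uses constructed temporary paths instead.

# secret_leaked SECRET_FILE DIR...
#   Exit 0 (and print the files) if the first line of SECRET_FILE occurs in any
#   regular file below the given directories, exit 1 if it does not, exit 2 if
#   the secret is empty (an empty grep pattern would match every file).
secret_leaked() {
    secret_file=$1
    shift
    secret=$(head -n 1 "$secret_file")
    if [ -z "$secret" ]; then
        echo "secret_leaked: $secret_file is empty, refusing to scan" >&2
        return 2
    fi
    # -F: the secret is a literal string, not a regex; -l: print matching files
    hits=$(find "$@" -type f -exec grep -lF -- "$secret" '{}' + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf 'secret found in: %s\n' "$hits"
        return 0
    fi
    return 1
}

# Real use on a NixOS host (assumed paths, not run here): scan every store
# path referenced by the current system closure for the agenix-managed password.
#   secret_leaked /run/agenix/foobar-auth-user-pass $(nix-store -qR /run/current-system)

# Constructed demo: one "store path" written the way the string option
# `authUserPass.password = "hunter2"` produces its credentials file (the
# leak the issue describes), one written the way a path-based config does.
demo() {
    tmp=$(mktemp -d)
    printf 'hunter2\n' > "$tmp/secret"
    mkdir -p "$tmp/store/bad-openvpn-foobar" "$tmp/store/good-openvpn-foobar"
    # String option: username and password are copied into a store file.
    printf 'vpnuser\nhunter2\n' > "$tmp/store/bad-openvpn-foobar/auth"
    # Path option: the store only holds the runtime path of the secret.
    printf 'auth-user-pass /run/agenix/foobar-auth-user-pass\n' \
        > "$tmp/store/good-openvpn-foobar/openvpn.conf"

    secret_leaked "$tmp/secret" "$tmp/store/bad-openvpn-foobar" \
        && echo "string config leaks the password (expected)"
    secret_leaked "$tmp/secret" "$tmp/store/good-openvpn-foobar" \
        || echo "path config does not leak the password (expected)"
    rm -rf "$tmp"
}

demo
```

Because the Nix store is world-readable, a hit from this check on a real closure means every local user (and every host that receives the closure via `nix copy` or a binary cache) can read the VPN password; only a store path that contains nothing but the runtime path of the secret is acceptable.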

tbaumann commented 4 months ago

For anyone looking for a workaround

```nix
services.openvpn.servers = {
  foobar = {
    # Keep the real OpenVPN config and the username/password file out of the
    # Nix store: both are agenix secrets decrypted at boot, and the generated
    # config only references their runtime paths.
    config = ''
      config ${config.age.secrets.foobar-ovpn.path}
      auth-user-pass ${config.age.secrets.foobar-auth-user-pass.path}
    '';
    # Leave this false: with updateResolvConf = true the module adds its own
    # update-resolv-conf up/down hooks, which conflict with the
    # update-systemd-resolved hooks.
    updateResolvConf = false;
    # Uncomment these two lines if you can't use the
    # programs.update-systemd-resolved option below because you don't have
    # the update-systemd-resolved flake:
    # up = "${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved";
    # down = "${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved";
  };
};
# The server name here must match the services.openvpn.servers entry above.
programs.update-systemd-resolved.servers.foobar.includeAutomatically = true;
```

tbaumann commented 4 months ago

Sub-issue, as you can see above: openvpn doesn't use update-systemd-resolved when updateResolvConf is used, which I think is the default in NixOS, or at least very common.