eikek / docspell

Assist in organizing your piles of documents, resulting from scanners, e-mails and other sources with minimal effort.
https://docspell.org
GNU Affero General Public License v3.0
1.51k stars, 116 forks

Nix module: secure config file #2699

Closed. ivanbrennan closed this 1 day ago

ivanbrennan commented 3 days ago

Update the NixOS module to handle config files more securely.

This addresses some of the low-hanging fruit identified in #2451.

1) Stop writing config files to the world-readable nix store

Instead, write to /etc/docspell-restserver.conf and /etc/docspell-joex.conf readable only by the docspell user.

2) Provide a configFile option

Allow the user to specify the path to a config file. They can use this to point to a file they've secured with their preferred secret management scheme (to avoid leaking sensitive info in the nixos configuration itself).

Only generate a config file if this option is left unspecified.


Example usage: https://codeberg.org/ivanbrennan/nixos-config/commit/0d34b183dfe3e04421cb6044e67d974b83260630
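The two changes described in the PR, as an added illustrative NixOS module fragment (this is not docspell's own `nix/modules` code, and the option path `services.docspell-restserver`, the `baseUrl` setting, the generated config body, the `docspell` user and group, and the `pkgs.docspell-restserver` package are all assumed placeholders):

```nix
# Added example, not the docspell project's module. Names below are assumptions.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.docspell-restserver;

  # Placeholder config body; the real module generates the full HOCON file.
  generated = ''
    docspell.server {
      base-url = "${cfg.baseUrl}"
    }
  '';

  # Path the service will read: the operator-supplied file if given,
  # otherwise the file this module generates under /etc.
  effectiveConfig =
    if cfg.configFile != null then toString cfg.configFile
    else "/etc/docspell-restserver.conf";
in
{
  options.services.docspell-restserver = {
    baseUrl = lib.mkOption {
      type = lib.types.str;
      default = "http://localhost:7880";
      description = "Assumed example setting.";
    };

    # 2) configFile option: point at a file secured by the operator's own
    # secret management, so secrets never enter the NixOS configuration.
    configFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = "Path to a config file managed outside the NixOS configuration.";
    };
  };

  config = {
    # 1) Only generate a file when no configFile was given, and install it
    # under /etc readable only by the docspell user. A non-"symlink" mode
    # makes NixOS copy the file into /etc instead of symlinking to the store.
    environment.etc."docspell-restserver.conf" = lib.mkIf (cfg.configFile == null) {
      text = generated;
      user = "docspell";
      group = "docspell";
      mode = "0400";
    };

    systemd.services.docspell-restserver.serviceConfig = {
      User = "docspell";
      Group = "docspell";
      # Assumed package attribute and CLI shape; adjust to the real launcher.
      ExecStart = "${pkgs.docspell-restserver}/bin/docspell-restserver ${effectiveConfig}";
    };
  };
}
```

One caveat worth checking on any module written this way: `environment.etc.<name>.text` is realised through a store derivation, so the generated content still exists world-readable under /nix/store even though the copy in /etc is mode 0400. The restrictive mode protects the /etc copy only; anything genuinely secret (database passwords, auth keys) should therefore arrive via `configFile` from a secrets manager rather than through generated `text`, which is the point of the second change.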

eikek commented 1 day ago

Thank you very much!