diff --git a/nixos/modules/services/web-apps/atlassian/jira.nix b/nixos/modules/services/web-apps/atlassian/jira.nix
index bc0bf43522e0..fd89d763c7fb 100644
--- a/nixos/modules/services/web-apps/atlassian/jira.nix
+++ b/nixos/modules/services/web-apps/atlassian/jira.nix
@@ -8,21 +8,22 @@ let
 
 pkg = cfg.package.override (optionalAttrs cfg.sso.enable {
 enableSSO = cfg.sso.enable;
- crowdProperties = ''
- application.name ${cfg.sso.applicationName}
- application.password ${cfg.sso.applicationPassword}
- application.login.url ${cfg.sso.crowd}/console/
-
- crowd.server.url ${cfg.sso.crowd}/services/
- crowd.base.url ${cfg.sso.crowd}/
-
- session.isauthenticated session.isauthenticated
- session.tokenkey session.tokenkey
- session.validationinterval ${toString cfg.sso.validationInterval}
- session.lastvalidation session.lastvalidation
- '';
 });
 
+ crowdProperties = pkgs.writeText "crowd.properties" ''
+ application.name ${cfg.sso.applicationName}
+ application.password @NIXOS_JIRA_CROWD_SSO_PWD@
+ application.login.url ${cfg.sso.crowd}/console/
+
+ crowd.server.url ${cfg.sso.crowd}/services/
+ crowd.base.url ${cfg.sso.crowd}/
+
+ session.isauthenticated session.isauthenticated
+ session.tokenkey session.tokenkey
+ session.validationinterval ${toString cfg.sso.validationInterval}
+ session.lastvalidation session.lastvalidation
+ '';
+
 in
 
 {
@@ -112,9 +113,9 @@ in
 description = "Exact name of this JIRA instance in Crowd";
 };
 
- applicationPassword = mkOption {
+ applicationPasswordFile = mkOption {
 type = types.str;
- description = "Application password of this JIRA instance in Crowd";
+ description = "Path to the file containing the application password of this JIRA instance in Crowd";
 };
 
 validationInterval = mkOption {
@@ -181,6 +182,7 @@ in
 JIRA_HOME = cfg.home;
 JAVA_HOME = "${cfg.jrePackage}";
 CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions;
+ JAVA_OPTS = mkIf cfg.sso.enable "-Dcrowd.properties=${cfg.home}/crowd.properties";
 };
 
 preStart = ''
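Review bot: The `@NIXOS_JIRA_CROWD_SSO_PWD@` placeholder in the new `crowdProperties` template (first hunk) carries no comment saying that it is filled in at service start, so a later edit could reintroduce `${...}` interpolation of a secret into a store file. I would add above the binding: `# Rendered without the password; preStart substitutes the placeholder via replace-secret so the secret never enters the Nix store.` The enclosing `let` block starts outside the hunk.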
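Review bot: The description of `applicationPasswordFile` (second hunk) does not say where the file must live or who must be able to read it. Since the option exists to keep the password out of the world-readable Nix store, the text should say so, e.g. `description = "Path to a file outside the Nix store containing the application password of this JIRA instance in Crowd. It must be readable by the user that runs preStart.";`, and an `example` with a runtime secrets path would help. Keeping `types.str` is the right choice, because a path literal would otherwise be copied into the store.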
@@ -191,6 +193,14 @@ in
 -e 's,protocol="HTTP/1.1",protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${toString cfg.proxy.secure}",' \
 '') + ''
 ${pkg}/conf/server.xml.dist > ${cfg.home}/server.xml
+
+ ${optionalString cfg.sso.enable ''
+ install -m660 ${crowdProperties} ${cfg.home}/crowd.properties
+ ${pkgs.replace-secret}/bin/replace-secret \
+ '@NIXOS_JIRA_CROWD_SSO_PWD@' \
+ ${cfg.sso.applicationPasswordFile} \
+ ${cfg.home}/crowd.properties
+ ''}
 '';
 
 serviceConfig = {
@@ -204,4 +214,10 @@ in
 };
 };
 };
+
+ imports = [
+ (mkRemovedOptionModule [ "services" "jira" "sso" "applicationPassword" ] ''
+ Use `applicationPasswordFile` instead!
+ '')
+ ];
 }
diff --git a/pkgs/servers/atlassian/jira.nix b/pkgs/servers/atlassian/jira.nix
index 6434a756bcd8..5b4d9d695f50 100644
--- a/pkgs/servers/atlassian/jira.nix
+++ b/pkgs/servers/atlassian/jira.nix
@@ -3,7 +3,7 @@
 , fetchurl
 , gawk
 , enableSSO ? false
-, crowdProperties ? null
+, makeWrapper
 }:
 
 stdenv.mkDerivation rec {
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 sha256 = "sha256-Zog0m8tsx8mDLU1rsW5zhhHgyRmi4JGWuy9DV8yp9nY=";
 };
 
+ nativeBuildInputs = [ makeWrapper ];
+
 buildPhase = ''
 mv conf/server.xml conf/server.xml.dist
 ln -sf /run/atlassian-jira/server.xml conf/server.xml
@@ -27,10 +29,6 @@ stdenv.mkDerivation rec {
 substituteInPlace atlassian-jira/WEB-INF/classes/seraph-config.xml \
 --replace com.atlassian.jira.security.login.JiraSeraphAuthenticator \
 com.atlassian.jira.security.login.SSOSeraphAuthenticator
- '' + lib.optionalString (crowdProperties != null) ''
- cat < atlassian-jira/WEB-INF/classes/crowd.properties
- ${crowdProperties}
- EOF
 '';
 
 installPhase = ''
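Review bot: `install -m660` in the added `preStart` lines leaves `crowd.properties`, which holds the Crowd application password once `replace-secret` has run, readable and writable by the file's group. `install -m600 ${crowdProperties} ${cfg.home}/crowd.properties` is enough for the substitution and for the service to read it. Which user ends up owning the file depends on who runs `preStart`, which this hunk does not show; if that is root, the owner must also be set to the service user. The interpolated paths are unquoted in the shell script, so `${escapeShellArg cfg.sso.applicationPasswordFile}` would be safer than the bare interpolation. The `preStart` string starts outside the hunk.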
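Review bot: The removal message `Use applicationPasswordFile instead!` in the added `imports` does not tell operators that the old option put the password into the package's `crowd.properties` in the Nix store. It stays readable there in existing store paths and generations after the upgrade. I would name the full option and advise rotation, e.g. `Use services.jira.sso.applicationPasswordFile instead. The previous value was written to the world-readable Nix store; rotate the Crowd application password.`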
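Review bot: `makeWrapper` is added as a function argument in the `-3,7` hunk and to `nativeBuildInputs` in the `-15,6` hunk, but no visible hunk calls `wrapProgram` or `makeWrapper`. If `installPhase`, which lies outside the diff, does not use it either, both additions can be dropped. Dropping the `crowdProperties` argument also makes any out-of-tree `override` that still passes it fail at evaluation, which deserves a release-note line.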
@@ -41,6 +39,6 @@ stdenv.mkDerivation rec {
 description = "Proprietary issue tracking product, also providing project management functions";
 homepage = "https://www.atlassian.com/software/jira";
 license = licenses.unfree;
- maintainers = with maintainers; [ fpletz globin ciil megheaiulian techknowlogick ];
+ maintainers = with maintainers; [ fpletz globin ciil megheaiulian techknowlogick ma27 ];
 };
 }