nixos/atlassian-jira: allow to store SSO password for crowd outside of the Nix store

The option `services.jira.sso.applicationPassword` has been replaced by
`applicationPasswordFile` that needs to be readable by the `jira`-user
or group.

The new `crowd.properties` is created on startup in `~jira` and the
secret is injected into it using `replace-secret`.
This commit is contained in:
Maximilian Bosch 2022-07-16 12:57:28 +02:00
parent 9ffd87773a
commit 765cc35042
No known key found for this signature in database
GPG key ID: 091DBF4D1FC46B8E
2 changed files with 35 additions and 21 deletions

View file

@ -8,21 +8,22 @@ let
pkg = cfg.package.override (optionalAttrs cfg.sso.enable {
enableSSO = cfg.sso.enable;
crowdProperties = ''
application.name ${cfg.sso.applicationName}
application.password ${cfg.sso.applicationPassword}
application.login.url ${cfg.sso.crowd}/console/
crowd.server.url ${cfg.sso.crowd}/services/
crowd.base.url ${cfg.sso.crowd}/
session.isauthenticated session.isauthenticated
session.tokenkey session.tokenkey
session.validationinterval ${toString cfg.sso.validationInterval}
session.lastvalidation session.lastvalidation
'';
});
crowdProperties = pkgs.writeText "crowd.properties" ''
application.name ${cfg.sso.applicationName}
application.password @NIXOS_JIRA_CROWD_SSO_PWD@
application.login.url ${cfg.sso.crowd}/console/
crowd.server.url ${cfg.sso.crowd}/services/
crowd.base.url ${cfg.sso.crowd}/
session.isauthenticated session.isauthenticated
session.tokenkey session.tokenkey
session.validationinterval ${toString cfg.sso.validationInterval}
session.lastvalidation session.lastvalidation
'';
in
{
@ -112,9 +113,9 @@ in
description = "Exact name of this JIRA instance in Crowd";
};
applicationPassword = mkOption {
applicationPasswordFile = mkOption {
type = types.str;
description = "Application password of this JIRA instance in Crowd";
description = "Path to the file containing the application password of this JIRA instance in Crowd";
};
validationInterval = mkOption {
@ -181,6 +182,7 @@ in
JIRA_HOME = cfg.home;
JAVA_HOME = "${cfg.jrePackage}";
CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions;
JAVA_OPTS = mkIf cfg.sso.enable "-Dcrowd.properties=${cfg.home}/crowd.properties";
};
preStart = ''
@ -191,6 +193,14 @@ in
-e 's,protocol="HTTP/1.1",protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${toString cfg.proxy.secure}",' \
'') + ''
${pkg}/conf/server.xml.dist > ${cfg.home}/server.xml
${optionalString cfg.sso.enable ''
install -m660 ${crowdProperties} ${cfg.home}/crowd.properties
${pkgs.replace-secret}/bin/replace-secret \
'@NIXOS_JIRA_CROWD_SSO_PWD@' \
${cfg.sso.applicationPasswordFile} \
${cfg.home}/crowd.properties
''}
'';
serviceConfig = {
@ -204,4 +214,10 @@ in
};
};
};
imports = [
(mkRemovedOptionModule [ "services" "jira" "sso" "applicationPassword" ] ''
Use `applicationPasswordFile` instead!
'')
];
}

View file

@ -3,7 +3,7 @@
, fetchurl
, gawk
, enableSSO ? false
, crowdProperties ? null
, makeWrapper
}:
stdenv.mkDerivation rec {
@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
sha256 = "sha256-Zog0m8tsx8mDLU1rsW5zhhHgyRmi4JGWuy9DV8yp9nY=";
};
nativeBuildInputs = [ makeWrapper ];
buildPhase = ''
mv conf/server.xml conf/server.xml.dist
ln -sf /run/atlassian-jira/server.xml conf/server.xml
@ -27,10 +29,6 @@ stdenv.mkDerivation rec {
substituteInPlace atlassian-jira/WEB-INF/classes/seraph-config.xml \
--replace com.atlassian.jira.security.login.JiraSeraphAuthenticator \
com.atlassian.jira.security.login.SSOSeraphAuthenticator
'' + lib.optionalString (crowdProperties != null) ''
cat <<EOF > atlassian-jira/WEB-INF/classes/crowd.properties
${crowdProperties}
EOF
'';
installPhase = ''
@ -41,6 +39,6 @@ stdenv.mkDerivation rec {
description = "Proprietary issue tracking product, also providing project management functions";
homepage = "https://www.atlassian.com/software/jira";
license = licenses.unfree;
maintainers = with maintainers; [ fpletz globin ciil megheaiulian techknowlogick ];
maintainers = with maintainers; [ fpletz globin ciil megheaiulian techknowlogick ma27 ];
};
}