Diffstat (limited to 'flake.nix')
-rw-r--r--flake.nix11
1 files changed, 11 insertions, 0 deletions
diff --git a/flake.nix b/flake.nix
index 0b0e039..4366190 100644
--- a/flake.nix
+++ b/flake.nix
@@ -124,6 +124,12 @@
             example = "/run/secrets/kittybox-shared-secret";
             description = "A shared secret that will, when passed, allow unlimited editing access to database. Keep it safe.";
           };
+          cookieSecretFile = mkOption {
+            type = types.str;
+            default = "/var/lib/kittybox/cookie_secret_key";
+            example = "/run/secrets/kittybox-cookie-secret";
+            description = "A secret file to encrypt cookies with the contents of. Should be at least 32 bytes in length. A random persistent file will be generated if this variable is left untouched.";
+          };
         };
       };
       config = lib.mkIf cfg.enable {
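Review bot: The description of the new cookieSecretFile option does not say who must be able to read the file, yet the service reads it at startup and will, by the option's own wording, generate one at the default path; the generation in the last hunk writes through a plain shell redirection with no `umask` or chmod visible, so the description should not imply the generated file is protected. I would reword the description to `description = "Path to a file whose contents are used as the cookie encryption key. It must be at least 32 bytes long and readable only by the service user. A random persistent file is generated at the default path if this option is left unchanged.";`. The default is also a literal that the startup script compares against verbatim, so a short `# keep in sync with the literal path checked in the service script` comment next to `default` would help whoever changes it later.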
@@ -139,6 +145,7 @@
             cfg.authorizationEndpoint
             cfg.internalTokenFile
             cfg.bind cfg.port
+            cfg.cookieSecretFile
           ];
 
           environment = {
@@ -151,6 +158,7 @@
             #REDIS_URI = if (cfg.redisUri == null) then "redis://127.0.0.1:6379/" else cfg.redisUri;
             BACKEND_URI = cfg.backendUri;
             RUST_LOG = "${cfg.logLevel}";
+            COOKIE_SECRET_FILE = "${cfg.cookieSecretFile}";
           };
 
           script = ''
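Review bot: The new `COOKIE_SECRET_FILE` line wraps a value that is already a `types.str` in `"${...}"`, which adds nothing and reads differently from the neighbouring `BACKEND_URI = cfg.backendUri;`; I would write it as `COOKIE_SECRET_FILE = cfg.cookieSecretFile;`. The `RUST_LOG` line above has the same redundant interpolation, but that is pre-existing. The enclosing `environment` attribute set starts outside this hunk.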
@@ -159,6 +167,9 @@
                 export KITTYBOX_INTERNAL_TOKEN=$(${pkgs.coreutils}/bin/cat ${cfg.internalTokenFile})
               fi
             ''}
+            if [[ ${cfg.cookieSecretFile} == /var/lib/kittybox/cookie_secret_key && ! -f /var/lib/kittybox/cookie_secret_key ]]; then
+                cat /dev/urandom | tr -Cd '[:alnum:]' | head -c 128 > /var/lib/kittybox/cookie_secret_key
+            fi
             exec ${cfg.package}/bin/kittybox
           '';