wordpress: replace the dbPassword option with dbPasswordFile

[basvandijk]

We shouldn't force users to store passwords in the world-readable Nix store so this commit replaces the dbPassword option with dbPasswordFile which should be set to a file that contains the wordpress DB password. Users can then provision this file however they want, either by storing it unsafely in the Nix store using pkgs.writeTextFile or safely using something like nixops key management.

It would be great if this can also be cherry-picked on release-17.03.

[mention-bot]

@basvandijk, thanks for your PR! By analyzing the history of the files in this pull request, we identified @qknight, @grahamc and @ehmry to be potential reviewers.

[globin]

I'd prefer to have both options.

[basvandijk]

@globin I prefer to make users conscious about the safety of their keys. An option like dbPassword kind of hides the fact that the key is stored in the world-readable Nix store. Of course documentation can help but not everybody reads that.

The dbPasswordFile option forces users to think where they are going to store the key.

Of course the old unsafe behaviour is easy to recreate using pkgs.writeTextFile as I do in the test.

[basvandijk]

@globin I changed my mind and followed your preference. dbPasswordFile now defaults to a file in the Nix store with the value of dbPassword. I added documentation to warn users about the security issues.

The nice thing is that this is also backwards compatible.

[LnL7]

It's possible to add warnings when using certain options.

[RonnyPfannschmidt]

btw, as is, this one is a breaking change

[basvandijk]

@RonnyPfannschmidt what breaks because of this change?

[RonnyPfannschmidt]

@basvandijk any user that has this already configured afterwards has a broken configuration, because the old thing is gone, there is not the slightest hint of a transition help either

[basvandijk]

@RonnyPfannschmidt the old thing isn't gone. The change should be backwards compatible.

[RonnyPfannschmidt]

indeed, i am sorry, i missed the pkgs.writeTextFile bit

[LnL7]

I'm not sure, but I think more complex defaults like this are usually moved to the implementation with a mkDefault

[globin]

Correct, otherwise the manual is rebuilt when dbPassword changes in your config.

[LnL7]

Also, where's the config attrset for this module?

[basvandijk]

@globin note that wordpress is not mentioned in the manual.

@LnL7 wordpress.nix is not a traditional NixOS module and doesn't have a config attribute. It should be used as:

{ 
  services.httpd.extraSubservices = [
    { serviceType = "wordpress";
      dbName = "...";
      themes = [];
      plugins = [];
    }
  ];
}

So there's no need and no place to use mkDefault.

[LnL7]

I see 😕. https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix#L145

[basvandijk]

Similarly to other web-apps I added an example to the dbPasswordFile option: "/run/keys/wordpress-dbpassword".

Is there anything that prevents this being mergeable?

[qknight]

love this concept, we should not stop at password(s) though. wordpress also contains other key materials as AUTH_KEY, AUTH_SALT, ... shown here:

 https://api.wordpress.org/secret-key/1.1/salt/

same is true for owncloud/nextcloud and so on.

[basvandijk]

@qknight thanks and I agree that AUTH_KEY and so forth should not be placed in the Nix store as well. However at the moment the wordpress module doesn't set these parameters so (apart from the dbPassword option) users aren't currently being forced to do something unsafe.

[basvandijk]

@qknight thanks for the merge! Can this also be cherry-picked on release-17.03? I would like to use this in production.

[basvandijk]

Hi @qknight, it would be great if you can cherry pick this on release-17.03.

[qknight]

@basvandijk added it to release-17.03 just now. please check if it works for you.