RFC: support loading tokens from files

book/default.nix

@@ -1,4 +1,5 @@
-{ lib, stdenv, nix-gitignore, mdbook, mdbook-linkcheck, python3, callPackage, writeScript
+{ lib, stdenv, nix-gitignore, mdbook, mdbook-linkcheck, python3, callPackage, writeScript, nixosOptionsDoc
+, eval
 , attic ? null
 }:
 
@@ -8,6 +9,39 @@ let
       inherit attic;
     };
   in if attic != null then help else null;
+
+  optionsDoc = nixosOptionsDoc {
+    inherit (eval) options;
+
+    # Default is currently "appendix".
+    documentType = "none";
+
+    # Only produce Markdown
+    allowDocBook = false;
+    markdownByDefault = true;
+
+    warningsAreErrors = false;
+
+    transformOptions = let
+      ourPrefix = "${toString ../.}/";
+    in
+      opt:
+        opt
+        // {
+          # Disappear anything that's not one of ours.
+          visible = opt.visible && lib.hasInfix "atticd" opt.name;
+          declarations = map (decl: let
+            name = lib.removePrefix ourPrefix decl;
+          in
+            if lib.hasPrefix ourPrefix decl
+            then {
+              inherit name;
+              url = "https://github.com/zhaofengli/attic/blob/main/${name}";
+            }
+            else decl)
+          opt.declarations;
+        };
+  };
 in stdenv.mkDerivation {
   inherit colorizedHelp;
 
@@ -32,6 +66,11 @@ in stdenv.mkDerivation {
     emitColorizedHelp atticd
     emitColorizedHelp atticadm
 
+    {
+      echo "# NixOS Module Options"
+      cat ${optionsDoc.optionsCommonMark}
+    } >> src/reference/nixos-module-options.md
+
     mdbook build -d ./build
     cp -r ./build $out
   '';

book/src/SUMMARY.md

@@ -11,3 +11,4 @@
     - [attic](./reference/attic-cli.md)
     - [atticd](./reference/atticd-cli.md)
     - [atticadm](./reference/atticadm-cli.md)
+    - [NixOS module options](./reference/nixos-module-options.md)

book/src/reference/README.md

@@ -5,3 +5,4 @@ This section contains detailed listings of options and parameters accepted by At
 - [`attic` CLI](./attic-cli.md)
 - [`atticd` CLI](./atticd-cli.md)
 - [`atticadm` CLI](./atticadm-cli.md)
+- [NixOS module options](./reference/nixos-module-options.md)

flake.nix

@@ -47,10 +47,40 @@
       ))
     ];
 
-  in flake-parts.lib.mkFlake { inherit inputs; } {
+  in flake-parts.lib.mkFlake { inherit inputs; } ({ inputs, self, ... }: {
     imports = modules;
     systems = supportedSystems;
 
     debug = true;
-  };
+
+    flake.nixosConfigurations.example = inputs.nixpkgs.lib.nixosSystem {
+      modules = [
+        self.nixosModules.atticd
+
+        ({ pkgs, ... }: {
+          nixpkgs.hostPlatform = "x86_64-linux";
+          services.atticd = {
+            enable = true;
+            credentials.server-token-rs256-secret-base64-file = pkgs.runCommand "rs256.pkcs11.b64" {} ''
+              ${lib.getExe pkgs.openssl} genrsa -traditional 4096 | base64 -w0 > "$out"
+            '';
+            credentials."foo*".import = true;
+            credentials."foo*".encrypted = true;
+            credentials.this.value = "that";
+            credentials.this.encrypted = true;
+            credentials.this.set = true;
+            settings = {
+              jwt = { };
+              chunking = {
+                nar-size-threshold = 1;
+                min-size = 64 * 1024;
+                avg-size = 128 * 1024;
+                max-size = 256 * 1024;
+              };
+            };
+          };
+        })
+      ];
+    };
+  });
 }

flake/packages.nix

@@ -79,7 +79,8 @@ in
           };
 
           book = pkgs.callPackage ../book {
-            attic = self'.packages.attic;
+            inherit (self'.packages) attic;
+            eval = self.nixosConfigurations.example;
           };
         };
       }

integration-tests/basic/default.nix

@@ -1,6 +1,7 @@
 { pkgs, lib, config, flake, attic, ... }:
 let
   inherit (lib) types;
+  inherit (import ./keys.nix pkgs) snakeOilRsaPrivateKeyBase64 snakeOilRsaPrivateKeyBase64Text;
 
   serverConfigFile = config.nodes.server.services.atticd.configFile;
 
@@ -122,6 +123,38 @@ let
       '';
     };
   };
+
+  tokenModules = {
+    environmentFile = {
+      server = {
+        services.atticd.environmentFile = "/etc/atticd.env";
+      };
+    };
+
+    loadCredentialEncrypted = let
+      enc = "/run/rs256.pkcs11.b64.enc";
+    in {
+      server = {
+        services.atticd.credentials.server-token-rs256-secret-base64-file = {
+          encrypted = true;
+          value = enc;
+        };
+      };
+
+      testScript = ''
+        server.succeed("systemd-creds encrypt --name=server-token-rs256-secret-base64-file ${snakeOilRsaPrivateKeyBase64} ${enc}")
+      '';
+    };
+
+    setCredential = {
+      server = {
+        services.atticd.credentials.server-token-rs256-secret-base64-file = cred: {
+          set = true;
+          value = snakeOilRsaPrivateKeyBase64Text;
+        };
+      };
+    };
+  };
 in {
   options = {
     database = lib.mkOption {
@@ -132,27 +165,30 @@ in {
       type = types.enum [ "local" "minio" ];
       default = "local";
     };
+    token = lib.mkOption {
+      type = types.enum [ "environmentFile" "loadCredentialEncrypted" "setCredential" ];
+      default = "environmentFile";
+    };
   };
 
   config = {
-    name = "basic-${config.database}-${config.storage}";
+    name = "basic-${config.database}-${config.storage}-${config.token}";
 
     nodes = {
       server = {
         imports = [
           flake.nixosModules.atticd
           (databaseModules.${config.database}.server or {})
           (storageModules.${config.storage}.server or {})
+          (tokenModules.${config.token}.server or {})
         ];
 
-        # For testing only - Don't actually do this
         environment.etc."atticd.env".text = ''
-          ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64='LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBekhqUzFGKzlRaFFUdlJZYjZ0UGhxS09FME5VYkIraTJMOTByWVBNQVVoYVBUMmlKCmVUNk9vWFlmZWszZlZ1dXIrYks1VWFVRjhUbEx2Y1FHa1Arckd0WDRiQUpGTWJBcTF3Y25FQ3R6ZGVERHJnSlIKMGUvNWJhdXQwSS9YS0ticG9oYjNvWVhtUmR5eG9WVGE3akY1bk11ajBsd25kUTcwYTF1ZGkzMGNpYkdTWHZMagpVeGltL3ByYjUrV3ZPdjN4UnhlbDZHYmptUW1RMVBHeHVLcmx3b1ZKRnlWTjl3QmExajBDelJDcURnTFRwQWw0CjhLVWlDY2V1VUZQcmdZaW9vSVhyVExlWmxVbFVVV3FHSDBJbGFKeVUyQ05iNWJtZWM1TnZ4RDlaakFoYytucmgKRS80VzkxajdQMFVyQnp4am9NUTRlKzBPZDhmQnBvSDAwbm4xUXdJREFRQUJBb0lCQUE2RmxEK21Ed3gyM1pJRAoxSGJBbHBuQ0IwaEhvbFJVK0Q5OC96d3k5ZlplaU00VWVCTUcyTjFweE1HTWIweStqeWU4UkVJaXJNSGRsbDRECllvNEF3bmUwODZCRUp3TG81cG4vOVl2RjhqelFla1ZNLzkrZm9nRGlmUVUvZWdIMm5NZzR4bHlQNUhOWXdicmEKQ25SNVNoQlRQQzdRQWJOa0hRTFU3bUwrUHowZUlXaG9KWVRoUUpkU0g3RDB0K1QwZzVVNDdPam5qbXJaTWwxaApHOE1IUHhKMk5WU1l2N0dobnpjblZvcVVxYzlxeldXRDZXZERtV1BPNGJ1K2p0b2E2U2o4cjJtb0RRZ1A5YXNhCm93RUFJbHBmbVkxYUx2dENwWG4rejRTTWJKcHRXMlVvaktGa2dkYm9jZmtXYWdtSGZRa2xmS0dBQ0hibU9ZV24KeDRCbTU3a0NnWUVBN1dXaXJDZnBRR01hR3A2WWxMQlVUc1VJSXJOclF4UmtuRlc3dFVYd0NqWFZ5SDlTR3FqNgphTkNhYzZpaks3QVNBYXlxY1JQRjFPY2gyNmxpVmRKUHNuRGxwUjhEVXB2TzRVOVRzSTJyZ1lZYzNrSWkzVGFKClgzV0Vic1Z6Nk45WXFPSXlnVnZiTEhLS0F4Uyt4b1Z2SjkzQmdWRHN5SkxRdmhrM3VubXk3M2tDZ1lFQTNINnYKeUhOKzllOVAyOS9zMVY1eWZxSjdvdVdKV0lBTHFDYm9zOTRRSVdPSG5HRUtSSGkydWIzR0d6U2tRSzN1eTUrdQo4M0txaFJOejRVMkdOK1pLaFE0NHhNVmV4TUVvZzJVU3lTaVZ0cFdqWXBwT2Q1NnVaMzRWaFU2TWRNZS9zT0JnCnNoei84MUxUSis2cHdFZE9wV2tPVlRaMXJISlZXQmdtVk5qWjc1c0NnWUVBNVd5YjBaU2dyMEVYTVRLa2NzNFcKTENudXV0cDZodEZtaWsrd29IZCtpOStMUThFSU1BdXVOUzJrbHJJYlAxVmhrWXkxQzZMNFJkRTV2M2ZyT05XUApmL3ZyYzdDTkhZREdacWlyVUswWldvdXB5b0pQLzBsOWFXdkJHT3hxSUZ2NDZ2M3ZvV1NNWkdBdFVOenpvaGZDClhOeks3WmF2dndka0JOT0tNQVQ5RU1FQ2dZRUF3NEhaWDRWNUo1d2dWVGVDQ2RjSzhsb2tBbFpBcUNZeEw5SUEKTjZ4STVUSVpSb0dNMXhXcC81dlRrci9rZkMwOU5YUExiclZYbVZPY1JrTzFKTStmZDhjYWN1OEdqck11dHdMaAoyMWVQR0N3cWlQMkZZZTlqZVFTRkZJU0hhZXpMZll3V2NSZmhvdURudGRxYXpaRHNuU0kvd1RMZXVCOVFxU0lRCnF0NzByczBDZ1lCQ2lzV0VKdXpQUUlJNzVTVkU4UnJFZGtUeUdhOEVBOHltcStMdDVLRDhPYk80Q2JHYVFlWXkKWFpjSHVyOFg2cW1lWHZVU3MwMHBMMUdnTlJ3WCtSUjNMVDhXTm9vc0NqVDlEUW9GOFZveEtseDROVTRoUGlrTQpBc0w1RS9wYnVLeXkvSU5LTnQyT3ZPZmJYVitlTXZQdGs5c1dORjNyRTBYcU15TW9maG9NaVE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo='
+          ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64='${snakeOilRsaPrivateKeyBase64Text}'
         '';
 
         services.atticd = {
           enable = true;
-          environmentFile = "/etc/atticd.env";
           settings = {
             listen = "[::]:8080";
 
@@ -184,6 +220,9 @@ in {
 
       ${databaseModules.${config.database}.testScript or ""}
       ${storageModules.${config.storage}.testScript or ""}
+      ${tokenModules.${config.token}.testScript or ""}
+
+      server.succeed('systemctl cat atticd.service 1>&2')
 
       server.wait_for_unit('atticd.service')
       client.wait_until_succeeds("curl -sL http://server:8080", timeout=40)
@@ -275,6 +314,7 @@ in {
 
       ${databaseModules.${config.database}.testScriptPost or ""}
       ${storageModules.${config.storage}.testScriptPost or ""}
+      ${tokenModules.${config.token}.testScriptPost or ""}
     '';
   };
 }

integration-tests/basic/keys.nix

@@ -0,0 +1,7 @@
+pkgs: let
+  snakeOilRsaPrivateKeyBase64Text = "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBekhqUzFGKzlRaFFUdlJZYjZ0UGhxS09FME5VYkIraTJMOTByWVBNQVVoYVBUMmlKCmVUNk9vWFlmZWszZlZ1dXIrYks1VWFVRjhUbEx2Y1FHa1Arckd0WDRiQUpGTWJBcTF3Y25FQ3R6ZGVERHJnSlIKMGUvNWJhdXQwSS9YS0ticG9oYjNvWVhtUmR5eG9WVGE3akY1bk11ajBsd25kUTcwYTF1ZGkzMGNpYkdTWHZMagpVeGltL3ByYjUrV3ZPdjN4UnhlbDZHYmptUW1RMVBHeHVLcmx3b1ZKRnlWTjl3QmExajBDelJDcURnTFRwQWw0CjhLVWlDY2V1VUZQcmdZaW9vSVhyVExlWmxVbFVVV3FHSDBJbGFKeVUyQ05iNWJtZWM1TnZ4RDlaakFoYytucmgKRS80VzkxajdQMFVyQnp4am9NUTRlKzBPZDhmQnBvSDAwbm4xUXdJREFRQUJBb0lCQUE2RmxEK21Ed3gyM1pJRAoxSGJBbHBuQ0IwaEhvbFJVK0Q5OC96d3k5ZlplaU00VWVCTUcyTjFweE1HTWIweStqeWU4UkVJaXJNSGRsbDRECllvNEF3bmUwODZCRUp3TG81cG4vOVl2RjhqelFla1ZNLzkrZm9nRGlmUVUvZWdIMm5NZzR4bHlQNUhOWXdicmEKQ25SNVNoQlRQQzdRQWJOa0hRTFU3bUwrUHowZUlXaG9KWVRoUUpkU0g3RDB0K1QwZzVVNDdPam5qbXJaTWwxaApHOE1IUHhKMk5WU1l2N0dobnpjblZvcVVxYzlxeldXRDZXZERtV1BPNGJ1K2p0b2E2U2o4cjJtb0RRZ1A5YXNhCm93RUFJbHBmbVkxYUx2dENwWG4rejRTTWJKcHRXMlVvaktGa2dkYm9jZmtXYWdtSGZRa2xmS0dBQ0hibU9ZV24KeDRCbTU3a0NnWUVBN1dXaXJDZnBRR01hR3A2WWxMQlVUc1VJSXJOclF4UmtuRlc3dFVYd0NqWFZ5SDlTR3FqNgphTkNhYzZpaks3QVNBYXlxY1JQRjFPY2gyNmxpVmRKUHNuRGxwUjhEVXB2TzRVOVRzSTJyZ1lZYzNrSWkzVGFKClgzV0Vic1Z6Nk45WXFPSXlnVnZiTEhLS0F4Uyt4b1Z2SjkzQmdWRHN5SkxRdmhrM3VubXk3M2tDZ1lFQTNINnYKeUhOKzllOVAyOS9zMVY1eWZxSjdvdVdKV0lBTHFDYm9zOTRRSVdPSG5HRUtSSGkydWIzR0d6U2tRSzN1eTUrdQo4M0txaFJOejRVMkdOK1pLaFE0NHhNVmV4TUVvZzJVU3lTaVZ0cFdqWXBwT2Q1NnVaMzRWaFU2TWRNZS9zT0JnCnNoei84MUxUSis2cHdFZE9wV2tPVlRaMXJISlZXQmdtVk5qWjc1c0NnWUVBNVd5YjBaU2dyMEVYTVRLa2NzNFcKTENudXV0cDZodEZtaWsrd29IZCtpOStMUThFSU1BdXVOUzJrbHJJYlAxVmhrWXkxQzZMNFJkRTV2M2ZyT05XUApmL3ZyYzdDTkhZREdacWlyVUswWldvdXB5b0pQLzBsOWFXdkJHT3hxSUZ2NDZ2M3ZvV1NNWkdBdFVOenpvaGZDClhOeks3WmF2dndka0JOT0tNQVQ5RU1FQ2dZRUF3NEhaWDRWNUo1d2dWVGVDQ2RjSzhsb2tBbFpBcUNZeEw5SUEKTjZ4STVUSVpSb0dNMXhXcC81dlRrci9rZkMwOU5YUExiclZYbVZPY1JrTzFKTStmZDhjYWN1OEdqck11dHdMaAoyMWVQR0N3cWlQMkZZZTlqZVFTRkZJU0hhZXpMZll3V2NSZmhvdURudGRxYXpaRHNuU0kvd1RMZXVCOVFxU0lRCnF0NzByczBDZ1lCQ2lzV0VKdXpQUUlJNzVTVkU4UnJFZGtUeUdhOEVBOHltcStMdDVLRDhPYk80Q2JHYVFlWXkKWFpjSHVyOFg2cW1lWHZVU3MwMHBMMUdnTlJ3WCtSUjNMVDhXTm9vc0NqVDlEUW9GOFZveEtseDROVTRoUGlrTQpBc0w1RS9wYnVLeXkvSU5LTnQyT3ZPZmJYVitlTXZQdGs5c1dORjNyRTBYcU15TW9maG9NaVE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=";
+
+  snakeOilRsaPrivateKeyBase64 = pkgs.writeText "rs256.pkcs1.b64" snakeOilRsaPrivateKeyBase64Text;
+in {
+  inherit snakeOilRsaPrivateKeyBase64 snakeOilRsaPrivateKeyBase64Text;
+}

integration-tests/default.nix

@@ -22,17 +22,20 @@ let
     matrix = {
       database = [ "sqlite" "postgres" ];
       storage = [ "local" "minio" ];
+      token = [ "environmentFile" "loadCredentialEncrypted" "setCredential" ];
     };
-  in builtins.listToAttrs (map (e: {
-    name = "basic-${e.database}-${e.storage}";
-    value = runTest {
+  in builtins.listToAttrs (map (e: let
+    test = runTest {
       imports = [
         ./basic
         {
-          inherit (e) database storage;
+          inherit (e) database storage token;
         }
       ];
     };
+  in {
+    inherit (test) name;
+    value = test;
   }) (lib.cartesianProduct matrix));
 in {
 } // basicTests