digitallyinduced · mpscholten · Nov 12, 2024
diff --git a/IHP/Server.hs b/IHP/Server.hs
@@ -110,11 +110,17 @@ initSessionMiddleware FrameworkConfig { sessionCookie } = do
     let path = "Config/client_session_key.aes"
 
     hasSessionSecretEnvVar <- EnvVar.hasEnvVar "IHP_SESSION_SECRET"
+    hasSessionSecretFileEnvVar <- EnvVar.hasEnvVar "IHP_SESSION_SECRET_FILE"
     doesConfigDirectoryExist <- Directory.doesDirectoryExist "Config"
     store <- clientsessionStore <$>
-            if hasSessionSecretEnvVar || not doesConfigDirectoryExist
-                then ClientSession.getKeyEnv "IHP_SESSION_SECRET"
-                else ClientSession.getKey path
+            if hasSessionSecretFileEnvVar
+                then do
+                    path <- EnvVar.env "IHP_SESSION_SECRET_FILE"
+                    ClientSession.getKey path
+                else
+                    if hasSessionSecretEnvVar || not doesConfigDirectoryExist
+                        then ClientSession.getKeyEnv "IHP_SESSION_SECRET"
+                        else ClientSession.getKey path
     let sessionMiddleware :: Middleware = withSession store "SESSION" sessionCookie sessionVaultKey
     pure sessionMiddleware
 

diff --git a/NixSupport/nixosModules/app.nix b/NixSupport/nixosModules/app.nix
@@ -9,6 +9,7 @@ in
         ihp.nixosModules.services_app
         ihp.nixosModules.services_worker
         ihp.nixosModules.services_migrate
+        ihp.nixosModules.services_appKeygen
     ];
 
     # Pin the nixpkgs to the IHP nixpkgs

diff --git a/NixSupport/nixosModules/options.nix b/NixSupport/nixosModules/options.nix
@@ -68,6 +68,21 @@ with lib;
 
         sessionSecret = mkOption {
             type = types.str;
+            descriptiom = ''
+                It's recommended to use sessionSecretFile instead
+            '';
+        };
+
+        sessionSecretFile = mkOption {
+            type = types.path;
+            default = "/var/ihp/session.aes";
+            descriptiom = ''
+                The session secret is stored here.
+
+                If the file doesn't exists, the service will generate a new key automatically.
+
+                When the key changes all users need to relogin.
+            '';
         };
 
         additionalEnvVars = mkOption {

diff --git a/NixSupport/nixosModules/services/app-keygen.nix b/NixSupport/nixosModules/services/app-keygen.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, modulesPath, lib, self, ... }:
+let
+    cfg = config.services.ihp;
+    openssl = "${pkgs.openssl}/bin/openssl";
+    base64 = "${pkgs.coreutils}/bin/base64";
+in
+{
+    systemd.services.app-keygen = {
+        description = "App Session Key Generation";
+        wantedBy = [ "multi-user.target" ];
+        before = [ "app.service" ];
+        script = ''
+            mkdir -p "$(dirname "${cfg.sessionSecretFile}")"
+
+            if [ -n "${cfg.sessionSecret or ""}" ]; then
+                # If sessionSecret is set, decode and write it to the file
+                echo "${cfg.sessionSecret}" | ${base64} -d > "${cfg.sessionSecretFile}"
+            elif [ ! -f "${cfg.sessionSecretFile}" ]; then
+                # If sessionSecret is not set, generate a new secret
+                ${openssl} rand 96 > "${cfg.sessionSecretFile}"
+            fi
+
+            chmod 600 "${cfg.sessionSecretFile}"
+        '';
+        serviceConfig.Type = "oneshot";
+    };
+}
diff --git a/NixSupport/nixosModules/services/app.nix b/NixSupport/nixosModules/services/app.nix
@@ -6,7 +6,7 @@ in
     systemd.services.app = {
         description = "IHP App";
         enable = true;
-        after = [ "network.target" ];
+        after = [ "network.target" "app-keygen.service" ];
         wantedBy = [ "multi-user.target" ];
         serviceConfig = {
             Type = "simple";
@@ -22,7 +22,7 @@ in
                     IHP_BASEURL = cfg.baseUrl;
                     IHP_REQUEST_LOGGER_IP_ADDR_SOURCE = cfg.requestLoggerIPAddrSource;
                     DATABASE_URL = cfg.databaseUrl;
-                    IHP_SESSION_SECRET = cfg.sessionSecret;
+                    IHP_SESSION_SECRET_FILE = cfg.sessionSecretFile;
                     GHCRTS = cfg.rtsFlags;
                 };
             in

diff --git a/NixSupport/nixosModules/services/worker.nix b/NixSupport/nixosModules/services/worker.nix
@@ -5,7 +5,7 @@ in
 {
     systemd.services.worker = {
         enable = true;
-        after = [ "network.target" ];
+        after = [ "network.target" "app-keygen.service" ];
         wantedBy = [ "multi-user.target" ];
         serviceConfig = {
             Type = "simple";
@@ -21,7 +21,7 @@ in
                     IHP_BASEURL = cfg.baseUrl;
                     IHP_REQUEST_LOGGER_IP_ADDR_SOURCE = cfg.requestLoggerIPAddrSource;
                     DATABASE_URL = cfg.databaseUrl;
-                    IHP_SESSION_SECRET = cfg.sessionSecret;
+                    IHP_SESSION_SECRET_FILE = cfg.sessionSecretFile;
                     GHCRTS = cfg.rtsFlags;
                 };
             in

diff --git a/flake.nix b/flake.nix
@@ -47,6 +47,7 @@
                     services_worker = ./NixSupport/nixosModules/services/worker.nix;
                     services_migrate = ./NixSupport/nixosModules/services/migrate.nix;
                     services_loadSchema = ./NixSupport/nixosModules/services/loadSchema.nix;
+                    services_appKeygen = ./NixSupport/nixosModules/services/app-keygen.nix;
                     options = ./NixSupport/nixosModules/options.nix;
                     binaryCache = ./NixSupport/nixosModules/binaryCache.nix;
                 };