NixOS · symphorien · May 27, 2022 · May 27, 2022 · May 27, 2022 · May 27, 2022
diff --git a/lib/types.nix b/lib/types.nix
@@ -56,6 +56,7 @@ let
     concatStringsSep
     escapeNixString
     isCoercibleToString
+    hasPrefix
     ;
   inherit (lib.trivial)
     boolToString
@@ -395,6 +396,30 @@ rec {
       merge = mergeEqualOption;
     };
 
+    secretFile = let
+      type = mkOptionType {
+        name = "secretFile";
+        description = "quoted path to a secret file";
+        # either the return value of makeWorldReadable or a proper string. We
+        # deliberately refuse paths, because toString x and "${x}" behave
+        # differently. Some modules might handle paths correctly, others will
+        # not, and anyway users can either quote the path or use makeWorldReadable.
+        check = x: ((isCoercibleToString x && (x.canBePublic or false)) || (isString x && !(hasPrefix "/nix/store" x))) && (hasPrefix "/" "${x}");
+        merge = mergeEqualOption;
+      };
+      makeWorldReadable = path:
+        # to make "${returnValue}" work, but still being able to store an attribute in it
+        if lib.isAttrs path then
+          path // { canBePublic = true; }
+        else
+          let res = {
+            toString = _: "${path}";
+            canBePublic = true;
+          };
+        in res;
+    in
+      type // { inherit makeWorldReadable; };
+
     listOf = elemType: mkOptionType rec {
       name = "listOf";
       description = "list of ${elemType.description}";

diff --git a/nixos/doc/manual/development/option-types.section.md b/nixos/doc/manual/development/option-types.section.md
@@ -20,6 +20,23 @@ merging is handled.
     coerced to a string. Even if derivations can be considered as
     paths, the more specific `types.package` should be preferred.
 
+`types.secretFile`
+
+:   A string representing a filesystem path (starting with "/") to a file which
+    is supposed to remain secret.
+    Depending on how the module is implemented, setting an option of type
+    `types.path` to the literal value `/etc/secret_file` can make nix copy the
+    secret file at `nixos-rebuild` time to the store and thus make it world
+    readable. To avoid this behavior, it is enough to quote the path:
+    `"/etc/secret_file"`. This solution is simple, but it is easy to forget
+    about it. `types.secretFile` is design to prevent such mistakes.
+    Compared to `types.path`, this type adds further restrictions:
+    - only strings (as opposed to unquoted paths) are accepted as input.
+    - the string must not start by `/nix/store/`.
+    To bypass these restrictions you can pass the value to the function
+    `types.secretFile.makeWorldReadable`. This can be useful when writing NixOS
+    tests, as in this case the secret file is only an example value.
+
 `types.package`
 
 :   A top-level store path. This can be an attribute set pointing

diff --git a/nixos/doc/manual/from_md/development/option-types.section.xml b/nixos/doc/manual/from_md/development/option-types.section.xml
@@ -37,6 +37,46 @@
           </para>
         </listitem>
       </varlistentry>
+      <varlistentry>
+        <term>
+          <literal>types.secretFile</literal>
+        </term>
+        <listitem>
+          <para>
+            A string representing a filesystem path (starting with
+            <quote>/</quote>) to a file which is supposed to remain
+            secret. Depending on how the module is implemented, setting
+            an option of type <literal>types.path</literal> to the
+            literal value <literal>/etc/secret_file</literal> can make
+            nix copy the secret file at <literal>nixos-rebuild</literal>
+            time to the store and thus make it world readable. To avoid
+            this behavior, it is enough to quote the path:
+            <literal>&quot;/etc/secret_file&quot;</literal>. This
+            solution is simple, but it is easy to forget about it.
+            <literal>types.secretFile</literal> is design to prevent
+            such mistakes. Compared to <literal>types.path</literal>,
+            this type adds further restrictions:
+          </para>
+          <itemizedlist spacing="compact">
+            <listitem>
+              <para>
+                only strings (as opposed to unquoted paths) are accepted
+                as input.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                the string must not start by
+                <literal>/nix/store/</literal>. To bypass these
+                restrictions you can pass the value to the function
+                <literal>types.secretFile.makeWorldReadable</literal>.
+                This can be useful when writing NixOS tests, as in this
+                case the secret file is only an example value.
+              </para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
       <varlistentry>
         <term>
           <literal>types.package</literal>

diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -36,6 +36,36 @@
           PHP now defaults to PHP 8.1, updated from 8.0.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The NixOS module system now has a type
+          <literal>secretFile</literal> for options which contain the
+          path to a file that should remain secret. This is to avoid
+          mistakes where one writes
+          <literal>services.miniflux.adminCredentialsFile = /etc/secret</literal>
+          instead of
+          <literal>services.miniflux.adminCredentialsFile = &quot;/etc/secret&quot;;</literal>
+          which makes nix copy <literal>/etc/secret</literal> to the
+          store where everyone could read it. A number of modules have
+          been converted to use it. This is a breaking change visible by
+          an error message like this:
+        </para>
+        <programlisting>
+error: A definition for option `services.miniflux.adminCredentialsFile' is not of type `quoted path to a secret file'. Definition values:
+     - In `nixos/lib/build-vms.nix': /etc/secret
+</programlisting>
+        <para>
+          To fix the issue you must assess whether leaking
+          <literal>/etc/secret</literal> to the store and thus all local
+          users is a problem. If it is the case, then add quotes:
+          <literal>services.miniflux.adminCredentialsFile = &quot;/etc/secrets&quot;</literal>.
+          If you notice this during upgrade, your secret probably has
+          already leaked and it may be a good time to change it. If
+          leaking this file is acceptable (for example in a NixOS test),
+          you can keep the old behavior like this:
+          <literal>services.miniflux.adminCredentialsFile = lib.types.secretFile.makeWorldReadable /etc/secret</literal>.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-22.11-new-services">

diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -19,6 +19,25 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - PHP now defaults to PHP 8.1, updated from 8.0.
 
+- The NixOS module system now has a type `secretFile` for options which contain
+  the path to a file that should remain secret. This is to avoid mistakes where
+  one writes `services.miniflux.adminCredentialsFile = /etc/secret` instead of
+  `services.miniflux.adminCredentialsFile = "/etc/secret";` which makes nix
+  copy `/etc/secret` to the store where everyone could read it. A number of
+  modules have been converted to use it. This is a breaking change visible by
+  an error message like this:
+  ```
+  error: A definition for option `services.miniflux.adminCredentialsFile' is not of type `quoted path to a secret file'. Definition values:
+       - In `nixos/lib/build-vms.nix': /etc/secret
+  ```
+  To fix the issue you must assess whether leaking `/etc/secret` to the store
+  and thus all local users is a problem. If it is the case, then add quotes:
+  `services.miniflux.adminCredentialsFile = "/etc/secrets"`. If you notice this
+  during upgrade, your secret probably has already leaked and it may be a good
+  time to change it. If leaking this file is acceptable (for example in a NixOS
+  test), you can keep the old behavior like this:
+  `services.miniflux.adminCredentialsFile = lib.types.secretFile.makeWorldReadable /etc/secret`.
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## New Services {#sec-release-22.11-new-services}

diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
@@ -554,7 +554,7 @@ let
       };
 
       credentialsFile = mkOption {
-        type = types.path;
+        type = types.secretFile;
         inherit (defaultAndText "credentialsFile" null) default defaultText;
         description = ''
           Path to an EnvironmentFile for the cert's service containing any required and

diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix
@@ -48,7 +48,7 @@ in {
       };
 
       keyFiles = mkOption {
-        type = types.listOf types.path;
+        type = types.listOf types.secretFile;
         default = [];
         description = ''
           A list of files containing additional configuration

diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix
@@ -40,7 +40,7 @@ in
       };
 
       adminCredentialsFile = mkOption  {
-        type = types.path;
+        type = types.secretFile;
         description = ''
           File containing the ADMIN_USERNAME and
           ADMIN_PASSWORD (length >= 6) in the format of

diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
@@ -18,12 +18,12 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: let
   dnsConfig = nodes: {
     dnsProvider = "exec";
     dnsPropagationCheck = false;
-    credentialsFile = pkgs.writeText "wildcard.env" ''
+    credentialsFile = lib.types.secretFile.makeWorldReadable (pkgs.writeText "wildcard.env" ''
       EXEC_PATH=${dnsScript nodes}
       EXEC_POLLING_INTERVAL=1
       EXEC_PROPAGATION_TIMEOUT=1
       EXEC_SEQUENCE_INTERVAL=1
-    '';
+    '');
   };
 
   documentRoot = pkgs.runCommand "docroot" {} ''

diff --git a/nixos/tests/knot.nix b/nixos/tests/knot.nix
@@ -29,12 +29,12 @@ let
     paths = [ exampleZone delegatedZone ];
   };
   # DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store!
-  tsigFile = pkgs.writeText "tsig.conf" ''
+  tsigFile = lib.types.secretFile.makeWorldReadable (pkgs.writeText "tsig.conf" ''
     key:
       - id: slave_key
         algorithm: hmac-sha256
         secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s=
-  '';
+  '');
 in {
   name = "knot";
   meta = with pkgs.lib.maintainers; {

diff --git a/nixos/tests/miniflux.nix b/nixos/tests/miniflux.nix
@@ -7,14 +7,14 @@ let
   defaultPort = 8080;
   defaultUsername = "admin";
   defaultPassword = "password";
-  adminCredentialsFile = pkgs.writeText "admin-credentials" ''
+  adminCredentialsFile = lib.types.secretFile.makeWorldReadable (pkgs.writeText "admin-credentials" ''
             ADMIN_USERNAME=${defaultUsername}
             ADMIN_PASSWORD=${defaultPassword}
-          '';
-  customAdminCredentialsFile = pkgs.writeText "admin-credentials" ''
+          '');
+  customAdminCredentialsFile = lib.types.secretFile.makeWorldReadable (pkgs.writeText "admin-credentials" ''
             ADMIN_USERNAME=${username}
             ADMIN_PASSWORD=${password}
-          '';
+          '');
 
 in
 with lib;