From dc8db5fbeed811a5703ddfd000d4dc6aaebe6346 Mon Sep 17 00:00:00 2001
From: Sebastien Bourdeauducq
Date: Sat, 13 Aug 2022 11:43:01 +0800
Subject: [PATCH] rfq: do not write email password to the Nix store
---
 nixbld-etc-nixos/rfq/src/rfq/__init__.py | 9 ++++++++-
 nixbld-etc-nixos/rfq/uwsgi-config.nix | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/nixbld-etc-nixos/rfq/src/rfq/__init__.py b/nixbld-etc-nixos/rfq/src/rfq/__init__.py
index 35734cff..aa3a58ff 100644
--- a/nixbld-etc-nixos/rfq/src/rfq/__init__.py
+++ b/nixbld-etc-nixos/rfq/src/rfq/__init__.py
@@ -14,6 +14,13 @@ from werkzeug.middleware.proxy_fix import ProxyFix
 load_dotenv()
+mail_password_file = getenv("FLASK_MAIL_PASSWORD_FILE")
+if mail_password_file is not None:
+ with open(mail_password_file, "r") as f:
+ mail_password = f.read().strip()
+else:
+ mail_password = None
+
 app = Flask(__name__)
 app.config.update(
 DEBUG=getenv("FLASK_DEBUG") == "True",
@@ -22,7 +29,7 @@ app.config.update(
 MAIL_USE_SSL=getenv("FLASK_MAIL_USE_SSL"),
 MAIL_DEBUG=False,
 MAIL_USERNAME=getenv("FLASK_MAIL_USERNAME"),
- MAIL_PASSWORD=getenv("FLASK_MAIL_PASSWORD"),
+ MAIL_PASSWORD=mail_password,
 MAIL_RECIPIENT=getenv("FLASK_MAIL_RECIPIENT"),
 MAIL_SENDER=getenv("FLASK_MAIL_SENDER")
 )
diff --git a/nixbld-etc-nixos/rfq/uwsgi-config.nix b/nixbld-etc-nixos/rfq/uwsgi-config.nix
index 68093da6..edec3f6c 100644
--- a/nixbld-etc-nixos/rfq/uwsgi-config.nix
+++ b/nixbld-etc-nixos/rfq/uwsgi-config.nix
@@ -11,7 +11,7 @@ in {
 "FLASK_MAIL_PORT=465"
 "FLASK_MAIL_USE_SSL=True"
 "FLASK_MAIL_USERNAME=sysop@m-labs.hk"
- "FLASK_MAIL_PASSWORD=${import /etc/nixos/secret/sysop_password.nix}"
+ "FLASK_MAIL_PASSWORD_FILE=/etc/nixos/secret/rfqpassword"
 "FLASK_MAIL_RECIPIENT=sales@m-labs.hk"
 "FLASK_MAIL_SENDER=sysop@m-labs.hk"
 ];
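Review bot: When `FLASK_MAIL_PASSWORD_FILE` is unset, the `else` branch sets `mail_password = None` and the app starts with no SMTP credential, so a deployment that still supplies `FLASK_MAIL_PASSWORD` (for example through the `.env` that `load_dotenv()` reads) is silently left without a password and fails only at the first send. If mail is mandatory, failing at startup is clearer: `raise RuntimeError("FLASK_MAIL_PASSWORD_FILE is not set")`. Also, `f.read().strip()` removes all leading and trailing whitespace, which would alter a password that legitimately begins or ends with a space; `f.read().rstrip("\r\n")` drops only the line ending. A comment above the block, such as `# Read the SMTP password from a file so the secret is not embedded in the uWSGI config in the Nix store`, would record why the indirection exists.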
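Review bot: The value on the `FLASK_MAIL_PASSWORD_FILE` line must stay a quoted string, and that deserves a comment: `# Keep this path inside a string; a Nix path literal or interpolation would copy the secret file into the world-readable store`. The hunk does not show the ownership or mode of `/etc/nixos/secret/rfqpassword`; it presumably needs to be readable by the uWSGI service user only, which is worth confirming. Since the removed line interpolated the password into the generated config, the old value likely remains in existing store paths until they are garbage-collected, so rotating that password is advisable. The attribute set continues outside the hunk.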