torjus/labmcp
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: add connectionStringFile option for PostgreSQL secrets

Browse Source 
The connectionString option stores credentials in the world-readable
Nix store. This adds connectionStringFile as an alternative that reads
the connection string from a file at runtime, compatible with secret
management tools like agenix or sops-nix.

Changes:
- Add database.connectionStringFile option (mutually exclusive with connectionString)
- Read connection string from file at service start when configured
- Add warning to connectionString documentation about Nix store visibility
- Update README with examples for both approaches

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Torjus Håkestad
2026-02-03 19:13:20 +01:00
parent f0adc9efbe
commit cc369e6385
2 changed files with 80 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
README.md
View File

@@ -181,7 +181,8 @@ A NixOS module is provided for running the MCP server as a systemd service.
| `package` | package | from flake | Package to use |
| `database.type` | enum | `"sqlite"` | `"sqlite"` or `"postgres"` |
| `database.name` | string | `"nixos-options.db"` | SQLite database filename |
| `database.connectionString` | string | `""` | PostgreSQL connection URL |
| `database.connectionString` | string | `""` | PostgreSQL connection URL (stored in Nix store) |
| `database.connectionStringFile` | path | `null` | Path to file with PostgreSQL connection URL (recommended for secrets) |
| `indexOnStart` | list of string | `[]` | Revisions to index on service start |
| `user` | string | `"nixos-options-mcp"` | User to run the service as |
| `group` | string | `"nixos-options-mcp"` | Group to run the service as |
@@ -189,6 +190,8 @@ A NixOS module is provided for running the MCP server as a systemd service.
### PostgreSQL Example
Using `connectionString` (stored in Nix store - suitable for testing or non-sensitive setups):
```nix
{
services.nixos-options-mcp = {
@@ -202,6 +205,25 @@ A NixOS module is provided for running the MCP server as a systemd service.
}
```
Using `connectionStringFile` (recommended for production with sensitive credentials):
```nix
{
services.nixos-options-mcp = {
enable = true;
database = {
type = "postgres";
# File contains: postgres://user:secret@localhost/nixos_options?sslmode=disable
connectionStringFile = "/run/secrets/nixos-options-db";
};
indexOnStart = [ "nixos-unstable" ];
};
# Example with agenix or sops-nix for secret management
# age.secrets.nixos-options-db.file = ./secrets/nixos-options-db.age;
}
```
## Development
```bash

67
nix/module.nix
View File

@@ -3,8 +3,14 @@
let
cfg = config.services.nixos-options-mcp;
# Determine database URL based on configuration
# For postgres with connectionStringFile, the URL is set at runtime via script
useConnectionStringFile = cfg.database.type == "postgres" && cfg.database.connectionStringFile != null;
databaseUrl = if cfg.database.type == "sqlite"
then "sqlite://${cfg.dataDir}/${cfg.database.name}"
else if useConnectionStringFile
then "" # Will be set at runtime from file
else cfg.database.connectionString;
in
{
@@ -50,8 +56,26 @@ in
description = ''
PostgreSQL connection string (when using postgres backend).
Example: "postgres://user:password@localhost/nixos_options?sslmode=disable"
WARNING: This value will be stored in the Nix store, which is world-readable.
For production use with sensitive credentials, use connectionStringFile instead.
'';
};
connectionStringFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
Path to a file containing the PostgreSQL connection string.
The file should contain just the connection string, e.g.:
postgres://user:password@localhost/nixos_options?sslmode=disable
This is the recommended way to configure PostgreSQL credentials
as the file is not stored in the world-readable Nix store.
The file must be readable by the service user.
'';
example = "/run/secrets/nixos-options-mcp-db";
};
};
indexOnStart = lib.mkOption {
@@ -78,8 +102,14 @@ in
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.database.type == "sqlite" || cfg.database.connectionString != "";
message = "services.nixos-options-mcp.database.connectionString must be set when using postgres backend";
assertion = cfg.database.type == "sqlite"
|| cfg.database.connectionString != ""
|| cfg.database.connectionStringFile != null;
message = "services.nixos-options-mcp.database: when using postgres backend, either connectionString or connectionStringFile must be set";
}
{
assertion = cfg.database.connectionString == "" || cfg.database.connectionStringFile == null;
message = "services.nixos-options-mcp.database: connectionString and connectionStringFile are mutually exclusive";
}
];
@@ -102,22 +132,39 @@ in
after = [ "network.target" ]
++ lib.optional (cfg.database.type == "postgres") "postgresql.service";
environment = {
environment = lib.mkIf (!useConnectionStringFile) {
NIXOS_OPTIONS_DATABASE = databaseUrl;
};
preStart = lib.mkIf (cfg.indexOnStart != [ ]) ''
${lib.concatMapStringsSep "\n" (rev: ''
echo "Indexing revision: ${rev}"
${cfg.package}/bin/nixos-options index "${rev}" || true
'') cfg.indexOnStart}
'';
path = [ cfg.package ];
script = let
indexCommands = lib.optionalString (cfg.indexOnStart != []) ''
${lib.concatMapStringsSep "\n" (rev: ''
echo "Indexing revision: ${rev}"
nixos-options index "${rev}" || true
'') cfg.indexOnStart}
'';
in
if useConnectionStringFile then ''
# Read database connection string from file
if [ ! -f "${cfg.database.connectionStringFile}" ]; then
echo "Error: connectionStringFile not found: ${cfg.database.connectionStringFile}" >&2
exit 1
fi
export NIXOS_OPTIONS_DATABASE="$(cat "${cfg.database.connectionStringFile}")"
${indexCommands}
exec nixos-options serve
'' else ''
${indexCommands}
exec nixos-options serve
'';
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
ExecStart = "${cfg.package}/bin/nixos-options serve";
Restart = "on-failure";
RestartSec = "5s";