security: add connectionStringFile option for PostgreSQL secrets

The connectionString option stores credentials in the world-readable
Nix store. This adds connectionStringFile as an alternative that reads
the connection string from a file at runtime, compatible with secret
management tools like agenix or sops-nix.

Changes:
- Add database.connectionStringFile option (mutually exclusive with connectionString)
- Read connection string from file at service start when configured
- Add warning to connectionString documentation about Nix store visibility
- Update README with examples for both approaches

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 19:13:20 +01:00
parent f0adc9efbe
commit cc369e6385
2 changed files with 80 additions and 11 deletions


@@ -181,7 +181,8 @@ A NixOS module is provided for running the MCP server as a systemd service.
| `package` | package | from flake | Package to use |
| `database.type` | enum | `"sqlite"` | `"sqlite"` or `"postgres"` |
| `database.name` | string | `"nixos-options.db"` | SQLite database filename |
| `database.connectionString` | string | `""` | PostgreSQL connection URL |
| `database.connectionString` | string | `""` | PostgreSQL connection URL (stored in Nix store) |
| `database.connectionStringFile` | path | `null` | Path to file with PostgreSQL connection URL (recommended for secrets) |
| `indexOnStart` | list of string | `[]` | Revisions to index on service start |
| `user` | string | `"nixos-options-mcp"` | User to run the service as |
| `group` | string | `"nixos-options-mcp"` | Group to run the service as |
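Review bot: the new `database.connectionStringFile` row does not say that it is mutually exclusive with `database.connectionString`, although the commit message states it is; the table is the first place a user looks, so append that to the description, e.g. `Path to file with PostgreSQL connection URL (recommended for secrets; cannot be combined with connectionString)`. It would also help to state there that the file must be readable by the `user` the service runs as (`nixos-options-mcp` by default), since the file is read at service start rather than at build time.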
@@ -189,6 +190,8 @@ A NixOS module is provided for running the MCP server as a systemd service.
### PostgreSQL Example
Using `connectionString` (stored in Nix store - suitable for testing or non-sensitive setups):
```nix
{
services.nixos-options-mcp = {
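Review bot: the lead-in for the first example only says "stored in Nix store", which understates the risk the commit message describes; say explicitly that the Nix store is world-readable, e.g. `(stored in the world-readable Nix store - suitable for testing or non-sensitive setups only)`. With two examples under it, the heading should also read `### PostgreSQL Examples`.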
@@ -202,6 +205,25 @@ A NixOS module is provided for running the MCP server as a systemd service.
}
```
Using `connectionStringFile` (recommended for production with sensitive credentials):
```nix
{
services.nixos-options-mcp = {
enable = true;
database = {
type = "postgres";
# File contains: postgres://user:secret@localhost/nixos_options?sslmode=disable
connectionStringFile = "/run/secrets/nixos-options-db";
};
indexOnStart = [ "nixos-unstable" ];
};
# Example with agenix or sops-nix for secret management
# age.secrets.nixos-options-db.file = ./secrets/nixos-options-db.age;
}
```
## Development
```bash
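Review bot: the secret-management example is incomplete in two ways that will bite a user copying it. First, the service runs as the `user` from the option table (`nixos-options-mcp` by default), but the commented `age.secrets.nixos-options-db.file = ...` line sets only `file`; show the ownership too, e.g. `age.secrets.nixos-options-db = { file = ./secrets/nixos-options-db.age; owner = "nixos-options-mcp"; };`, otherwise the secret is deployed readable only by root and the service fails to read it at start. Second, the `connectionStringFile` value is `/run/secrets/nixos-options-db`, which is the sops-nix default location, while the commented line uses agenix syntax; agenix places secrets under `/run/agenix/` unless `path` is set, so either set `path` in the example or use one tool consistently. Finally, the example connection string in the comment carries `sslmode=disable`; for an example whose purpose is protecting credentials, prefer `sslmode=require` or note that `disable` is only acceptable for a local socket or loopback connection.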