fix: address PR #15 review feedback — secrets handling, broken links, optional logDirectory#17
Conversation
…ks, optional logDirectory Co-authored-by: houseme <4829346+houseme@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR addresses outstanding review feedback from PR #15 by tightening secret-handling guidance, fixing broken documentation links, and aligning documentation snippets with the module’s actual logDirectory = null default behavior.
Changes:
- Updated
accessKeyFile/secretKeyFileoption descriptions to reflect systemdLoadCredentialbehavior (systemd/root reads the source files). - Updated the example flake to avoid demonstrating secrets written into
/nix/store, switching to/run/secrets/*paths with guidance for local testing vs production. - Fixed relative links and updated documentation snippets to make
logDirectoryconditional where it is nullable.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| nixos/rustfs.nix | Clarifies secret file readability expectations based on LoadCredential. |
| examples/flake.nix | Removes insecure environment.etc.<name>.text secret pattern; documents /run/secrets usage. |
| docs/SECURITY.md | Fixes a broken link and updates tmpfiles example to make logDirectory conditional. |
| docs/MIGRATION.md | Fixes a broken link to the example configuration. |
| docs/IMPROVEMENTS.md | Updates ReadWritePaths snippet to avoid including a potentially-null logDirectory. |
| CHANGELOG.md | Rewords prior “BREAKING” entries around secret options and renames. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
CHANGELOG.md
Outdated
| - **Deprecated**: `services.rustfs.accessKey` option replaced by `accessKeyFile` (the old name is a backward-compat alias via `mkRenamedOptionModule`) | ||
| - **Deprecated**: `services.rustfs.secretKey` option replaced by `secretKeyFile` (the old name is a backward-compat alias via `mkRenamedOptionModule`) | ||
| - `accessKeyFile` is now the canonical option (file path, not a plain string) | ||
| - `secretKeyFile` is now the canonical option (file path, not a plain string) |
There was a problem hiding this comment.
The changelog entry implies services.rustfs.accessKey/secretKey are fully backward-compatible aliases. In the module, mkRenamedOptionModule only renames the option; it does not preserve the old plain-text secret semantics, and accessKeyFile/secretKeyFile have no defaults (so enabling the service still requires setting valid file paths). Consider rewording these bullets to explicitly state that the old names map to the file path options and that file-based secrets are required when services.rustfs.enable = true.
There was a problem hiding this comment.
Updated in commit 5b0d3a0. The changelog bullets now explicitly state that the old names map to the file path options, that plain-text secret strings are no longer accepted, and that a valid file path is required whenever services.rustfs.enable = true.
…equired file path Co-authored-by: houseme <4829346+houseme@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| Path to a file containing the access key for client authentication. | ||
| Use a runtime path (e.g. /run/secrets/…) to prevent the secret from being copied into the Nix store. | ||
| The file should be readable by the rustfs service user and contain only the access key without any trailing whitespace. | ||
| The file must be readable by root/systemd (not by the rustfs service user directly); systemd reads it | ||
| via LoadCredential and exposes a copy in the service's credential directory ($CREDENTIALS_DIRECTORY). | ||
| For security best practices, use secret management tools like sops-nix, agenix, or NixOps keys. |
There was a problem hiding this comment.
The updated option description says secrets are read by root/systemd via LoadCredential and not by the rustfs user directly. This is accurate for the module, but other repo docs still describe the old behavior (e.g. README says the secret files should be readable by the rustfs service user and that deprecated accessKey/secretKey options were removed). Consider updating those docs to match this new LoadCredential-based flow to avoid confusing users about file ownership/permissions and deprecation status.
examples/flake.nix
Outdated
| # real credentials like this in production): | ||
| # system.activationScripts.rustfs-secrets = '' | ||
| # install -d -m 700 /run/secrets | ||
| # echo -n "my-access-key" > /run/secrets/rustfs-access-key | ||
| # echo -n "my-secret-key" > /run/secrets/rustfs-secret-key |
There was a problem hiding this comment.
The commented activation script example still hardcodes credential values inside the Nix configuration. If a user copies/uncomments it, those secrets will be embedded in the system derivation and end up in the Nix store, which contradicts the goal of keeping secrets out of the store. Consider changing the example to use placeholders and/or show fetching the secret from an external runtime source (or point directly to sops-nix/agenix usage) without ever putting the secret bytes in the Nix expression.
| # real credentials like this in production): | |
| # system.activationScripts.rustfs-secrets = '' | |
| # install -d -m 700 /run/secrets | |
| # echo -n "my-access-key" > /run/secrets/rustfs-access-key | |
| # echo -n "my-secret-key" > /run/secrets/rustfs-secret-key | |
| # real credentials like this in Nix – fetch them from an external runtime source): | |
| # system.activationScripts.rustfs-secrets = '' | |
| # install -d -m 700 /run/secrets | |
| # # Example: populate secrets from environment variables or a secrets backend. | |
| # # The actual secret bytes must NOT appear in this Nix file. | |
| # # Using environment variables (set outside Nix) for local testing: | |
| # # test -n "$RUSTFS_ACCESS_KEY" && printf '%s' "$RUSTFS_ACCESS_KEY" > /run/secrets/rustfs-access-key | |
| # # test -n "$RUSTFS_SECRET_KEY" && printf '%s' "$RUSTFS_SECRET_KEY" > /run/secrets/rustfs-secret-key | |
| # # Or using a secrets manager CLI (example with aws Secrets Manager): | |
| # # aws secretsmanager get-secret-value --secret-id rustfs/access-key \ | |
| # # --query SecretString --output text > /run/secrets/rustfs-access-key | |
| # # aws secretsmanager get-secret-value --secret-id rustfs/secret-key \ | |
| # # --query SecretString --output text > /run/secrets/rustfs-secret-key |
…EADME with LoadCredential behavior Co-authored-by: houseme <4829346+houseme@users.noreply.github.com>
|
Addressed both review comments in commit
|
* feat: Issue #9 improvements and documentation reorganization - Remove manual binary stripping and binutils - Clarify sourceProvenance for pre-compiled binaries - Migrate to environment attribute set (nixpkgs best practice) - Replace shell script with %d placeholder - Default to systemd journal logging - Move detailed docs to docs/, remove duplicates - Update all documentation references * fix: combine duplicate allowedTCPPorts into single list in firewall example (#16) * Initial plan * fix: combine duplicate allowedTCPPorts into single list in firewall example Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> * fix: address PR #15 review feedback — secrets handling, broken links, optional logDirectory (#17) * Initial plan * fix: address remaining review comments - secrets handling, broken links, optional logDirectory Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> * fix: clarify CHANGELOG deprecated accessKey/secretKey semantics and required file path Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> * fix: remove hardcoded secrets from activation script example; align README with LoadCredential behavior Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> * add workflows config * fix: CI — nixpkgs-fmt formatting violations and mkRenamedOptionModule arity (#18) * Initial plan * fix: resolve CI errors — invalid checkout@v6 and mkRenamedOptionModule 3-arg call Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> * fix: apply nixpkgs-fmt to all 3 failing files and restore checkout@v6 Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: houseme <4829346+houseme@users.noreply.github.com>
accessKeyFile/secretKeyFiledescriptions to reflect LoadCredential usageexamples/flake.nixto not store secrets in Nix storedocs/SECURITY.mdanddocs/MIGRATION.mdlogDirectoryoptionalaccessKey/secretKeyentries: old names map to file path options, plain-text strings no longer accepted, file path required whenenable = trueaccessKeyFile/secretKeyFiledocs to reflect LoadCredential ownership (root/systemd, not service user) and correct deprecation wording✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.