From 41a360ce2af69f1fbb7f9f53506794794c858f11 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Thu, 16 Jan 2025 15:21:34 +0100 Subject: core.configmanager: Add function for getting secrets from separate files Idea is to enable easily retrieving of secret values from files outside of the config, e.g. via the method used by systemd credentials. CREDENTIALS_DIRECTORY is expected to be set by the process manager invoking Prosody, so being unset and unavailable from prosodyctl is going to be normal and a warning is reported in that case. Care will have to be taken to make it clear that prosodyctl check will not work with such values. An error is thrown if the directory is unavailable when running under Prosody. --- core/configmanager.lua | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'core') diff --git a/core/configmanager.lua b/core/configmanager.lua index 37a01a84..922ff05f 100644 --- a/core/configmanager.lua +++ b/core/configmanager.lua @@ -198,6 +198,7 @@ do FileContents = true, FileLine = true, FileLines = true, + Secret = true, Include = true, include = true, RunScript = true }, { __index = function (_, k) if k:match("^ENV_") then @@ -359,6 +360,19 @@ do env.FileLine = filereader(config_path, "*l"); env.FileLines = linereader(config_path); + if _G.prosody.paths.secrets then + env.Secret = filereader(_G.prosody.paths.secrets, "*a"); + elseif _G.prosody.process_type == "prosody" then + env.Secret = function() error("Secret() requires the $CREDENTIALS_DIRECTORY environment variable to be set", 2) end + else + env.Secret = function() + t_insert(warnings, ("%s:%d: Secret() requires the $CREDENTIALS_DIRECTORY environment variable to be set") + :format(config_file, get_line_number(config_file))); + return nil; + end + + end + local chunk, err = envload(data, "@"..config_file, env); if not chunk then -- cgit v1.2.3