Merge pull request #121299 from Ma27/gitea-umask

nixos/gitea: set umask for secret creation
2021-05-02 00:06:20 +02:00 · 2021-05-02 00:06:20 +02:00 · 040f0acccd
parent 14ed5fe3a0 02c3bd2187
commit 040f0acccd
1 changed files with 37 additions and 35 deletions
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@ -477,47 +477,49 @@ in
      in ''
        # copy custom configuration and generate a random secret key if needed
        ${optionalString (cfg.useWizard == false) ''
-          cp -f ${configFile} ${runConfig}
+          function gitea_setup {
+            cp -f ${configFile} ${runConfig}

-          if [ ! -e ${secretKey} ]; then
-              ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
-          fi
+            if [ ! -e ${secretKey} ]; then
+                ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
+            fi

-          # Migrate LFS_JWT_SECRET filename
-          if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then
-              mv ${oldLfsJwtSecret} ${lfsJwtSecret}
-          fi
+            # Migrate LFS_JWT_SECRET filename
+            if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then
+                mv ${oldLfsJwtSecret} ${lfsJwtSecret}
+            fi

-          if [ ! -e ${oauth2JwtSecret} ]; then
-              ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret}
-          fi
+            if [ ! -e ${oauth2JwtSecret} ]; then
+                ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret}
+            fi

-          if [ ! -e ${lfsJwtSecret} ]; then
-              ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret}
-          fi
+            if [ ! -e ${lfsJwtSecret} ]; then
+                ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret}
+            fi

-          if [ ! -e ${internalToken} ]; then
-              ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
-          fi
+            if [ ! -e ${internalToken} ]; then
+                ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
+            fi

-          SECRETKEY="$(head -n1 ${secretKey})"
-          DBPASS="$(head -n1 ${cfg.database.passwordFile})"
-          OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})"
-          LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})"
-          INTERNALTOKEN="$(head -n1 ${internalToken})"
-          ${if (cfg.mailerPasswordFile == null) then ''
-            MAILERPASSWORD="#mailerpass#"
-          '' else ''
-            MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
-          ''}
-          sed -e "s,#secretkey#,$SECRETKEY,g" \
-              -e "s,#dbpass#,$DBPASS,g" \
-              -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
-              -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
-              -e "s,#internaltoken#,$INTERNALTOKEN,g" \
-              -e "s,#mailerpass#,$MAILERPASSWORD,g" \
-              -i ${runConfig}
-          chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken}
+            SECRETKEY="$(head -n1 ${secretKey})"
+            DBPASS="$(head -n1 ${cfg.database.passwordFile})"
+            OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})"
+            LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})"
+            INTERNALTOKEN="$(head -n1 ${internalToken})"
+            ${if (cfg.mailerPasswordFile == null) then ''
+              MAILERPASSWORD="#mailerpass#"
+            '' else ''
+              MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
+            ''}
+            sed -e "s,#secretkey#,$SECRETKEY,g" \
+                -e "s,#dbpass#,$DBPASS,g" \
+                -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
+                -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
+                -e "s,#internaltoken#,$INTERNALTOKEN,g" \
+                -e "s,#mailerpass#,$MAILERPASSWORD,g" \
+                -i ${runConfig}
+          }
+          (umask 027; gitea_setup)
        ''}

        # update all hooks' binary paths