Merge pull request #156401 from TLATER/tlater/gitea-hide-secrets
nixos/gitea: Prevent secrets from being exposed at ExecStart time
commit
09f816e976
|
@ -499,6 +499,7 @@ in
|
||||||
oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET
|
oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET
|
||||||
lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET
|
lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET
|
||||||
internalToken = "${cfg.stateDir}/custom/conf/internal_token";
|
internalToken = "${cfg.stateDir}/custom/conf/internal_token";
|
||||||
|
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
|
||||||
in ''
|
in ''
|
||||||
# copy custom configuration and generate a random secret key if needed
|
# copy custom configuration and generate a random secret key if needed
|
||||||
${optionalString (cfg.useWizard == false) ''
|
${optionalString (cfg.useWizard == false) ''
|
||||||
|
@ -526,23 +527,17 @@ in
|
||||||
${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
|
${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
SECRETKEY="$(head -n1 ${secretKey})"
|
chmod u+w '${runConfig}'
|
||||||
DBPASS="$(head -n1 ${cfg.database.passwordFile})"
|
${replaceSecretBin} '#secretkey#' '${secretKey}' '${runConfig}'
|
||||||
OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})"
|
${replaceSecretBin} '#dbpass#' '${cfg.database.passwordFile}' '${runConfig}'
|
||||||
LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})"
|
${replaceSecretBin} '#oauth2jwtsecret#' '${oauth2JwtSecret}' '${runConfig}'
|
||||||
INTERNALTOKEN="$(head -n1 ${internalToken})"
|
${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}'
|
||||||
${if (cfg.mailerPasswordFile == null) then ''
|
${replaceSecretBin} '#internaltoken#' '${internalToken}' '${runConfig}'
|
||||||
MAILERPASSWORD="#mailerpass#"
|
|
||||||
'' else ''
|
${lib.optionalString (cfg.mailerPasswordFile != null) ''
|
||||||
MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
|
${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}'
|
||||||
''}
|
''}
|
||||||
sed -e "s,#secretkey#,$SECRETKEY,g" \
|
chmod u-w '${runConfig}'
|
||||||
-e "s,#dbpass#,$DBPASS,g" \
|
|
||||||
-e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
|
|
||||||
-e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
|
|
||||||
-e "s,#internaltoken#,$INTERNALTOKEN,g" \
|
|
||||||
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
|
|
||||||
-i ${runConfig}
|
|
||||||
}
|
}
|
||||||
(umask 027; gitea_setup)
|
(umask 027; gitea_setup)
|
||||||
''}
|
''}
|
||||||
|
|
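Review bot: The replace-secret calls that replace the `head -n1` reads change which bytes end up in the config: `head -n1` took only the first line of each secret file, whereas replace-secret substitutes the file's contents, so a password file with extra lines or trailing whitespace may now produce a different value (whether replace-secret trims a trailing newline is not visible here; verify against the tool). A comment above `chmod u+w '${runConfig}'` such as `# Secrets are spliced in from files so they never appear on a command line or in /proc; each file must contain the secret on a single line` would record the requirement, and the option descriptions for `database.passwordFile` and `mailerPasswordFile` should state the same. Note also that `chmod u-w '${runConfig}'` only runs when every replacement succeeds; if a secret file is missing and the script aborts, the config is presumably left user-writable, which is harmless if the unit fails but is worth a line in that comment. The enclosing `gitea_setup` function starts before this hunk.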