Merge pull request #156401 from TLATER/tlater/gitea-hide-secrets

nixos/gitea: Prevent secrets from being exposed at ExecStart time
Michele Guerini Rocco 2022-04-15 10:26:12 +02:00 committed by GitHub
commit 09f816e976
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -499,6 +499,7 @@ in
oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET
lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET
internalToken = "${cfg.stateDir}/custom/conf/internal_token"; internalToken = "${cfg.stateDir}/custom/conf/internal_token";
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
in '' in ''
# copy custom configuration and generate a random secret key if needed # copy custom configuration and generate a random secret key if needed
${optionalString (cfg.useWizard == false) '' ${optionalString (cfg.useWizard == false) ''
@ -526,23 +527,17 @@ in
${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken} ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
fi fi
SECRETKEY="$(head -n1 ${secretKey})" chmod u+w '${runConfig}'
DBPASS="$(head -n1 ${cfg.database.passwordFile})" ${replaceSecretBin} '#secretkey#' '${secretKey}' '${runConfig}'
OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})" ${replaceSecretBin} '#dbpass#' '${cfg.database.passwordFile}' '${runConfig}'
LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})" ${replaceSecretBin} '#oauth2jwtsecret#' '${oauth2JwtSecret}' '${runConfig}'
INTERNALTOKEN="$(head -n1 ${internalToken})" ${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}'
${if (cfg.mailerPasswordFile == null) then '' ${replaceSecretBin} '#internaltoken#' '${internalToken}' '${runConfig}'
MAILERPASSWORD="#mailerpass#"
'' else '' ${lib.optionalString (cfg.mailerPasswordFile != null) ''
MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)" ${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}'
''} ''}
sed -e "s,#secretkey#,$SECRETKEY,g" \ chmod u-w '${runConfig}'
-e "s,#dbpass#,$DBPASS,g" \
-e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
-e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
-e "s,#internaltoken#,$INTERNALTOKEN,g" \
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
-i ${runConfig}
} }
(umask 027; gitea_setup) (umask 027; gitea_setup)
''} ''}
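Review bot: The mailer branch on the new side of the second hunk (`${lib.optionalString (cfg.mailerPasswordFile != null) ''` … `''}`) drops the `|| :` fallback that the old `MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"` carried, so an unreadable or missing mailer password file now aborts gitea_setup instead of leaving the password empty; if failing closed is intended, say so next to that block, e.g. `# an unreadable mailer password file aborts setup rather than leaving #mailerpass# in the config`. The other substitutions moved from `head -n1` to replace-secret, which as far as I can tell inserts the secret file's contents rather than only its first line, so a multi-line secret file may now yield a different value; worth confirming against replace-secret's newline handling before relying on it. `chmod u+w '${runConfig}'` is issued before six replace-secret calls and `chmod u-w '${runConfig}'` only after the last one, so a failure midway leaves the config writable; running the substitutions in a subshell, or restoring the mode in a trap, would close that window. gitea_setup itself begins before the hunk, so any `set -e` or trap it relies on is not visible here.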