Merge pull request #156401 from TLATER/tlater/gitea-hide-secrets
nixos/gitea: Prevent secrets from being exposed at ExecStart time
commit
09f816e976
|
@ -499,6 +499,7 @@ in
|
|||
oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET
|
||||
lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET
|
||||
internalToken = "${cfg.stateDir}/custom/conf/internal_token";
|
||||
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
|
||||
in ''
|
||||
# copy custom configuration and generate a random secret key if needed
|
||||
${optionalString (cfg.useWizard == false) ''
|
||||
|
@ -526,23 +527,17 @@ in
|
|||
${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
|
||||
fi
|
||||
|
||||
SECRETKEY="$(head -n1 ${secretKey})"
|
||||
DBPASS="$(head -n1 ${cfg.database.passwordFile})"
|
||||
OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})"
|
||||
LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})"
|
||||
INTERNALTOKEN="$(head -n1 ${internalToken})"
|
||||
${if (cfg.mailerPasswordFile == null) then ''
|
||||
MAILERPASSWORD="#mailerpass#"
|
||||
'' else ''
|
||||
MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
|
||||
chmod u+w '${runConfig}'
|
||||
${replaceSecretBin} '#secretkey#' '${secretKey}' '${runConfig}'
|
||||
${replaceSecretBin} '#dbpass#' '${cfg.database.passwordFile}' '${runConfig}'
|
||||
${replaceSecretBin} '#oauth2jwtsecret#' '${oauth2JwtSecret}' '${runConfig}'
|
||||
${replaceSecretBin} '#lfsjwtsecret#' '${lfsJwtSecret}' '${runConfig}'
|
||||
${replaceSecretBin} '#internaltoken#' '${internalToken}' '${runConfig}'
|
||||
|
||||
${lib.optionalString (cfg.mailerPasswordFile != null) ''
|
||||
${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}'
|
||||
''}
|
||||
sed -e "s,#secretkey#,$SECRETKEY,g" \
|
||||
-e "s,#dbpass#,$DBPASS,g" \
|
||||
-e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
|
||||
-e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
|
||||
-e "s,#internaltoken#,$INTERNALTOKEN,g" \
|
||||
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
|
||||
-i ${runConfig}
|
||||
chmod u-w '${runConfig}'
|
||||
}
|
||||
(umask 027; gitea_setup)
|
||||
''}
|
||||
|
|
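Review bot: The mailer path loses its best-effort fallback: the removed `MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"` tolerated an unreadable file by substituting an empty password, whereas the new `${replaceSecretBin} '#mailerpass#' '${cfg.mailerPasswordFile}' '${runConfig}'` will make an unreadable or missing file abort gitea_setup and therefore the unit start. Failing closed is the safer behaviour, but it is a user-visible change that the mailerPasswordFile option description (outside this hunk) should state. Separately, every removed `head -n1` took only the first line of each secret file; whether replace-secret trims trailing whitespace or inserts the file content verbatim is not visible here, so a secret file with a trailing newline or extra lines may now produce a different value in `${runConfig}` — worth confirming against replace-secret before relying on it. The enclosing preStart script starts and continues outside this hunk.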