nixos/discourse: Use replace-secret to avoid leaking secrets

Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
talyz 2021-05-04 16:03:48 +02:00
parent 27f8f6956a
commit 38398fade1
No known key found for this signature in database
GPG key ID: 2DED2151F4671A2B


@ -661,7 +661,7 @@ in
];
path = cfg.package.runtimeDeps ++ [
postgresqlPackage
pkgs.replace
pkgs.replace-secret
cfg.package.rake
];
environment = cfg.package.runtimeEnv // {
@ -688,10 +688,7 @@ in
mkSecretReplacement = file:
lib.optionalString (file != null) ''
(
password=$(<'${file}')
replace-literal -fe '${file}' "$password" /run/discourse/config/discourse.conf
)
replace-secret '${file}' '${file}' /run/discourse/config/discourse.conf
'';
in ''
set -o errexit -o pipefail -o nounset -o errtrace
@ -713,11 +710,12 @@ in
cfg.siteSettings
"/run/discourse/config/nixos_site_settings.json"
}
install -T -m 0400 -o discourse ${discourseConf} /run/discourse/config/discourse.conf
install -T -m 0600 -o discourse ${discourseConf} /run/discourse/config/discourse.conf
${mkSecretReplacement cfg.database.passwordFile}
${mkSecretReplacement cfg.mail.outgoing.passwordFile}
${mkSecretReplacement cfg.redis.passwordFile}
${mkSecretReplacement cfg.secretKeyBaseFile}
chmod 0400 /run/discourse/config/discourse.conf
)
discourse-rake db:migrate >>/var/log/discourse/db_migration.log
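Review bot: In `mkSecretReplacement`, the new `replace-secret '${file}' '${file}' /run/discourse/config/discourse.conf` line still places the interpolated path between hand-written single quotes, so a configured path containing a `'` would break the quoting in a script that, judging by `install -o discourse`, presumably runs with elevated privileges. Letting Nix do the quoting is more robust: `replace-secret ${lib.escapeShellArg file} ${lib.escapeShellArg file} /run/discourse/config/discourse.conf`. A one-line comment there would also help, such as `# 1st arg: placeholder in discourse.conf (the path itself); 2nd arg: file the secret is read from`, since the repeated argument looks like a typo at first glance. In the last hunk, the `install -m 0600` / `chmod 0400` pair deserves a comment saying the file is writable only while the secrets are substituted. Because of `errexit`, a failing `replace-secret` leaves it at 0600, which is still owner-only. The enclosing script starts and ends outside the visible hunks.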