From 38398fade1298090c192651d7b1fdde262bc336e Mon Sep 17 00:00:00 2001
From: talyz
Date: Tue, 4 May 2021 16:03:48 +0200
Subject: [PATCH] nixos/discourse: Use replace-secret to avoid leaking secrets
Using `replace-literal` to insert secrets leaks the secrets through the `replace-literal` process' `/proc//cmdline` file. `replace-secret` solves this by reading the secret straight from the file instead, which also simplifies the code a bit.
---
 nixos/modules/services/web-apps/discourse.nix | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix
index 00b58d50257..0e2e182ffe9 100644
--- a/nixos/modules/services/web-apps/discourse.nix
+++ b/nixos/modules/services/web-apps/discourse.nix
@@ -661,7 +661,7 @@ in
 ];
 path = cfg.package.runtimeDeps ++ [
 postgresqlPackage
- pkgs.replace
+ pkgs.replace-secret
 cfg.package.rake
 ];
 environment = cfg.package.runtimeEnv // {
@@ -688,10 +688,7 @@ in
 mkSecretReplacement = file:
 lib.optionalString (file != null) ''
- (
- password=$(<'${file}')
- replace-literal -fe '${file}' "$password" /run/discourse/config/discourse.conf
- )
+ replace-secret '${file}' '${file}' /run/discourse/config/discourse.conf
 '';
 in ''
 set -o errexit -o pipefail -o nounset -o errtrace
@@ -713,11 +710,12 @@ in
 cfg.siteSettings
 "/run/discourse/config/nixos_site_settings.json"
 }
- install -T -m 0400 -o discourse ${discourseConf} /run/discourse/config/discourse.conf
+ install -T -m 0600 -o discourse ${discourseConf} /run/discourse/config/discourse.conf
 ${mkSecretReplacement cfg.database.passwordFile}
 ${mkSecretReplacement cfg.mail.outgoing.passwordFile}
 ${mkSecretReplacement cfg.redis.passwordFile}
 ${mkSecretReplacement cfg.secretKeyBaseFile}
+ chmod 0400 /run/discourse/config/discourse.conf
 )
 discourse-rake db:migrate >>/var/log/discourse/db_migration.log
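Review bot: In `mkSecretReplacement` the new line splices `${file}` between hand-written single quotes, so a path containing a `'` would break the quoting in the generated preStart script; `lib.escapeShellArg` is the usual way to pass it, e.g. `replace-secret ${lib.escapeShellArg file} ${lib.escapeShellArg file} /run/discourse/config/discourse.conf`. The call also relies on the secret file's path doubling as the placeholder text inside discourse.conf, which is not obvious when reading it; a comment such as `# 1st arg: placeholder in discourse.conf (the path itself), 2nd arg: file holding the secret` would help. If the option type accepts a Nix path value rather than a string, interpolating it would copy the secret into the world-readable store, so that is worth confirming where the options are declared, which is outside this hunk.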
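Review bot: The `install` line now widens discourse.conf to 0600 and the trailing `chmod 0400` narrows it again, but nothing in the hunk says why the two steps exist. A comment above `install` such as `# writable while replace-secret fills in the secrets; made read-only again below` would keep a later cleanup from merging them back into a single 0400 install. Because the script sets `errexit` (visible in the previous hunk), a failing `replace-secret` stops before the `chmod`, leaving the file at 0600 with only some placeholders replaced. That is still owner-only, but whether the service can start from such a half-filled file depends on code outside the hunk and is worth checking.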