From 88b76d5ef9b3a294da831b3b938d5fed6ed13453 Mon Sep 17 00:00:00 2001
From: talyz
Date: Tue, 4 May 2021 16:12:08 +0200
Subject: [PATCH] nixos/mpd: Use replace-secret to avoid leaking secrets

Using `replace-literal` to insert secrets leaks the secrets through the `replace-literal` process' `/proc//cmdline` file. `replace-secret` solves this by reading the secret straight from the file instead.
---
 nixos/modules/services/audio/mpd.nix | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix
index eee6c5f423d..e33e860d883 100644
--- a/nixos/modules/services/audio/mpd.nix
+++ b/nixos/modules/services/audio/mpd.nix
@@ -233,14 +233,15 @@ in {
 {
 User = "${cfg.user}";
 ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /run/mpd/mpd.conf";
- ExecStartPre = pkgs.writeShellScript "mpd-start-pre" ''
+ ExecStartPre = pkgs.writeShellScript "mpd-start-pre" (''
 set -euo pipefail
 install -m 600 ${mpdConf} /run/mpd/mpd.conf
- ${optionalString (cfg.credentials != [])
- "${pkgs.replace}/bin/replace-literal -fe ${
- concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$(cat ${c.passwordFile})\"") cfg.credentials)
- } /run/mpd/mpd.conf"}
- '';
+ '' + optionalString (cfg.credentials != [])
+ (concatStringsSep "\n"
+ (imap0
+ (i: c: ''${pkgs.replace-secret}/bin/replace-secret '{{password-${toString i}}}' '${c.passwordFile}' /run/mpd/mpd.conf'')
+ cfg.credentials))
+ );
 RuntimeDirectory = "mpd";
 Type = "notify";
 LimitRTPRIO = 50;
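Review bot: The added replace-secret line hand-quotes the path as `'${c.passwordFile}'`, so a passwordFile containing a single quote would break the generated shell script, and since this module already uses unprefixed lib helpers the safer form is `(i: c: ''${pkgs.replace-secret}/bin/replace-secret '{{password-${toString i}}}' ${escapeShellArg c.passwordFile} /run/mpd/mpd.conf'')`. Because `install -m 600` runs before any substitution, the filled-in secret never lands in a more permissive file, provided replace-secret rewrites /run/mpd/mpd.conf in place rather than recreating it with a default mode, which is worth confirming. The ExecStartPre script still runs as `cfg.user`, so every passwordFile has to be readable by that user, a requirement the option description (outside this hunk) should spell out. The enclosing attribute set starts and ends outside the hunk.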