nixos/keycloak: Set the postgresql database password securely

Feeding `psql` the password on the command line leaks it through the `psql` process' `/proc/<pid>/cmdline` file. Using `echo` to put the command in a file and then feeding `psql` the file should work around this, since `echo` is a bash builtin and thus shouldn't spawn a new process.
2021-05-04 16:57:11 +02:00 · 2021-05-04 16:57:11 +02:00 · d6727d28e1
parent d3ad6d42ca
commit d6727d28e1
1 changed files with 5 additions and 2 deletions
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@ -592,8 +592,11 @@ in

            PSQL=${config.services.postgresql.package}/bin/psql

-            db_password="$(<'${cfg.databasePasswordFile}')"
-            $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || $PSQL -tAc "CREATE ROLE keycloak WITH LOGIN PASSWORD '$db_password' CREATEDB"
+            create_role="$(mktemp)"
+            trap 'rm -f "$create_role"' ERR EXIT
+
+            echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$(<'${cfg.databasePasswordFile}')' CREATEDB" > "$create_role"
+            $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || $PSQL -tA --file="$create_role"
            $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"'
          '';
        };