nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-27 17:33:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

nixos/mpd: Use replace-secret to avoid leaking secrets

Browse Source 
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead.
This commit is contained in:
talyz 2021-05-04 16:12:08 +02:00
parent 3a29b7bf5b
commit 88b76d5ef9
No known key found for this signature in database
GPG Key ID: 2DED2151F4671A2B
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
nixos/modules/services/audio/mpd.nix
View File

@ -233,14 +233,15 @@ in {
{
User = "${cfg.user}";
ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /run/mpd/mpd.conf";
ExecStartPre = pkgs.writeShellScript "mpd-start-pre" ''
ExecStartPre = pkgs.writeShellScript "mpd-start-pre" (''
set -euo pipefail
install -m 600 ${mpdConf} /run/mpd/mpd.conf
${optionalString (cfg.credentials != [])
"${pkgs.replace}/bin/replace-literal -fe ${
concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$(cat ${c.passwordFile})\"") cfg.credentials)
} /run/mpd/mpd.conf"}
'';
'' + optionalString (cfg.credentials != [])
(concatStringsSep "\n"
(imap0
(i: c: ''${pkgs.replace-secret}/bin/replace-secret '{{password-${toString i}}}' '${c.passwordFile}' /run/mpd/mpd.conf'')
cfg.credentials))
);
RuntimeDirectory = "mpd";
Type = "notify";
LimitRTPRIO = 50;