nixos/coturn: refactor secret injection

The original implementation had a few issues: * The secret was briefly leaked since it is part of the cmdline for `sed(1)` and on Linux `cmdline` is world-readable. * If the secret would contain either a `,` or a `"` it would mess with the `sed(1)` expression itself unless you apply messy escape hacks. To circumvent all of that, I decided to use `replace-secret` which allows you to replace a string inside a file (in this case `#static-auth-secret#`) with the contents of a file, i.e. `cfg.static-auth-secret-file` without any of these issues.
2022-10-09 09:31:48 +02:00 · 2022-10-09 09:31:48 +02:00 · 4fd75277dd
commit 4fd75277dd
parent d052fcf0ed
1 changed files with 4 additions and 3 deletions
--- a/nixos/modules/services/networking/coturn.nix
+++ b/nixos/modules/services/networking/coturn.nix
@ -335,9 +335,10 @@ in {
        preStart = ''
          cat ${configFile} > ${runConfig}
          ${optionalString (cfg.static-auth-secret-file != null) ''
-            STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)"
-            sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \
-              -i ${runConfig}
+            ${pkgs.replace-secret}/bin/replace-secret \
+              "#static-auth-secret#" \
+              ${cfg.static-auth-secret-file} \
+              ${runConfig}
          '' }
          chmod 640 ${runConfig}
        '';