nixos/coturn: refactor secret injection
The original implementation had a few issues: * The secret was briefly leaked since it is part of the cmdline for `sed(1)` and on Linux `cmdline` is world-readable. * If the secret would contain either a `,` or a `"` it would mess with the `sed(1)` expression itself unless you apply messy escape hacks. To circumvent all of that, I decided to use `replace-secret` which allows you to replace a string inside a file (in this case `#static-auth-secret#`) with the contents of a file, i.e. `cfg.static-auth-secret-file` without any of these issues.
This commit is contained in:
parent
d052fcf0ed
commit
4fd75277dd
1 changed files with 4 additions and 3 deletions
|
@ -335,9 +335,10 @@ in {
|
||||||
preStart = ''
|
preStart = ''
|
||||||
cat ${configFile} > ${runConfig}
|
cat ${configFile} > ${runConfig}
|
||||||
${optionalString (cfg.static-auth-secret-file != null) ''
|
${optionalString (cfg.static-auth-secret-file != null) ''
|
||||||
STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)"
|
${pkgs.replace-secret}/bin/replace-secret \
|
||||||
sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \
|
"#static-auth-secret#" \
|
||||||
-i ${runConfig}
|
${cfg.static-auth-secret-file} \
|
||||||
|
${runConfig}
|
||||||
'' }
|
'' }
|
||||||
chmod 640 ${runConfig}
|
chmod 640 ${runConfig}
|
||||||
'';
|
'';
|
||||||
|
|
Loading…
Reference in a new issue