nixos/coturn: refactor secret injection

The original implementation had a few issues:

* The secret was briefly leaked since it is part of the cmdline for
  `sed(1)` and on Linux `cmdline` is world-readable.
* If the secret contained either a `,` or a `"`, it would mess with
  the `sed(1)` expression itself unless you apply messy escape hacks.

To circumvent all of that, I decided to use `replace-secret` which
allows you to replace a string inside a file (in this case
`#static-auth-secret#`) with the contents of a file, i.e.
`cfg.static-auth-secret-file` without any of these issues.
Maximilian Bosch 2022-10-09 09:31:48 +02:00
parent d052fcf0ed
commit 4fd75277dd
No known key found for this signature in database
GPG key ID: 9A6EEA275CA5BE0A

@ -335,9 +335,10 @@ in {
preStart = '' preStart = ''
cat ${configFile} > ${runConfig} cat ${configFile} > ${runConfig}
${optionalString (cfg.static-auth-secret-file != null) '' ${optionalString (cfg.static-auth-secret-file != null) ''
STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)" ${pkgs.replace-secret}/bin/replace-secret \
sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \ "#static-auth-secret#" \
-i ${runConfig} ${cfg.static-auth-secret-file} \
${runConfig}
'' } '' }
chmod 640 ${runConfig} chmod 640 ${runConfig}
''; '';
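
Review bot: `chmod 640 ${runConfig}` still runs only after the secret has been injected, so between `cat ${configFile} > ${runConfig}` and the final `chmod` the file has whatever mode the umask gives it while already containing the secret. Consider fixing the mode before the `replace-secret` call, for example by creating the file with `install -m 640` or by tightening the umask at the top of `preStart`. Separately, the removed line took only the first line of the file (`head -n1`) and had a `|| :` fallback, while the new call hands the whole file to `replace-secret` with no fallback; the option description for `static-auth-secret-file` should say that the file must contain only the secret so this behaviour change is documented.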