author | talyz <kim.lindberger@gmail.com> | 2021-05-04 16:12:08 +0200 |
committer | talyz <kim.lindberger@gmail.com> | 2021-05-19 09:32:22 +0200 |
commit | 88b76d5ef9b3a294da831b3b938d5fed6ed13453 (patch) | |
tree | 93c62235882295b29fa43b1d96c37ce073bd6188 /nixos/modules/services/audio/mpd.nix | |
parent | 3a29b7bf5ba7caaaeb4c9c6bb145b0c635b03996 (diff) | |
nixos/mpd: Use replace-secret to avoid leaking secrets
Using `replace-literal` to insert secrets leaks the secrets through the `replace-literal` process' `/proc/<pid>/cmdline` file. `replace-secret` solves this by reading the secret straight from the file instead.
Diffstat (limited to 'nixos/modules/services/audio/mpd.nix')
-rw-r--r-- | nixos/modules/services/audio/mpd.nix | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix
index eee6c5f423d..e33e860d883 100644
--- a/nixos/modules/services/audio/mpd.nix
+++ b/nixos/modules/services/audio/mpd.nix
@@ -233,14 +233,15 @@ in {
 {
 User = "${cfg.user}";
 ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /run/mpd/mpd.conf";
- ExecStartPre = pkgs.writeShellScript "mpd-start-pre" ''
+ ExecStartPre = pkgs.writeShellScript "mpd-start-pre" (''
 set -euo pipefail
 install -m 600 ${mpdConf} /run/mpd/mpd.conf
- ${optionalString (cfg.credentials != [])
- "${pkgs.replace}/bin/replace-literal -fe ${
- concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$(cat ${c.passwordFile})\"") cfg.credentials)
- } /run/mpd/mpd.conf"}
- '';
+ '' + optionalString (cfg.credentials != [])
+ (concatStringsSep "\n"
+ (imap0
+ (i: c: ''${pkgs.replace-secret}/bin/replace-secret '{{password-${toString i}}}' '${c.passwordFile}' /run/mpd/mpd.conf'')
+ cfg.credentials))
+ );
 RuntimeDirectory = "mpd";
 Type = "notify";
 LimitRTPRIO = 50; |
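Review bot: The new `replace-secret` line splices `c.passwordFile` into the shell script inside hand-written single quotes, so a path containing a `'` (or the placeholder text, should it ever change) breaks the quoting; the nixpkgs idiom is to let the library do it, e.g. `(i: c: "${pkgs.replace-secret}/bin/replace-secret ${escapeShellArg "{{password-${toString i}}}"} ${escapeShellArg c.passwordFile} /run/mpd/mpd.conf")`, assuming `lib` is opened with `with lib;` as the unqualified `optionalString`/`imap0` suggest. Separately, the visible `User = "${cfg.user}"` means this ExecStartPre runs as the mpd user, so each `passwordFile` must be readable by that user or the pre-start aborts under `set -e`; that requirement belongs in the option's description, which is outside this hunk. The enclosing serviceConfig attribute set starts and ends outside the hunk.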