authortalyz <kim.lindberger@gmail.com>2021-05-04 16:12:08 +0200
committertalyz <kim.lindberger@gmail.com>2021-05-19 09:32:22 +0200
commit88b76d5ef9b3a294da831b3b938d5fed6ed13453 (patch)
tree93c62235882295b29fa43b1d96c37ce073bd6188 /nixos/modules/services/audio/mpd.nix
parent3a29b7bf5ba7caaaeb4c9c6bb145b0c635b03996 (diff)
nixos/mpd: Use replace-secret to avoid leaking secrets
Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead.
Diffstat (limited to 'nixos/modules/services/audio/mpd.nix')
-rw-r--r--nixos/modules/services/audio/mpd.nix13
1 files changed, 7 insertions, 6 deletions
diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix
index eee6c5f423d..e33e860d883 100644
--- a/nixos/modules/services/audio/mpd.nix
+++ b/nixos/modules/services/audio/mpd.nix
@@ -233,14 +233,15 @@ in {
         {
           User = "${cfg.user}";
           ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /run/mpd/mpd.conf";
-          ExecStartPre = pkgs.writeShellScript "mpd-start-pre" ''
+          ExecStartPre = pkgs.writeShellScript "mpd-start-pre" (''
             set -euo pipefail
             install -m 600 ${mpdConf} /run/mpd/mpd.conf
-            ${optionalString (cfg.credentials != [])
-            "${pkgs.replace}/bin/replace-literal -fe ${
-              concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$(cat ${c.passwordFile})\"") cfg.credentials)
-            } /run/mpd/mpd.conf"}
-          '';
+          '' + optionalString (cfg.credentials != [])
+            (concatStringsSep "\n"
+              (imap0
+                (i: c: ''${pkgs.replace-secret}/bin/replace-secret '{{password-${toString i}}}' '${c.passwordFile}' /run/mpd/mpd.conf'')
+                cfg.credentials))
+          );
           RuntimeDirectory = "mpd";
           Type = "notify";
           LimitRTPRIO = 50;
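Review bot: The new `replace-secret` invocation on the line inside `imap0` runs as `cfg.user` (systemd runs `ExecStartPre` under the unit's `User` unless the command is prefixed with `+`), so every `c.passwordFile` must be readable by that user; the hunk adds no check for this, and with `set -euo pipefail` an unreadable or missing file now fails the unit with replace-secret's own error instead of silently substituting an empty password as the old `$(cat …)` form could. That requirement is worth stating in the description of the `credentials` option's `passwordFile` (outside this hunk), e.g. `The file must be readable by the user MPD runs as (services.mpd.user).` A one-line comment above the `optionalString` would also make the reason for the two-string concatenation obvious to the next reader: `# replace-secret reads the secret from the file itself, so it never appears in the process' argv or /proc/<pid>/cmdline`. The enclosing `serviceConfig` attribute set continues outside the hunk.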