author | Maximilian Bosch <maximilian@mbosch.me> | 2021-10-06 17:34:48 +0200 |
committer | Maximilian Bosch <maximilian@mbosch.me> | 2021-10-06 18:18:18 +0200 |
commit | 9f37d6aee028679b8a94be59d74984e708acaa85 (patch) | |
tree | 7851c2d60189879c0ae32c356712afdb59696f2e /nixos/modules/services/web-apps/nextcloud.nix | |
parent | fb405269612ce6df5021e97d57dca9be3bfeed86 (diff) | |
nixos/nextcloud: put secrets into the environment of nextcloud-setup.service
The `$(</path/to/file)` expansion appears verbatim in the command line of `nextcloud-occ`, which means that an unprivileged user could read sensitive values (i.e. the admin password and the database password) by monitoring `/proc/<pid>/cmdline`. These values no longer appear on a command line; instead they are passed to `nextcloud-occ` as environment variables.
Diffstat (limited to 'nixos/modules/services/web-apps/nextcloud.nix')
-rw-r--r-- | nixos/modules/services/web-apps/nextcloud.nix | 29 |
1 files changed, 19 insertions, 10 deletions
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index cb755b99c91..b182f66a698 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -623,14 +623,21 @@ in {
 ];
 '';
 occInstallCmd = let
- dbpass = if c.dbpassFile != null
- then ''"$(<"${toString c.dbpassFile}")"''
- else if c.dbpass != null
- then ''"${toString c.dbpass}"''
- else ''""'';
- adminpass = if c.adminpassFile != null
- then ''"$(<"${toString c.adminpassFile}")"''
- else ''"${toString c.adminpass}"'';
+ mkExport = { arg, value }: "export ${arg}=${value}";
+ dbpass = {
+ arg = "DBPASS";
+ value = if c.dbpassFile != null
+ then ''"$(<"${toString c.dbpassFile}")"''
+ else if c.dbpass != null
+ then ''"${toString c.dbpass}"''
+ else ''""'';
+ };
+ adminpass = {
+ arg = "ADMINPASS";
+ value = if c.adminpassFile != null
+ then ''"$(<"${toString c.adminpassFile}")"''
+ else ''"${toString c.adminpass}"'';
+ };
 installFlags = concatStringsSep " \\\n "
 (mapAttrsToList (k: v: "${k} ${toString v}") {
 "--database" = ''"${c.dbtype}"'';
@@ -641,12 +648,14 @@ in {
 ${if c.dbhost != null then "--database-host" else null} = ''"${c.dbhost}"'';
 ${if c.dbport != null then "--database-port" else null} = ''"${toString c.dbport}"'';
 ${if c.dbuser != null then "--database-user" else null} = ''"${c.dbuser}"'';
- "--database-pass" = dbpass;
+ "--database-pass" = "\$${dbpass.arg}";
 "--admin-user" = ''"${c.adminuser}"'';
- "--admin-pass" = adminpass;
+ "--admin-pass" = "\$${adminpass.arg}";
 "--data-dir" = ''"${cfg.home}/data"'';
 });
 in ''
+ ${mkExport dbpass}
+ ${mkExport adminpass}
 ${occ}/bin/nextcloud-occ maintenance:install \
 ${installFlags}
 ''; |
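Review bot: In the second hunk, `"--database-pass" = "\$${dbpass.arg}";` and `"--admin-pass" = "\$${adminpass.arg}";` place an unquoted `$DBPASS` / `$ADMINPASS` on the `nextcloud-occ maintenance:install` command line, whereas the replaced values were wrapped in double quotes (`''"$(<"…")"''`); a password containing whitespace or glob characters would now be word-split or glob-expanded by the shell before `nextcloud-occ` sees it. Quote the expansions: `"--database-pass" = "\"\$${dbpass.arg}\"";` and `"--admin-pass" = "\"\$${adminpass.arg}\"";`. The `export` lines emitted by `mkExport` keep the file contents quoted on assignment, so only the later use is affected. A short comment next to `mkExport` would help the next reader, e.g. `# Secrets go through the environment rather than argv so they are not exposed in /proc/<pid>/cmdline.` The `occInstallCmd` let-binding opens in the first hunk and closes in the second, so part of it is outside each hunk.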