authorMaximilian Bosch <maximilian@mbosch.me>2021-10-06 17:34:48 +0200
committerMaximilian Bosch <maximilian@mbosch.me>2021-10-06 18:18:18 +0200
commit9f37d6aee028679b8a94be59d74984e708acaa85 (patch)
tree7851c2d60189879c0ae32c356712afdb59696f2e /nixos/modules/services/web-apps/nextcloud.nix
parentfb405269612ce6df5021e97d57dca9be3bfeed86 (diff)
nixos/nextcloud: put secrets into the environment of nextcloud-setup.service
The `$(</path/to/file)`-expansion appears verbatim in the cmdline of
`nextcloud-occ` which means that an unprivileged user could find
sensitive values (i.e. admin password & database password) by monitoring
`/proc/<pid>/cmdline`.

Now, these values don't appear in a command line anymore, but will be
passed as environment variables to `nextcloud-occ`.
Diffstat (limited to 'nixos/modules/services/web-apps/nextcloud.nix')
-rw-r--r--nixos/modules/services/web-apps/nextcloud.nix29
1 files changed, 19 insertions, 10 deletions
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index cb755b99c91..b182f66a698 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -623,14 +623,21 @@ in {
             ];
           '';
           occInstallCmd = let
-            dbpass = if c.dbpassFile != null
-              then ''"$(<"${toString c.dbpassFile}")"''
-              else if c.dbpass != null
-              then ''"${toString c.dbpass}"''
-              else ''""'';
-            adminpass = if c.adminpassFile != null
-              then ''"$(<"${toString c.adminpassFile}")"''
-              else ''"${toString c.adminpass}"'';
+            mkExport = { arg, value }: "export ${arg}=${value}";
+            dbpass = {
+              arg = "DBPASS";
+              value = if c.dbpassFile != null
+                then ''"$(<"${toString c.dbpassFile}")"''
+                else if c.dbpass != null
+                then ''"${toString c.dbpass}"''
+                else ''""'';
+            };
+            adminpass = {
+              arg = "ADMINPASS";
+              value = if c.adminpassFile != null
+                then ''"$(<"${toString c.adminpassFile}")"''
+                else ''"${toString c.adminpass}"'';
+            };
             installFlags = concatStringsSep " \\\n    "
               (mapAttrsToList (k: v: "${k} ${toString v}") {
               "--database" = ''"${c.dbtype}"'';
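Review bot: `mkExport` is defined here as an unconditional `export`, so both secrets become part of the environment of every command that runs after this point in the generated setup script and of every descendant process of `nextcloud-occ`, not only of the single `maintenance:install` call; the script this snippet is spliced into is outside the hunk. A prefix assignment (`DBPASS=... nextcloud-occ ... $DBPASS`) would not work because the `$DBPASS` arguments are expanded before the temporary assignment takes effect, so the narrower fix is to keep `export` but run the whole block in a subshell, `( ${mkExport dbpass}` … `)` around the call in the `in ''…''` body, or to `unset DBPASS ADMINPASS` right after it. Note also that when `dbpass`/`adminpass` are given inline rather than through a file, the `else ''"${toString c.dbpass}"''` and `else ''"${toString c.adminpass}"''` branches still interpolate the plaintext into the script in the world-readable Nix store; the commit only removes the cmdline exposure, so a comment such as `# inline passwords are baked into the store script; prefer the *File options` on those branches would make that clear (the module may already warn about this elsewhere, not visible here).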
@@ -641,12 +648,14 @@ in {
               ${if c.dbhost != null then "--database-host" else null} = ''"${c.dbhost}"'';
               ${if c.dbport != null then "--database-port" else null} = ''"${toString c.dbport}"'';
               ${if c.dbuser != null then "--database-user" else null} = ''"${c.dbuser}"'';
-              "--database-pass" = dbpass;
+              "--database-pass" = "\$${dbpass.arg}";
               "--admin-user" = ''"${c.adminuser}"'';
-              "--admin-pass" = adminpass;
+              "--admin-pass" = "\$${adminpass.arg}";
               "--data-dir" = ''"${cfg.home}/data"'';
             });
           in ''
+            ${mkExport dbpass}
+            ${mkExport adminpass}
             ${occ}/bin/nextcloud-occ maintenance:install \
                 ${installFlags}
           '';
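Review bot: `"--database-pass" = "\$${dbpass.arg}";` and its `--admin-pass` counterpart now render as unquoted `$DBPASS` / `$ADMINPASS`, whereas the removed code always passed a quoted string. When neither `dbpassFile` nor `dbpass` is set, `DBPASS` is exported as the empty string and the unquoted expansion vanishes, so `nextcloud-occ` sees `--database-pass --admin-user "…"`; depending on how the option parser treats a missing value this either aborts the install or misreads the next flag, and the `''""''` default presumably exists precisely for password-less database types. A password containing whitespace or glob characters is likewise word-split or expanded. Restore the quoting with `"--database-pass" = ''"''$${dbpass.arg}"'';` and `"--admin-pass" = ''"''$${adminpass.arg}"'';`, which render as `--database-pass "$DBPASS"`. The `let` that defines these bindings starts in the previous hunk.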