| field | value | date |
|---|---|---|
| author | talyz <kim.lindberger@gmail.com> | 2021-05-04 16:57:11 +0200 |
| committer | talyz <kim.lindberger@gmail.com> | 2021-05-21 13:08:53 +0200 |
| commit | d6727d28e1c11887c8dad6860c0c204a21054d57 (patch) | |
| tree | 14dfb5e4a7a22d487e7f3eea7a76779141627941 /nixos | |
| parent | d3ad6d42cad6660dae4364ad0436c60da6a5c5aa (diff) | |
nixos/keycloak: Set the postgresql database password securely
Feeding `psql` the password on the command line leaks it through the `psql` process's `/proc/<pid>/cmdline` file. Using `echo` to put the command in a file and then feeding `psql` the file should work around this, since `echo` is a bash builtin and thus shouldn't spawn a new process.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/web-apps/keycloak.nix | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix index e2e6df41dfa..073f793b4ed 100644 --- a/nixos/modules/services/web-apps/keycloak.nix +++ b/nixos/modules/services/web-apps/keycloak.nix @@ -592,8 +592,11 @@ in PSQL=${config.services.postgresql.package}/bin/psql - db_password="$(<'${cfg.databasePasswordFile}')" - $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || $PSQL -tAc "CREATE ROLE keycloak WITH LOGIN PASSWORD '$db_password' CREATEDB" + create_role="$(mktemp)" + trap 'rm -f "$create_role"' ERR EXIT + + echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$(<'${cfg.databasePasswordFile}')' CREATEDB" > "$create_role" + $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || $PSQL -tA --file="$create_role" $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"' ''; }; |
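Review bot: The new `echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$(<'${cfg.databasePasswordFile}')' CREATEDB" > "$create_role"` line still splices the raw password into a single-quoted SQL literal, so a password containing a `'` breaks the statement (as it did before this change); doubling single quotes before interpolation (`pw="$(<'${cfg.databasePasswordFile}')"; pw=${pw//\'/\'\'}`) keeps the file-based approach while making the literal robust. The fix itself holds up: `$(<file)` and `echo` are both bash builtins, so the password never appears in any process's `/proc/<pid>/cmdline`, and the `--file` form only exposes the temp path. Two things worth a comment in the module since the change relies on them: the file is private only because `mktemp` creates it with mode 0600 in `$TMPDIR`, and the `trap 'rm -f "$create_role"' ERR EXIT` cleanup does not run if the unit is killed with SIGKILL, so the password file can outlive a hard kill until the next run (`PrivateTmp` on the unit would bound that exposure).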