Diffstat (limited to 'pkgs/build-support/replace-secret/replace-secret.nix')
-rw-r--r-- | pkgs/build-support/replace-secret/replace-secret.nix | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/pkgs/build-support/replace-secret/replace-secret.nix b/pkgs/build-support/replace-secret/replace-secret.nix
new file mode 100644
index 00000000000..e04d1aed5f7
--- /dev/null
+++ b/pkgs/build-support/replace-secret/replace-secret.nix
@@ -0,0 +1,35 @@
+{ stdenv, lib, python3 }:
+
+stdenv.mkDerivation {
+ name = "replace-secret";
+ buildInputs = [ python3 ];
+ phases = [ "installPhase" "checkPhase" ];
+ installPhase = ''
+ install -D ${./replace-secret.py} $out/bin/replace-secret
+ patchShebangs $out
+ '';
+ doCheck = true;
+ checkPhase = ''
+ install -m 0600 ${./test/input_file} long_test
+ $out/bin/replace-secret "replace this" ${./test/passwd} long_test
+ $out/bin/replace-secret "and this" ${./test/rsa} long_test
+ diff ${./test/expected_long_output} long_test
+
+ install -m 0600 ${./test/input_file} short_test
+ $out/bin/replace-secret "replace this" <(echo "a") short_test
+ $out/bin/replace-secret "and this" <(echo "b") short_test
+ diff ${./test/expected_short_output} short_test
+ '';
+ meta = with lib; {
+ platforms = platforms.all;
+ maintainers = with maintainers; [ talyz ];
+ license = licenses.mit;
+ description = "Replace a string in one file with a secret from a second file";
+ longDescription = ''
+ Replace a string in one file with a secret from a second file.
+
+ Since the secret is read from a file, it won't be leaked through
+ '/proc/<pid>/cmdline', unlike when 'sed' or 'replace' is used.
+ '';
+ };
+}
|
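Review bot: `phases = [ "installPhase" "checkPhase" ];` replaces the whole standard phase list and drops the `runHook` extension points, which is the pattern nixpkgs discourages; the same "install first, then test the installed binary" ordering is available without it by setting `dontUnpack = true;` and moving the tests to `doInstallCheck = true;` / `installCheckPhase`, which the default phase order runs after `installPhase`, so `$out/bin/replace-secret` still exists when the tests run. Wrapping the phases in `runHook preInstall`/`postInstall` and `runHook preInstallCheck`/`postInstallCheck` lets downstream overrides hook in. Every `${./test/...}` reference in `checkPhase` copies that file into the Nix store, where it is world-readable, so `test/passwd` and `test/rsa` must only ever be throwaway sample material; a comment above `checkPhase` such as `# test/ holds dummy fixtures only; path references here end up world-readable in /nix/store` would keep that from being forgotten. The `<(echo "a")` process substitutions assume a bash builder, which stdenv provides.
```nix
  dontUnpack = true;
  installPhase = ''
    runHook preInstall
    install -D ${./replace-secret.py} $out/bin/replace-secret
    patchShebangs $out
    runHook postInstall
  '';
  doInstallCheck = true;
  installCheckPhase = ''
    runHook preInstallCheck
    # … unchanged: long_test and short_test invocations and diffs …
    runHook postInstallCheck
  '';
```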