From 7deb5247a5da4f468a0abe464275f6c913c5f33f Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Sat, 6 Nov 2021 08:31:58 -0700
Subject: nixos/ddclient: fix privs when loading password
---
 nixos/modules/services/networking/ddclient.nix | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
(limited to 'nixos/modules/services/networking/ddclient.nix')
diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix
index 833b0cbcdcf..5fb8d79fe56 100644
--- a/nixos/modules/services/networking/ddclient.nix
+++ b/nixos/modules/services/networking/ddclient.nix
@@ -28,6 +28,16 @@ let
 '';
 configFile = if (cfg.configFile != null) then cfg.configFile else configFile';
+ preStart = ''
+ install ${configFile} /run/${RuntimeDirectory}/ddclient.conf
+ ${lib.optionalString (cfg.configFile == null) (if (cfg.passwordFile != null) then ''
+ password=$(head -n 1 ${cfg.passwordFile})
+ sed -i "s/^password=$/password=$password/" /run/${RuntimeDirectory}/ddclient.conf
+ '' else ''
+ sed -i '/^password=$/d' /run/${RuntimeDirectory}/ddclient.conf
+ '')}
+ '';
+
 in
 with lib;
@@ -195,20 +205,13 @@ with lib;
 serviceConfig = {
 DynamicUser = true;
+ RuntimeDirectoryMode = "0700";
 inherit RuntimeDirectory;
 inherit StateDirectory;
 Type = "oneshot";
+ ExecStartPre = "!${pkgs.writeShellScript "ddclient-prestart" preStart}";
 ExecStart = "${lib.getBin pkgs.ddclient}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
 };
- preStart = ''
- install -m 600 ${configFile} /run/${RuntimeDirectory}/ddclient.conf
- ${optionalString (cfg.configFile == null) (if (cfg.passwordFile != null) then ''
- password=$(head -n 1 ${cfg.passwordFile})
- sed -i "s/^password=$/password=$password/" /run/${RuntimeDirectory}/ddclient.conf
- '' else ''
- sed -i '/^password=$/d' /run/${RuntimeDirectory}/ddclient.conf
- '')}
- '';
 };
 systemd.timers.ddclient = {
--
cgit 1.4.1
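Review bot: In the first hunk (`@@ -28,6 +28,16 @@`), `sed -i "s/^password=$/password=$password/"` splices the secret into a sed program, so a password containing `/`, `&` or `\` either makes sed fail or writes a different value into ddclient.conf, and the secret sits on sed's command line while it runs. The line is carried over from the removed `preStart`, but the second hunk now starts this script with the `!` prefix, so it is worth fixing while it is being moved. The substitution should treat the secret as literal data read from the file; nixpkgs' `pkgs.replace-secret` with a placeholder token in the generated config would do that, though the config template is outside this hunk and would need the placeholder added. `${cfg.passwordFile}` is also unquoted in `head -n 1 ${cfg.passwordFile}`, so a path containing whitespace is split by the shell; `head -n 1 "${cfg.passwordFile}"` avoids that.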
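Review bot: In the second hunk (`@@ -195,20 +205,13 @@`), `ExecStartPre = "!${...}"` runs the whole pre-start script with full privileges, while the `install` line in the first hunk no longer passes `-m 600`, so the ddclient.conf that receives the password is created with install's default mode (0755 for GNU install) and presumably root ownership. Its confidentiality then rests only on `RuntimeDirectoryMode = "0700"`. I would set mode and owner explicitly, e.g. `install -m 600 -o "$USER" ${configFile} /run/${RuntimeDirectory}/ddclient.conf`, provided `$USER` resolves to the dynamic user in a `!`-prefixed command (to be confirmed). A comment above `ExecStartPre` would also help, such as `# "!" = full privileges: the DynamicUser cannot read cfg.passwordFile`. The enclosing service definition starts outside the hunk.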