nixos/gitea: set umask for secret creation
This ensures that newly created secrets will have the permissions `0640`. With this change it's ensured that no sensitive information will be word-readable at any time. Related to #121293. Strictly speaking this is a breaking change since each new directory (including data-files) aren't world-readable anymore, but actually these shouldn't be, unless there's a good reason for it.
This commit is contained in:
Maximilian Bosch
parent
c8dff328e5
commit
02c3bd2187
@ -477,6 +477,7 @@ in
|
|||||||
in ''
|
in ''
|
||||||
# copy custom configuration and generate a random secret key if needed
|
# copy custom configuration and generate a random secret key if needed
|
||||||
${optionalString (cfg.useWizard == false) ''
|
${optionalString (cfg.useWizard == false) ''
|
||||||
|
function gitea_setup {
|
||||||
cp -f ${configFile} ${runConfig}
|
cp -f ${configFile} ${runConfig}
|
||||||
|
|
||||||
if [ ! -e ${secretKey} ]; then
|
if [ ! -e ${secretKey} ]; then
|
||||||
@ -517,7 +518,8 @@ in
|
|||||||
-e "s,#internaltoken#,$INTERNALTOKEN,g" \
|
-e "s,#internaltoken#,$INTERNALTOKEN,g" \
|
||||||
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
|
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
|
||||||
-i ${runConfig}
|
-i ${runConfig}
|
||||||
chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken}
|
}
|
||||||
|
(umask 027; gitea_setup)
|
||||||
''}
|
''}
|
||||||
|
|
||||||
# update all hooks' binary paths
|
# update all hooks' binary paths
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user