nixos/gitea: set umask for secret creation

This ensures that newly created secrets will have the permissions
`0640`. With this change it's ensured that no sensitive information will
be world-readable at any time.

Related to #121293.

Strictly speaking this is a breaking change since each new directory
(including data-files) isn't world-readable anymore, but actually these
shouldn't be, unless there's a good reason for it.
This commit is contained in:
Maximilian Bosch 2021-04-30 19:47:38 +02:00
parent c8dff328e5
commit 02c3bd2187
No known key found for this signature in database
GPG Key ID: 091DBF4D1FC46B8E


@ -477,6 +477,7 @@ in
in ''
# copy custom configuration and generate a random secret key if needed
${optionalString (cfg.useWizard == false) ''
function gitea_setup {
cp -f ${configFile} ${runConfig}
if [ ! -e ${secretKey} ]; then
@ -517,7 +518,8 @@ in
-e "s,#internaltoken#,$INTERNALTOKEN,g" \
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
-i ${runConfig}
chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken}
}
(umask 027; gitea_setup)
''}
# update all hooks' binary paths
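Review bot: The umask added at `(umask 027; gitea_setup)` only affects files that gitea_setup creates anew; as far as I can tell, `cp -f ${configFile} ${runConfig}` onto an already existing ${runConfig} truncates it in place and GNU `sed -i` copies the original file's mode, so a ${runConfig} left at 0644 by an earlier deployment would still expose the substituted secrets between the sed run and the `chmod 640` on the following line. Tightening the mode immediately after the copy, i.e. `cp -f ${configFile} ${runConfig}` followed by `chmod 640 ${runConfig}`, closes that window regardless of the file's previous mode, and the later chmod can stay for the other paths. The secret-generation branch under `if [ ! -e ${secretKey} ]` and the sed invocation both continue outside these hunks, and gitea_setup's body spans both hunks, so only the copy and the final chmod are visible here.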