From 1a1fc17957516956949f019292b994aebfda6779 Mon Sep 17 00:00:00 2001
From: "Nicolas B. Pierron"
Date: Fri, 12 Dec 2014 22:14:21 +0100
Subject: [PATCH] Firefox Sync Server: Create the private config file as non-world readable.

---
 .../networking/firefox/sync-server.nix | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix
index 0d2306c6994..b357eac98b9 100644
--- a/nixos/modules/services/networking/firefox/sync-server.nix
+++ b/nixos/modules/services/networking/firefox/sync-server.nix
@@ -4,10 +4,9 @@ with lib;
 
 let
   cfg = config.services.firefox.syncserver;
-  syncServerSecretFile = "/etc/firefox/syncserver-secret.ini";
   syncServerIni = pkgs.writeText "syncserver.ini" ''
     [DEFAULT]
-    overrides = ${cfg.privateConfig} ${syncServerSecretFile}
+    overrides = ${cfg.privateConfig}
 
     [server:main]
     use = egg:Paste#http
@@ -100,12 +99,14 @@ in
     };
 
     privateConfig = mkOption {
-      type = types.separatedString " ";
-      default = "";
+      type = types.str;
+      default = "/etc/firefox/syncserver-secret.ini";
       description = ''
         If defined, this file would be used to set all fields which were omitted in the
         generated ini files used for configuring the syncserver. This file is useful
-        for storing secrets, such as the syncserver.secret or the syncserver.sqluri
+        for storing secrets, such as the syncserver.secret or the syncserver.sqluri.
+
+        If this file does not exists, it would be created with a unique secret.
       '';
     };
   };
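Review bot: The option description in the `privateConfig` hunk is now stale and has a grammar slip: "If defined" no longer applies once the option has a default and the service creates the file itself, and "does not exists, it would be created" should read "does not exist, it will be created". Since this file is meant to hold secrets, the description should also say what the service guarantees about it, e.g. `The file is created owner-readable only (mode 0600) if it does not exist; if you supply your own file, make sure it is not world-readable.` It is worth keeping `types.str` rather than `types.path` here and noting it in the description: an option value that is (or interpolates) a Nix path literal is copied into the world-readable Nix store, which would defeat the purpose of the private config. The surrounding `options` attribute set starts before this hunk.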
@@ -120,10 +121,11 @@ in
       path = [ pkgs.pythonPackages.pasteScript pkgs.coreutils ];
       environment.PYTHONPATH = "${pkgs.pythonPackages.syncserver}/lib/${pkgs.pythonPackages.python.libPrefix}/site-packages";
       preStart = ''
-        if ! test -e ${syncServerSecretFile}; then
-          mkdir -p $(dirname ${syncServerSecretFile})
-          echo > ${syncServerSecretFile} '[syncserver]'
-          echo >> ${syncServerSecretFile} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
+        if ! test -e ${cfg.privateConfig}; then
+          umask u=rwx,g=x,o=x
+          mkdir -p $(dirname ${cfg.privateConfig})
+          echo > ${cfg.privateConfig} '[syncserver]'
+          echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
        fi
       '';
       serviceConfig.ExecStart = "paster serve ${syncServerIni}";
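Review bot: The `umask u=rwx,g=x,o=x` in `preStart` only protects a file that is created on this run; because of the `test -e` guard, a secret file that already exists with permissive mode (for instance one written by the previous version of this module, which had no umask) is left world-readable. A tighter fix is to enforce the mode unconditionally after the `fi`, e.g. `chmod u=rw,g=,o= ${cfg.privateConfig}`, and to quote the path in `mkdir -p "$(dirname ${cfg.privateConfig})"` so a path containing whitespace does not split. With this umask the new file is 0600 and the directory 0711, which is appropriate, but the user `preStart` runs as is not visible in this hunk: if it runs as root while the service runs as a dedicated user, a root-owned 0600 file will not be readable by the service, so the ownership should be set (or `serviceConfig.User` checked) accordingly. The enclosing `systemd.services.syncserver` definition starts and ends outside the hunk.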