nixos/keycloak: Use replace-secret to avoid leaking secrets

Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.

nixos/modules/services/web-apps/keycloak.nix

@@ -633,6 +633,9 @@ in
             after = databaseServices;
             bindsTo = databaseServices;
             wantedBy = [ "multi-user.target" ];
+            path = with pkgs; [
+              replace-secret
+            ];
             environment = {
               JBOSS_LOG_DIR = "/var/log/keycloak";
               JBOSS_BASE_DIR = "/run/keycloak";
@@ -653,8 +656,7 @@ in
                   install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration
                   install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml
 
-                  db_password="$(</run/keycloak/secrets/db_password)"
+                  replace-secret '@db-password@' '/run/keycloak/secrets/db_password' /run/keycloak/configuration/standalone.xml
-                  ${pkgs.replace}/bin/replace-literal -fe '@db-password@' "$db_password" /run/keycloak/configuration/standalone.xml
 
                   export JAVA_OPTS=-Djboss.server.config.user.dir=/run/keycloak/configuration
                   ${cfg.package}/bin/add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}'