nixos/discourse: Use replace-secret to avoid leaking secrets

Using `replace-literal` to insert secrets leaks the secrets through the `replace-literal` process' `/proc/<pid>/cmdline` file. `replace-secret` solves this by reading the secret straight from the file instead, which also simplifies the code a bit.
2021-05-04 16:03:48 +02:00 · 2021-05-04 16:03:48 +02:00 · 38398fade1
commit 38398fade1
parent 27f8f6956a
1 changed files with 4 additions and 6 deletions
--- a/nixos/modules/services/web-apps/discourse.nix
+++ b/nixos/modules/services/web-apps/discourse.nix
@ -661,7 +661,7 @@ in
      ];
      path = cfg.package.runtimeDeps ++ [
        postgresqlPackage
-        pkgs.replace
+        pkgs.replace-secret
        cfg.package.rake
      ];
      environment = cfg.package.runtimeEnv // {
@ -688,10 +688,7 @@ in
          mkSecretReplacement = file:
            lib.optionalString (file != null) ''
-              (
+              replace-secret '${file}' '${file}' /run/discourse/config/discourse.conf
                  password=$(<'${file}')
                  replace-literal -fe '${file}' "$password" /run/discourse/config/discourse.conf
              )
            '';
        in ''
          set -o errexit -o pipefail -o nounset -o errtrace
@ -713,11 +710,12 @@ in
                  cfg.siteSettings
                  "/run/discourse/config/nixos_site_settings.json"
              }
-              install -T -m 0400 -o discourse ${discourseConf} /run/discourse/config/discourse.conf
+              install -T -m 0600 -o discourse ${discourseConf} /run/discourse/config/discourse.conf
              ${mkSecretReplacement cfg.database.passwordFile}
              ${mkSecretReplacement cfg.mail.outgoing.passwordFile}
              ${mkSecretReplacement cfg.redis.passwordFile}
              ${mkSecretReplacement cfg.secretKeyBaseFile}
              chmod 0400 /run/discourse/config/discourse.conf
          )
          discourse-rake db:migrate >>/var/log/discourse/db_migration.log