nixos/searx: set settings.yml permissions using umask

This should solve a leakage of secrets as suggested in #121293
This commit is contained in:
rnhmjoj 2021-05-02 15:47:13 +02:00
parent aacbc7385c
commit 9ea6c1979c
No known key found for this signature in database
GPG Key ID: BFBAF4C975F76450
1 changed files with 8 additions and 6 deletions


@ -4,23 +4,25 @@ with lib;
let let
runDir = "/run/searx"; runDir = "/run/searx";
cfg = config.services.searx; cfg = config.services.searx;
settingsFile = pkgs.writeText "settings.yml"
(builtins.toJSON cfg.settings);
generateConfig = '' generateConfig = ''
cd ${runDir} cd ${runDir}
# write NixOS settings as JSON # write NixOS settings as JSON
cat <<'EOF' > settings.yml (
${builtins.toJSON cfg.settings} umask 077
EOF cp --no-preserve=mode ${settingsFile} settings.yml
)
# substitute environment variables # substitute environment variables
env -0 | while IFS='=' read -r -d ''' n v; do env -0 | while IFS='=' read -r -d ''' n v; do
sed "s#@$n@#$v#g" -i settings.yml sed "s#@$n@#$v#g" -i settings.yml
done done
# set strict permissions
chmod 400 settings.yml
''; '';
settingType = with types; (oneOf settingType = with types; (oneOf