nixos/nextcloud: put secrets into the environment of nextcloud-setup.service
The `$(</path/to/file)`-expansion appears verbatim in the cmdline of `nextcloud-occ` which means that an unprivileged user could find sensitive values (i.e. admin password & database password) by monitoring `/proc/<pid>/cmdline`. Now, these values don't appear in a command line anymore, but will be passed as environment variables to `nextcloud-occ`. (cherry picked from commit 9f37d6aee028679b8a94be59d74984e708acaa85)
This commit is contained in:
parent
e358eec704
commit
e33cbdc2de
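--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -522,14 +522,21 @@ in {
 ];
 '';
 occInstallCmd = let
-dbpass = if c.dbpassFile != null
-then ''"$(<"${toString c.dbpassFile}")"''
-else if c.dbpass != null
-then ''"${toString c.dbpass}"''
-else ''""'';
-adminpass = if c.adminpassFile != null
-then ''"$(<"${toString c.adminpassFile}")"''
-else ''"${toString c.adminpass}"'';
+mkExport = { arg, value }: "export ${arg}=${value}";
+dbpass = {
+arg = "DBPASS";
+value = if c.dbpassFile != null
+then ''"$(<"${toString c.dbpassFile}")"''
+else if c.dbpass != null
+then ''"${toString c.dbpass}"''
+else ''""'';
+};
+adminpass = {
+arg = "ADMINPASS";
+value = if c.adminpassFile != null
+then ''"$(<"${toString c.adminpassFile}")"''
+else ''"${toString c.adminpass}"'';
+};
 installFlags = concatStringsSep " \\\n "
 (mapAttrsToList (k: v: "${k} ${toString v}") {
 "--database" = ''"${c.dbtype}"'';
@@ -540,12 +547,14 @@ in {
 ${if c.dbhost != null then "--database-host" else null} = ''"${c.dbhost}"'';
 ${if c.dbport != null then "--database-port" else null} = ''"${toString c.dbport}"'';
 ${if c.dbuser != null then "--database-user" else null} = ''"${c.dbuser}"'';
-"--database-pass" = dbpass;
+"--database-pass" = "\$${dbpass.arg}";
 "--admin-user" = ''"${c.adminuser}"'';
-"--admin-pass" = adminpass;
+"--admin-pass" = "\$${adminpass.arg}";
 "--data-dir" = ''"${cfg.home}/data"'';
 });
 in ''
+${mkExport dbpass}
+${mkExport adminpass}
 ${occ}/bin/nextcloud-occ maintenance:install \
 ${installFlags}
 '';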
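Review bot: In the second hunk the password arguments are now passed to the shell unquoted — `"--database-pass" = "\$${dbpass.arg}";` renders as `--database-pass $DBPASS`, so a value containing whitespace or glob characters is word-split and globbed, and the empty fallback (`else ''""''` for `dbpass`) leaves `--database-pass` with no argument at all, whereas every branch of the old `dbpass`/`adminpass` values produced a double-quoted string. Keeping the environment-variable approach but restoring the quoting is a two-line change: `"--database-pass" = "\"\$${dbpass.arg}\"";` and `"--admin-pass" = "\"\$${adminpass.arg}\"";`. The `export` lines themselves achieve the stated goal: the `$(<file)` read now happens inside a shell variable assignment rather than in the argv of `nextcloud-occ`, and the resulting environment is only readable by the process owner and root. The `occInstallCmd` let binding opens in the first hunk and closes with the `'';` at the end of the second.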