diff options
| author | Maximilian Bosch <maximilian@mbosch.me> | 2022-07-20 20:21:16 +0200 |
|---|---|---|
| committer | Maximilian Bosch <maximilian@mbosch.me> | 2022-07-20 20:29:38 +0200 |
| commit | 92bd77e85e024c4a58e00cb9f6ff1e6e501ddf02 (patch) | |
| tree | bd03009c5de789c111f8904cbd10bfa0864b43b8 /nixos/modules/services/monitoring | |
| parent | 590e60d124fb93934d03e8c740ca738657cc1816 (diff) | |
nixos/prometheus-mail-exporter: umask to avoid accidental world-readability
Diffstat (limited to 'nixos/modules/services/monitoring')
| -rw-r--r-- | nixos/modules/services/monitoring/prometheus/exporters/mail.nix | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix index c0b8b3570c074..a60f47f63932a 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix @@ -174,7 +174,10 @@ in EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ]; RuntimeDirectory = "prometheus-mail-exporter"; ExecStartPre = [ - "${pkgs.envsubst}/bin/envsubst -i ${configFile} -o \${RUNTIME_DIRECTORY}/mail-exporter.json" + "${pkgs.writeShellScript "subst-secrets-mail-exporter" '' + umask 0077 + ${pkgs.envsubst}/bin/envsubst -i ${configFile} -o ''${RUNTIME_DIRECTORY}/mail-exporter.json + ''}" ]; ExecStart = '' ${pkgs.prometheus-mail-exporter}/bin/mailexporter \ |