diff options
author | Maximilian Bosch <maximilian@mbosch.me> | 2022-10-09 09:31:48 +0200 |
---|---|---|
committer | Maximilian Bosch <maximilian@mbosch.me> | 2022-10-09 09:31:48 +0200 |
commit | 4fd75277dd383abfa0d8719306b1fbe18c024366 (patch) | |
tree | 553922ffb4d3079c806ea63e66bd0f8ceea83066 /nixos/modules/services/networking | |
parent | d052fcf0eda1c13715d6eec87b017c14d753b17a (diff) |
nixos/coturn: refactor secret injection
The original implementation had a few issues: * The secret was briefly leaked since it is part of the cmdline for `sed(1)` and on Linux `cmdline` is world-readable. * If the secret would contain either a `,` or a `"` it would mess with the `sed(1)` expression itself unless you apply messy escape hacks. To circumvent all of that, I decided to use `replace-secret` which allows you to replace a string inside a file (in this case `#static-auth-secret#`) with the contents of a file, i.e. `cfg.static-auth-secret-file` without any of these issues.
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/coturn.nix | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/coturn.nix b/nixos/modules/services/networking/coturn.nix index 4d83d2d48e377..2f34a72377ce2 100644 --- a/nixos/modules/services/networking/coturn.nix +++ b/nixos/modules/services/networking/coturn.nix @@ -335,9 +335,10 @@ in { preStart = '' cat ${configFile} > ${runConfig} ${optionalString (cfg.static-auth-secret-file != null) '' - STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)" - sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \ - -i ${runConfig} + ${pkgs.replace-secret}/bin/replace-secret \ + "#static-auth-secret#" \ + ${cfg.static-auth-secret-file} \ + ${runConfig} '' } chmod 640 ${runConfig} ''; |