author     Maximilian Bosch <maximilian@mbosch.me>  2022-10-09 09:31:48 +0200
committer  Maximilian Bosch <maximilian@mbosch.me>  2022-10-09 09:31:48 +0200
commit     4fd75277dd383abfa0d8719306b1fbe18c024366
tree       553922ffb4d3079c806ea63e66bd0f8ceea83066 /nixos/modules/services/networking
parent     d052fcf0eda1c13715d6eec87b017c14d753b17a
nixos/coturn: refactor secret injection
The original implementation had a few issues:

* The secret was briefly leaked since it is part of the cmdline for
  `sed(1)` and on Linux `cmdline` is world-readable.
* If the secret contained either a `,` or a `"`, it would mess with
  the `sed(1)` expression itself unless you applied messy escape hacks.

To circumvent all of that, I decided to use `replace-secret`, which
allows you to replace a string inside a file (in this case
`#static-auth-secret#`) with the contents of a file, i.e.
`cfg.static-auth-secret-file`, without any of these issues.
Diffstat (limited to 'nixos/modules/services/networking')
 -rw-r--r--  nixos/modules/services/networking/coturn.nix  7
 1 file changed, 4 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/coturn.nix b/nixos/modules/services/networking/coturn.nix
index 4d83d2d48e377..2f34a72377ce2 100644
--- a/nixos/modules/services/networking/coturn.nix
+++ b/nixos/modules/services/networking/coturn.nix
@@ -335,9 +335,10 @@ in {
         preStart = ''
           cat ${configFile} > ${runConfig}
           ${optionalString (cfg.static-auth-secret-file != null) ''
-            STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)"
-            sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \
-              -i ${runConfig}
+            ${pkgs.replace-secret}/bin/replace-secret \
+              "#static-auth-secret#" \
+              ${cfg.static-auth-secret-file} \
+              ${runConfig}
           '' }
           chmod 640 ${runConfig}
         '';
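Review bot: the secret is now written into `${runConfig}` before the `chmod 640 ${runConfig}` on the last context line runs, and the file is created by `cat ${configFile} > ${runConfig}` under whatever umask the unit's preStart inherits, so there is a short window in which the rendered config containing the secret can be more readable than intended; consider creating the file with a restrictive mode up front (for example `install -m 640 ${configFile} ${runConfig}`, or a `umask 077` at the top of preStart) and keeping the `chmod` as the final step. Two smaller points: the removed `head -n1 ${cfg.static-auth-secret-file} || :` silently tolerated a missing or unreadable secret file and only took its first line, whereas the new `replace-secret` invocation has no fallback, so such a file now aborts preStart instead of leaving the `#static-auth-secret#` placeholder in the config; that fail-closed behaviour is an improvement but deserves a sentence in the commit message. And `${cfg.static-auth-secret-file}` is still interpolated unquoted into the shell command (as before), so a path containing whitespace would be word-split; quoting it as `"${cfg.static-auth-secret-file}"` would be safer.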