diff options
author | Nick Cao <nickcao@nichi.co> | 2024-01-21 14:48:40 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-21 14:48:40 -0500 |
commit | 9969fb7ff4e813e8659485f340238be42447e6e3 (patch) | |
tree | 0af274a35d7478e75fe2755c4657c3e65468be54 /nixos/modules/services/web-servers | |
parent | 71ef6600a9668a897374cbd541390e8429bfcfb3 (diff) | |
parent | c34493d7c0a1edbcc028d34941f0807b5255f338 (diff) |
Merge pull request #281904 from Stunkymonkey/ttyd-fix-leakage
ttyd: add test & use systemd LoadCredential
Diffstat (limited to 'nixos/modules/services/web-servers')
-rw-r--r-- | nixos/modules/services/web-servers/ttyd.nix | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/nixos/modules/services/web-servers/ttyd.nix b/nixos/modules/services/web-servers/ttyd.nix index 3b1d87ccb483e..e545869ca4320 100644 --- a/nixos/modules/services/web-servers/ttyd.nix +++ b/nixos/modules/services/web-servers/ttyd.nix @@ -180,10 +180,11 @@ in # Runs login which needs to be run as root # login: Cannot possibly work without effective root User = "root"; + LoadCredential = lib.optionalString (cfg.passwordFile != null) "TTYD_PASSWORD_FILE:${cfg.passwordFile}"; }; script = if cfg.passwordFile != null then '' - PASSWORD=$(cat ${escapeShellArg cfg.passwordFile}) + PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/TTYD_PASSWORD_FILE") ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \ --credential ${escapeShellArg cfg.username}:"$PASSWORD" \ ${pkgs.shadow}/bin/login |