nixos/jenkins-job-builder: create secret file with umask 0077

IOW, don't make it world readable.
author: Bjørn Forsman <bjorn.forsman@gmail.com> 2022-07-17 14:53:22 +0200
committer: Bjørn Forsman <bjorn.forsman@gmail.com> 2022-07-17 15:24:48 +0200
commit: 0080a93cdf255b27e466116250b14b2bcd7b843b (patch)
tree: 2104cc3785331811175e7883c74ecec10bc30f06 /nixos/modules
parent: b2205469bcc230934b03a1bcb01dcd9a2192fa23 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/services/continuous-integration/jenkins/job-builder.nix b/nixos/modules/services/continuous-integration/jenkins/job-builder.nix
index deabeec0b295c..edbf31f5ca1a3 100644
--- a/nixos/modules/services/continuous-integration/jenkins/job-builder.nix
+++ b/nixos/modules/services/continuous-integration/jenkins/job-builder.nix
@@ -165,7 +165,7 @@ in {
             jenkins_url="http://${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}"
             auth_file="$RUNTIME_DIRECTORY/jenkins_auth_file.txt"
             trap 'rm -f "$auth_file"' EXIT
-            printf "${cfg.accessUser}:@password_placeholder@" >"$auth_file"
+            (umask 0077; printf "${cfg.accessUser}:@password_placeholder@" >"$auth_file")
             "${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "$access_token_file" "$auth_file"
 
             if ! "${pkgs.jenkins}/bin/jenkins-cli" -s "$jenkins_url" -auth "@$auth_file" reload-configuration; then
author	Bjørn Forsman <bjorn.forsman@gmail.com>	2022-07-17 14:53:22 +0200
committer	Bjørn Forsman <bjorn.forsman@gmail.com>	2022-07-17 15:24:48 +0200
commit	0080a93cdf255b27e466116250b14b2bcd7b843b (patch)
tree	2104cc3785331811175e7883c74ecec10bc30f06 /nixos/modules
parent	b2205469bcc230934b03a1bcb01dcd9a2192fa23 (diff)