From 92bd77e85e024c4a58e00cb9f6ff1e6e501ddf02 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Wed, 20 Jul 2022 20:21:16 +0200
Subject: nixos/prometheus-mail-exporter: umask to avoid accidental world-readability

---
 nixos/modules/services/monitoring/prometheus/exporters/mail.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'nixos')

diff --git a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
index c0b8b3570c074..a60f47f63932a 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
@@ -174,7 +174,10 @@ in
 EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
 RuntimeDirectory = "prometheus-mail-exporter";
 ExecStartPre = [
- "${pkgs.envsubst}/bin/envsubst -i ${configFile} -o \${RUNTIME_DIRECTORY}/mail-exporter.json"
+ "${pkgs.writeShellScript "subst-secrets-mail-exporter" ''
+ umask 0077
+ ${pkgs.envsubst}/bin/envsubst -i ${configFile} -o ''${RUNTIME_DIRECTORY}/mail-exporter.json
+ ''}"
 ];
 ExecStart = ''
 ${pkgs.prometheus-mail-exporter}/bin/mailexporter \
-- 
cgit 1.4.1
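Review bot: The `umask 0077` in the new wrapper script only narrows the mode of mail-exporter.json at the moment envsubst creates it; the `RuntimeDirectory = "prometheus-mail-exporter";` context line two lines above still leaves the directory itself at systemd's default RuntimeDirectoryMode (presumably 0755), so the filename remains listable by everyone and a file that already exists at that path keeps its earlier mode, since umask never alters existing files. For defense in depth I would add `RuntimeDirectoryMode = "0700";` next to the RuntimeDirectory line, which protects the rendered file regardless of how it is (re)created. The hunk also gives no hint why the umask is there; a comment above the writeShellScript line such as `# the rendered JSON embeds secrets substituted from cfg.environmentFile; keep it owner-only` would save the next reader a trip to the git log. The enclosing serviceConfig attribute set starts and ends outside the hunk.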