nixos/mxisd: umask to avoid accidental world-readability

2022-07-20 20:15:53 +02:00 · 2022-07-20 20:15:53 +02:00 · 590e60d124
commit 590e60d124
parent 81add6600c
1 changed files with 1 additions and 0 deletions
--- a/nixos/modules/services/networking/mxisd.nix
+++ b/nixos/modules/services/networking/mxisd.nix
@ -130,6 +130,7 @@ in {
        EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
        ExecStart = "${cfg.package}/bin/${executable} -c ${cfg.dataDir}/mxisd-config.yaml";
        ExecStartPre = "${pkgs.writeShellScript "mxisd-substitute-secrets" ''
+          umask 0077
          ${pkgs.envsubst}/bin/envsubst -o ${cfg.dataDir}/mxisd-config.yaml \
            -i ${configFile}
        ''}";