From 590e60d124fb93934d03e8c740ca738657cc1816 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Wed, 20 Jul 2022 20:15:53 +0200
Subject: [PATCH] nixos/mxisd: umask to avoid accidental world-readability
---
 nixos/modules/services/networking/mxisd.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nixos/modules/services/networking/mxisd.nix b/nixos/modules/services/networking/mxisd.nix
index 5b1e0dee8e35..1509671bc54a 100644
--- a/nixos/modules/services/networking/mxisd.nix
+++ b/nixos/modules/services/networking/mxisd.nix
@@ -130,6 +130,7 @@ in {
 EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
 ExecStart = "${cfg.package}/bin/${executable} -c ${cfg.dataDir}/mxisd-config.yaml";
 ExecStartPre = "${pkgs.writeShellScript "mxisd-substitute-secrets" ''
+ umask 0077
 ${pkgs.envsubst}/bin/envsubst -o ${cfg.dataDir}/mxisd-config.yaml \
 -i ${configFile}
 ''}";
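Review bot: The added `umask 0077` only sets the mode of files created after it, so a `mxisd-config.yaml` left world-readable by an earlier start would presumably keep that mode when envsubst rewrites it in place. Hosts upgrading from the previous module version would then still expose the substituted secrets until the file is removed or its mode is changed by hand. Consider tightening the mode explicitly after the envsubst call, e.g. `${pkgs.coreutils}/bin/chmod 0600 ${cfg.dataDir}/mxisd-config.yaml`, or deleting the old file before writing it. The surrounding serviceConfig block starts and ends outside the hunk, so it is not visible here whether `cfg.dataDir` itself is already restricted to the service user.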