nixos/gitlab: Use replace-secret to avoid leaking secrets
Using `replace-literal` to insert secrets leaks the secrets through the `replace-literal` process's `/proc/<pid>/cmdline` file. `replace-secret` solves this by reading the secret straight from the file instead, which also simplifies the code a bit.
parent
38398fade1
commit
7842e89bfc
@ -952,7 +952,7 @@ in {
|
|||||||
path = with pkgs; [
|
path = with pkgs; [
|
||||||
jq
|
jq
|
||||||
openssl
|
openssl
|
||||||
replace
|
replace-secret
|
||||||
git
|
git
|
||||||
];
|
];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
@ -994,8 +994,7 @@ in {
|
|||||||
${optionalString cfg.smtp.enable ''
|
${optionalString cfg.smtp.enable ''
|
||||||
install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb
|
install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb
|
||||||
${optionalString (cfg.smtp.passwordFile != null) ''
|
${optionalString (cfg.smtp.passwordFile != null) ''
|
||||||
smtp_password=$(<'${cfg.smtp.passwordFile}')
|
replace-secret '@smtpPassword@' '${cfg.smtp.passwordFile}' '${cfg.statePath}/config/initializers/smtp_settings.rb'
|
||||||
replace-literal -e '@smtpPassword@' "$smtp_password" '${cfg.statePath}/config/initializers/smtp_settings.rb'
|
|
||||||
''}
|
''}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
|
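Review bot: The `replace-secret '@smtpPassword@' '${cfg.smtp.passwordFile}' …` line changes how a trailing newline in the password file is treated: the removed `$(<'${cfg.smtp.passwordFile}')` stripped trailing newlines, whereas replace-secret reads the file itself, so unless replace-secret strips the newline (not visible in this hunk) a password file ending in `\n` now produces a Ruby string with an embedded newline — worth confirming against replace-secret's implementation and, if needed, stating the expected file format in the `cfg.smtp.passwordFile` option description. The preceding `install -m u=rw` is what keeps smtp_settings.rb owner-only, and that mode survives only if replace-secret rewrites the file in place rather than creating a new one; if it creates a new file the mode follows the umask and the password could become readable by other local users, so confirm this and otherwise re-apply `chmod u=rw` after the call. `${cfg.smtp.passwordFile}` is still spliced into a single-quoted shell word, so a path containing `'` breaks the command; this is unchanged from the old code but could be hardened with `${escapeShellArg cfg.smtp.passwordFile}`, assuming the file's `optionalString` comes from a `with lib;` scope that also provides escapeShellArg. The enclosing script block starts and ends outside the hunk.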