nixos/gitlab: Use replace-secret to avoid leaking secrets

Using `replace-literal` to insert secrets leaks the secrets through
the `replace-literal` process' `/proc/<pid>/cmdline`
file. `replace-secret` solves this by reading the secret straight from
the file instead, which also simplifies the code a bit.
This commit is contained in:
talyz 2021-05-04 16:10:23 +02:00
parent 38398fade1
commit 7842e89bfc
No known key found for this signature in database
GPG Key ID: 2DED2151F4671A2B


@ -952,7 +952,7 @@ in {
path = with pkgs; [
jq
openssl
replace
replace-secret
git
];
serviceConfig = {
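Review bot: dropping `replace` from `path` in this hunk is only safe if this is the last `replace-literal` caller in the unit; the diff shows a single call site being converted (the smtp password in the next hunk), so confirm no other `replace-literal` invocations remain in the module, otherwise the preStart script fails at runtime with "command not found" once the package is gone from PATH.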
@ -994,8 +994,7 @@ in {
${optionalString cfg.smtp.enable ''
install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb
${optionalString (cfg.smtp.passwordFile != null) ''
smtp_password=$(<'${cfg.smtp.passwordFile}')
replace-literal -e '@smtpPassword@' "$smtp_password" '${cfg.statePath}/config/initializers/smtp_settings.rb'
replace-secret '@smtpPassword@' '${cfg.smtp.passwordFile}' '${cfg.statePath}/config/initializers/smtp_settings.rb'
''}
''}
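Review bot: the argument order of the new call deserves a one-line comment, since the second and third arguments are both file paths and easy to swap: `replace-secret '@smtpPassword@' '${cfg.smtp.passwordFile}' '${cfg.statePath}/config/initializers/smtp_settings.rb'` takes the placeholder, then the file holding the secret, then the target file to rewrite. The ordering of the hunk itself is sound: `install -m u=rw` creates the target with the restricted mode before the secret is written into it, and removing the `smtp_password=$(<...)` line means the secret no longer passes through a shell variable or through argv, which is what the commit message sets out to fix.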