authortalyz <kim.lindberger@gmail.com>2022-02-01 17:29:05 +0100
committertalyz <kim.lindberger@gmail.com>2022-02-02 12:27:18 +0100
commitbe97b3b44d9e93a473db41056d09d22689ed115f (patch)
treefaf9294175d082474727876ea887368a507e19c5 /nixos/modules/services/web-apps
parentefeefb2af1469a5d1f0ae7ca8f0dfd9bb87d5cfb (diff)
nixos/bookstack: Make secret replacement strings more unique
If one secret path is a substring of a second secret path, there's a risk
that its secret is substituted for the matching part of the second
path. To prevent this, use the sha256 of the paths as placeholder
strings instead.
Diffstat (limited to 'nixos/modules/services/web-apps')
-rw-r--r--nixos/modules/services/web-apps/bookstack.nix4
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/services/web-apps/bookstack.nix b/nixos/modules/services/web-apps/bookstack.nix
index 54eaea63b6eb..64a2767fab6e 100644
--- a/nixos/modules/services/web-apps/bookstack.nix
+++ b/nixos/modules/services/web-apps/bookstack.nix
@@ -385,13 +385,13 @@ in {
                 else if isString v then v
                 else if true  == v then "true"
                 else if false == v then "false"
-                else if isSecret v then v._secret
+                else if isSecret v then hashString "sha256" v._secret
                 else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
             };
           };
           secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.config);
           mkSecretReplacement = file: ''
-            replace-secret ${escapeShellArgs [ file file "${cfg.dataDir}/.env" ]}
+            replace-secret ${escapeShellArgs [ (builtins.hashString "sha256" file) file "${cfg.dataDir}/.env" ]}
           '';
           secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
           filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ {} null ])) cfg.config;
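Review bot: The placeholder is now computed at two sites that must stay byte-identical for replace-secret to find anything — `hashString "sha256" v._secret` on the new side of the first change and `builtins.hashString "sha256" file` in mkSecretReplacement — yet nothing in the hunk ties them together, so a later edit to one site would silently leave the literal digest in `.env` instead of the secret. A single helper in the enclosing `let` (whose header is outside the hunk), e.g. `mkSecretPlaceholder = path: builtins.hashString "sha256" path;`, used as `else if isSecret v then mkSecretPlaceholder v._secret` and `replace-secret ${escapeShellArgs [ (mkSecretPlaceholder file) file "${cfg.dataDir}/.env" ]}`, would remove the duplication. The two spellings (`hashString` vs `builtins.hashString`) also suggest the first relies on a scope import that is not visible here; using the qualified form in both places avoids depending on it. A one-line comment on the helper, such as `# Fixed-length sha256 digests cannot be substrings of one another, so one secret path can no longer clobber part of another's placeholder`, would keep the rationale from the commit message next to the code.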