| author | talyz <kim.lindberger@gmail.com> | 2022-02-01 17:29:05 +0100 |
|---|---|---|
| committer | talyz <kim.lindberger@gmail.com> | 2022-02-02 12:27:18 +0100 |
| commit | be97b3b44d9e93a473db41056d09d22689ed115f (patch) | |
| tree | faf9294175d082474727876ea887368a507e19c5 /nixos/modules/services/web-apps | |
| parent | efeefb2af1469a5d1f0ae7ca8f0dfd9bb87d5cfb (diff) | |
nixos/bookstack: Make secret replacement strings more unique
If a secret path is a subset of a second secret path, there's a risk that its secret is substituted for the matching part of the second path. To prevent this, use the sha256 of the paths as placeholder strings instead.
Diffstat (limited to 'nixos/modules/services/web-apps')
-rw-r--r-- | nixos/modules/services/web-apps/bookstack.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/services/web-apps/bookstack.nix b/nixos/modules/services/web-apps/bookstack.nix index 54eaea63b6eb..64a2767fab6e 100644 --- a/nixos/modules/services/web-apps/bookstack.nix +++ b/nixos/modules/services/web-apps/bookstack.nix @@ -385,13 +385,13 @@ in { else if isString v then v else if true == v then "true" else if false == v then "false" - else if isSecret v then v._secret + else if isSecret v then hashString "sha256" v._secret else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}"; }; }; secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.config); mkSecretReplacement = file: '' - replace-secret ${escapeShellArgs [ file file "${cfg.dataDir}/.env" ]} + replace-secret ${escapeShellArgs [ (builtins.hashString "sha256" file) file "${cfg.dataDir}/.env" ]} ''; secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths; filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ {} null ])) cfg.config; |
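Review bot: the two call sites spell the hash function differently, `hashString "sha256" v._secret` in the config serializer and `builtins.hashString "sha256" file` in `mkSecretReplacement`; unless `hashString` is already brought into scope unqualified earlier in the file, the first line will fail to evaluate, and even if it is, using the same spelling in both places makes it easy to confirm that the placeholder written into `.env` and the string `replace-secret` searches for are computed identically. The approach itself is sound: a hex SHA-256 digest is fixed-length, so one placeholder can no longer be a prefix or substring of another, which is exactly the mis-substitution hazard the commit message describes, and the digest contains no shell metacharacters even before `escapeShellArgs` is applied. A one-line comment next to `mkSecretReplacement` stating why the path is hashed rather than used directly would save the next reader a trip to the git log.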