author | Philip Potter <philip.g.potter@gmail.com> | 2015-03-16 22:42:22 +0000 |
committer | Philip Potter <philip.g.potter@gmail.com> | 2015-03-16 22:42:22 +0000 |
commit | 7ad6dac43b5e152957f5b438fbf896af00173ee3 (patch) | |
tree | 3f8566e0597925aa407e23872917cc8022b26062 /nixos/modules/services | |
parent | 51a8a43dfc3214d0f7db1f01ef95eaa26a266025 (diff) | |
owncloud: don't store plaintext adminPassword in nix store
Rather than using openssl to hash the password at build time, and hence leaving the plaintext password world-readable in the nix store, we can instead hash the password in the nix expression itself using builtins.hashString.
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/web-servers/apache-httpd/owncloud.nix | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/nixos/modules/services/web-servers/apache-httpd/owncloud.nix b/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
index 3bea3c3ee1dd..a5e539bc9ba7 100644
--- a/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
@@ -384,8 +384,7 @@ rec {
 };
 adminPassword = mkOption {
- description = "The admin password for accessing owncloud.
- Warning: this is stored in cleartext in the Nix store!";
+ description = "The admin password for accessing owncloud.";
 };
 dbType = mkOption {
@@ -571,7 +570,7 @@ rec {
 chown wwwrun:wwwrun ${config.dataDir}/owncloud.log || true
- QUERY="INSERT INTO groups (gid) values('admin'); INSERT INTO users (uid,password) values('${config.adminUser}','`echo -n "${config.adminPassword}" | ${pkgs.openssl}/bin/openssl dgst -sha1 | ${pkgs.gawk}/bin/awk '{print $2}'`'); INSERT INTO group_user (gid,uid) values('admin','${config.adminUser}');"
+ QUERY="INSERT INTO groups (gid) values('admin'); INSERT INTO users (uid,password) values('${config.adminUser}','${builtins.hashString "sha1" config.adminPassword}'); INSERT INTO group_user (gid,uid) values('admin','${config.adminUser}');"
 ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/psql -h "/tmp" -U postgres -d ${config.dbName} -Atw -c "$QUERY" || true
 '';
 }
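Review bot: The new `${builtins.hashString "sha1" config.adminPassword}` in the QUERY line still places a derived secret in the world-readable Nix store: the generated script now contains an unsalted SHA-1 hex digest of the admin password, which is cheap to reverse offline for any weak or common password, so the first hunk's removal of the store-exposure warning from the option description goes too far. I would keep a shorter warning there, e.g. `description = "The admin password for accessing owncloud. Note: an unsalted SHA-1 hash of this password ends up in the Nix store.";`. The change is still an improvement over the removed line, which embedded the plaintext in the script and additionally passed it through an `echo`/`openssl` pipeline at activation time. The value written to the users table is unchanged in format (the same bare SHA-1 hex the old openssl pipeline produced), so whether ownCloud accepts that column value is presumably unaffected by this commit; the shell script this hunk belongs to starts outside the hunk.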