nixos/gitea: set umask for secret creation
This ensures that newly created secrets will have the permissions `0640`. With this change it's ensured that no sensitive information will be word-readable at any time. Related to #121293. Strictly speaking this is a breaking change since each new directory (including data-files) aren't world-readable anymore, but actually these shouldn't be, unless there's a good reason for it.
This commit is contained in:
parent
c8dff328e5
commit
02c3bd2187
@ -477,47 +477,49 @@ in
|
||||
in ''
|
||||
# copy custom configuration and generate a random secret key if needed
|
||||
${optionalString (cfg.useWizard == false) ''
|
||||
cp -f ${configFile} ${runConfig}
|
||||
function gitea_setup {
|
||||
cp -f ${configFile} ${runConfig}
|
||||
|
||||
if [ ! -e ${secretKey} ]; then
|
||||
${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
|
||||
fi
|
||||
if [ ! -e ${secretKey} ]; then
|
||||
${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
|
||||
fi
|
||||
|
||||
# Migrate LFS_JWT_SECRET filename
|
||||
if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then
|
||||
mv ${oldLfsJwtSecret} ${lfsJwtSecret}
|
||||
fi
|
||||
# Migrate LFS_JWT_SECRET filename
|
||||
if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then
|
||||
mv ${oldLfsJwtSecret} ${lfsJwtSecret}
|
||||
fi
|
||||
|
||||
if [ ! -e ${oauth2JwtSecret} ]; then
|
||||
${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret}
|
||||
fi
|
||||
if [ ! -e ${oauth2JwtSecret} ]; then
|
||||
${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret}
|
||||
fi
|
||||
|
||||
if [ ! -e ${lfsJwtSecret} ]; then
|
||||
${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret}
|
||||
fi
|
||||
if [ ! -e ${lfsJwtSecret} ]; then
|
||||
${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret}
|
||||
fi
|
||||
|
||||
if [ ! -e ${internalToken} ]; then
|
||||
${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
|
||||
fi
|
||||
if [ ! -e ${internalToken} ]; then
|
||||
${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
|
||||
fi
|
||||
|
||||
SECRETKEY="$(head -n1 ${secretKey})"
|
||||
DBPASS="$(head -n1 ${cfg.database.passwordFile})"
|
||||
OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})"
|
||||
LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})"
|
||||
INTERNALTOKEN="$(head -n1 ${internalToken})"
|
||||
${if (cfg.mailerPasswordFile == null) then ''
|
||||
MAILERPASSWORD="#mailerpass#"
|
||||
'' else ''
|
||||
MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
|
||||
''}
|
||||
sed -e "s,#secretkey#,$SECRETKEY,g" \
|
||||
-e "s,#dbpass#,$DBPASS,g" \
|
||||
-e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
|
||||
-e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
|
||||
-e "s,#internaltoken#,$INTERNALTOKEN,g" \
|
||||
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
|
||||
-i ${runConfig}
|
||||
chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken}
|
||||
SECRETKEY="$(head -n1 ${secretKey})"
|
||||
DBPASS="$(head -n1 ${cfg.database.passwordFile})"
|
||||
OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})"
|
||||
LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})"
|
||||
INTERNALTOKEN="$(head -n1 ${internalToken})"
|
||||
${if (cfg.mailerPasswordFile == null) then ''
|
||||
MAILERPASSWORD="#mailerpass#"
|
||||
'' else ''
|
||||
MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
|
||||
''}
|
||||
sed -e "s,#secretkey#,$SECRETKEY,g" \
|
||||
-e "s,#dbpass#,$DBPASS,g" \
|
||||
-e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
|
||||
-e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
|
||||
-e "s,#internaltoken#,$INTERNALTOKEN,g" \
|
||||
-e "s,#mailerpass#,$MAILERPASSWORD,g" \
|
||||
-i ${runConfig}
|
||||
}
|
||||
(umask 027; gitea_setup)
|
||||
''}
|
||||
|
||||
# update all hooks' binary paths
|
||||
|
Loading…
Reference in New Issue
Block a user