Firefox Sync Server: Create the private config file as non-world readable.

2014-12-12 22:14:21 +01:00 · 2014-12-12 22:14:21 +01:00 · 1a1fc17957
commit 1a1fc17957
parent a0154145d5
1 changed files with 11 additions and 9 deletions
--- a/nixos/modules/services/networking/firefox/sync-server.nix
+++ b/nixos/modules/services/networking/firefox/sync-server.nix
@ -4,10 +4,9 @@ with lib;

 let
  cfg = config.services.firefox.syncserver;
-  syncServerSecretFile = "/etc/firefox/syncserver-secret.ini";
  syncServerIni = pkgs.writeText "syncserver.ini" ''
    [DEFAULT]
-    overrides = ${cfg.privateConfig} ${syncServerSecretFile}
+    overrides = ${cfg.privateConfig}

    [server:main]
    use = egg:Paste#http
@ -100,12 +99,14 @@ in
      };

      privateConfig = mkOption {
-        type = types.separatedString " ";
-        default = "";
+        type = types.str;
+        default = "/etc/firefox/syncserver-secret.ini";
        description = ''
          If defined, this file would be used to set all fields which were omitted in the
          generated ini files used for configuring the syncserver.  This file is useful
-          for storing secrets, such as the syncserver.secret or the syncserver.sqluri
+          for storing secrets, such as the syncserver.secret or the syncserver.sqluri.
+
+          If this file does not exists, it would be created with a unique secret.
        '';
      };
    };
@ -120,10 +121,11 @@ in
      path = [ pkgs.pythonPackages.pasteScript pkgs.coreutils ];
      environment.PYTHONPATH = "${pkgs.pythonPackages.syncserver}/lib/${pkgs.pythonPackages.python.libPrefix}/site-packages";
      preStart = ''
-        if ! test -e ${syncServerSecretFile}; then
-          mkdir -p $(dirname ${syncServerSecretFile})
-          echo  > ${syncServerSecretFile} '[syncserver]'
-          echo >> ${syncServerSecretFile} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
+        if ! test -e ${cfg.privateConfig}; then
+          umask u=rwx,g=x,o=x
+          mkdir -p $(dirname ${cfg.privateConfig})
+          echo  > ${cfg.privateConfig} '[syncserver]'
+          echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
        fi
      '';
      serviceConfig.ExecStart = "paster serve ${syncServerIni}";