nixos/nextcloud: put secrets into the environment of nextcloud-setup.service

The `$(</path/to/file)`-expansion appears verbatim in the cmdline of
`nextcloud-occ` which means that an unprivileged user could find
sensitive values (i.e. admin password & database password) by monitoring
`/proc/<pid>/cmdline`.

Now, these values don't appear in a command line anymore, but will be
passed as environment variables to `nextcloud-occ`.
This commit is contained in:
Maximilian Bosch 2021-10-06 17:34:48 +02:00
parent fb40526961
commit 9f37d6aee0
No known key found for this signature in database
GPG Key ID: 091DBF4D1FC46B8E

View File

@ -623,14 +623,21 @@ in {
];
'';
occInstallCmd = let
dbpass = if c.dbpassFile != null
then ''"$(<"${toString c.dbpassFile}")"''
else if c.dbpass != null
then ''"${toString c.dbpass}"''
else ''""'';
adminpass = if c.adminpassFile != null
then ''"$(<"${toString c.adminpassFile}")"''
else ''"${toString c.adminpass}"'';
mkExport = { arg, value }: "export ${arg}=${value}";
dbpass = {
arg = "DBPASS";
value = if c.dbpassFile != null
then ''"$(<"${toString c.dbpassFile}")"''
else if c.dbpass != null
then ''"${toString c.dbpass}"''
else ''""'';
};
adminpass = {
arg = "ADMINPASS";
value = if c.adminpassFile != null
then ''"$(<"${toString c.adminpassFile}")"''
else ''"${toString c.adminpass}"'';
};
installFlags = concatStringsSep " \\\n "
(mapAttrsToList (k: v: "${k} ${toString v}") {
"--database" = ''"${c.dbtype}"'';
@ -641,12 +648,14 @@ in {
${if c.dbhost != null then "--database-host" else null} = ''"${c.dbhost}"'';
${if c.dbport != null then "--database-port" else null} = ''"${toString c.dbport}"'';
${if c.dbuser != null then "--database-user" else null} = ''"${c.dbuser}"'';
"--database-pass" = dbpass;
"--database-pass" = "\$${dbpass.arg}";
"--admin-user" = ''"${c.adminuser}"'';
"--admin-pass" = adminpass;
"--admin-pass" = "\$${adminpass.arg}";
"--data-dir" = ''"${cfg.home}/data"'';
});
in ''
${mkExport dbpass}
${mkExport adminpass}
${occ}/bin/nextcloud-occ maintenance:install \
${installFlags}
'';