Unverified Commit 4fd75277 authored by Maximilian Bosch

nixos/coturn: refactor secret injection

The original implementation had a few issues:

* The secret was briefly leaked since it is part of the cmdline for
  `sed(1)` and on Linux `cmdline` is world-readable.
* If the secret would contain either a `,` or a `"` it would mess with
  the `sed(1)` expression itself unless you apply messy escape hacks.

To circumvent all of that, I decided to use `replace-secret` which
allows you to replace a string inside a file (in this case
`#static-auth-secret#`) with the contents of a file, i.e.
`cfg.static-auth-secret-file` without any of these issues.

parent d052fcf0
+4 −3
@@ -335,9 +335,10 @@ in {
        preStart = ''
          cat ${configFile} > ${runConfig}
          ${optionalString (cfg.static-auth-secret-file != null) ''
            STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)"
            sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \
              -i ${runConfig}
            ${pkgs.replace-secret}/bin/replace-secret \
              "#static-auth-secret#" \
              ${cfg.static-auth-secret-file} \
              ${runConfig}
          '' }
          chmod 640 ${runConfig}
        '';
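
Review bot: `chmod 640 ${runConfig}` at the end of `preStart` still runs only after the secret has been written, so between `cat ${configFile} > ${runConfig}` and that chmod the file carries whatever mode the umask gave it, unless it already existed with a tighter mode. Consider setting a restrictive umask at the top of `preStart`, or creating `${runConfig}` with mode 640 before the `replace-secret` call. The removed code also read only the first line of the secret file with `head -n1`, while `replace-secret` is handed the whole file, so the option description should say how a multi-line file or a trailing newline is treated now. Finally, `${cfg.static-auth-secret-file}` and `${runConfig}` are passed unquoted, so a path containing whitespace would be split into several arguments.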