From 380b52c737e7c180adb5e693195094d4d87013ab Mon Sep 17 00:00:00 2001
From: talyz
Date: Tue, 4 May 2021 16:20:19 +0200
Subject: [PATCH] nixos/keycloak: Use replace-secret to avoid leaking secrets

Using `replace-literal` to insert secrets leaks the secrets through the `replace-literal` process' `/proc//cmdline` file. `replace-secret` solves this by reading the secret straight from the file instead, which also simplifies the code a bit.
---
 nixos/modules/services/web-apps/keycloak.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 5b578cd8c4a9..e2e6df41dfaa 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -633,6 +633,9 @@ in
 after = databaseServices;
 bindsTo = databaseServices;
 wantedBy = [ "multi-user.target" ];
+ path = with pkgs; [
+ replace-secret
+ ];
 environment = {
 JBOSS_LOG_DIR = "/var/log/keycloak";
 JBOSS_BASE_DIR = "/run/keycloak";
@@ -653,8 +656,7 @@ in
 install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration
 install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml
- db_password="$(
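Review bot: In the first hunk, `path = with pkgs; [ replace-secret ];` opens a `with pkgs;` scope for a single element; `path = [ pkgs.replace-secret ];` says the same thing without the implicit scoping and reads more clearly next to the other service attributes. The service attribute set this hunk sits in starts and ends outside the hunk. Since `replace-secret` now reads each secret from a file at service start rather than taking it on the command line, the files named in the later `-653,8 +656,7` hunk presumably have to be readable by the user the unit runs as; that hunk is cut off in this view, so a short comment above `path` stating that requirement, e.g. `# replace-secret reads secrets from files at runtime; those files must be readable by the service user`, would help the next maintainer.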