nixos/searx: set settings.yml permissions using umask

This should solve a leakage of secrets as suggested in #121293
This commit is contained in:
rnhmjoj 2021-05-02 15:47:13 +02:00
parent aacbc7385c
commit 9ea6c1979c
No known key found for this signature in database
GPG key ID: BFBAF4C975F76450

View file

@ -4,23 +4,25 @@ with lib;
let
runDir = "/run/searx";
cfg = config.services.searx;
settingsFile = pkgs.writeText "settings.yml"
(builtins.toJSON cfg.settings);
generateConfig = ''
cd ${runDir}
# write NixOS settings as JSON
cat <<'EOF' > settings.yml
${builtins.toJSON cfg.settings}
EOF
(
umask 077
cp --no-preserve=mode ${settingsFile} settings.yml
)
# substitute environment variables
env -0 | while IFS='=' read -r -d ''' n v; do
sed "s#@$n@#$v#g" -i settings.yml
done
# set strict permissions
chmod 400 settings.yml
'';
settingType = with types; (oneOf