From 568dede67c032d0a8f96100530306c3fecc8d4c4 Mon Sep 17 00:00:00 2001
From: Ryan Mulligan
Date: Mon, 31 Aug 2020 22:18:47 -0700
Subject: [PATCH] don't expose decrypted secret during installation
---
 modules/age.nix | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/modules/age.nix b/modules/age.nix
index 22a9327..4ec6f3b 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -61,10 +61,11 @@ let
 identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
 installSecret = secretType: ''
- rm -f "${secretType.path}"
- ${pkgs.age}/bin/age --decrypt ${identities} -o "${secretType.path}" "${secretType.file}"
- chmod ${secretType.mode} "${secretType.path}"
- chown ${secretType.owner}:${secretType.group} "${secretType.path}"
+ TMP_DIR=$(mktemp -d)
+ TMP_FILE="$TMP_DIR/file"
+ (umask 0400; ${pkgs.age}/bin/age --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")
+ install -o '${secretType.owner}' -g '${secretType.group}' -m '${secretType.mode}' "$TMP_FILE" '${secretType.path}'
+ rm -rf "$TMP_DIR"
 '';
 installAllSecrets = builtins.concatStringsSep (map installSecret (builtins.attrValues cfg.secrets));
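Review bot: `umask 0400` on the added decrypt line clears the owner-read bit but leaves every group/other permission bit in place, so the decrypted temporary file is created readable by other users and the window this commit sets out to close is still open at the file level; it should be `(umask 077; ${pkgs.age}/bin/age --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")`, which masks all group and other bits. The directory from `mktemp -d` is normally created 0700, which is what currently keeps other users away from the file, so the exposure is contained, but the umask value is still wrong and deserves a short comment such as `# plaintext must never be group/other readable` next to it. Two smaller points: `mktemp -d` honours `$TMPDIR` and otherwise falls back to `/tmp`, which may be disk-backed, so the plaintext can touch persistent storage during activation and passing `-p` with a tmpfs location would avoid that; and if age or `install` fails, `rm -rf "$TMP_DIR"` is skipped and the plaintext is left behind, so a `trap`-based cleanup or an explicit exit-status check before `install` would be safer (bearing in mind every secret's snippet runs in the same shell). The enclosing `let` block starts outside the hunk.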