Description
When using the NixOS module with the secrets as intended (by specifying a file containing the secret, see services.oxicloud.auth.jwtSecret.file), the secrets inside those files are read using builtins.readFile, meaning they are read at evaluation time and thus saved into the world-readable nix store, effectively leaking them to all programs on the system.
To Reproduce
Steps to reproduce the behavior:
- set
services.oxicloud.auth.jwtSecret.file (or similar options) to a file
- look into the generated
oxicloud-generated.env (which is publicly accessible)
- the secret from the file will be present there
Expected Behavior
The path to the secrets is referenced in the systemd service, and read at run-time.
Screenshots
Environment
irrelevant, current version of the nix module (https://github.com/AtalayaLabs/OxiCloud/blob/a05e99175f24b17f9430e7df072d7a4cd522c454/tools/nix/module.nix)
Additional Context
Add any other context about the problem here.
Possible Solution
Use either systemd-creds to get the credentials in systemd before the service is even started (see example here: https://systemd.io/CREDENTIALS/#programming-interface-from-service-code), or get them in the start script by e.g. export OXICLOUD_JWT_SECRET=$(${cfg.auth.jwtSecret.file}). I'd prefer the first option, even tho it's more complex, as then those secret files are read by root instead of whatever user oxicloud runs at.
I can implement this if need be, this isn't complex.
Description
When using the NixOS module with the secrets as intended (by specifying a file containing the secret, see
services.oxicloud.auth.jwtSecret.file), the secrets inside those files are read usingbuiltins.readFile, meaning they are read at evaluation time and thus saved into the world-readable nix store, effectively leaking them to all programs on the system.To Reproduce
Steps to reproduce the behavior:
services.oxicloud.auth.jwtSecret.file(or similar options) to a fileoxicloud-generated.env(which is publicly accessible)Expected Behavior
The path to the secrets is referenced in the systemd service, and read at run-time.
Screenshots
Environment
irrelevant, current version of the nix module (https://github.com/AtalayaLabs/OxiCloud/blob/a05e99175f24b17f9430e7df072d7a4cd522c454/tools/nix/module.nix)
Additional Context
Add any other context about the problem here.
Possible Solution
Use either systemd-creds to get the credentials in systemd before the service is even started (see example here: https://systemd.io/CREDENTIALS/#programming-interface-from-service-code), or get them in the start script by e.g.
export OXICLOUD_JWT_SECRET=$(${cfg.auth.jwtSecret.file}). I'd prefer the first option, even tho it's more complex, as then those secret files are read by root instead of whatever user oxicloud runs at.I can implement this if need be, this isn't complex.