nixos/bookstack: Make secret replacement strings more unique

If one secret path is a substring of another secret path, there's a risk
that its secret is substituted for the matching part of the second
path. To prevent this, use the sha256 hash of each path as the placeholder
string instead.
main
talyz 2 years ago
parent efeefb2af1
commit be97b3b44d
No known key found for this signature in database
GPG Key ID: 2DED2151F4671A2B
  1. 4
      nixos/modules/services/web-apps/bookstack.nix

@ -385,13 +385,13 @@ in {
else if isString v then v
else if true == v then "true"
else if false == v then "false"
else if isSecret v then v._secret
else if isSecret v then hashString "sha256" v._secret
else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
};
};
secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.config);
mkSecretReplacement = file: ''
replace-secret ${escapeShellArgs [ file file "${cfg.dataDir}/.env" ]}
replace-secret ${escapeShellArgs [ (builtins.hashString "sha256" file) file "${cfg.dataDir}/.env" ]}
'';
secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ {} null ])) cfg.config;
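Review bot: The placeholder is now derived independently at two sites that must stay byte-identical — `hashString "sha256" v._secret` in the serializer branch and `builtins.hashString "sha256" file` in mkSecretReplacement — and the hunk already spells the call two different ways (bare `hashString`, presumably in scope from builtins, versus the qualified form). If the two derivations ever drift, replace-secret will not find its placeholder in `.env` and the file could be left holding the hex digest rather than the secret; whether replace-secret fails loudly in that case is not visible here. Factor the derivation into one helper in the same let-block, e.g. `secretPlaceholder = path: hashString "sha256" path; # must match what mkSecretReplacement hands to replace-secret`, and use it at both sites: `else if isSecret v then secretPlaceholder v._secret` and `replace-secret ${escapeShellArgs [ (secretPlaceholder file) file "${cfg.dataDir}/.env" ]}`. The enclosing let-block starts and ends outside the hunk.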
