From d6727d28e1c11887c8dad6860c0c204a21054d57 Mon Sep 17 00:00:00 2001
From: talyz
Date: Tue, 4 May 2021 16:57:11 +0200
Subject: [PATCH] nixos/keycloak: Set the postgresql database password securely

Feeding `psql` the password on the command line leaks it through the `psql` process' `/proc//cmdline` file. Using `echo` to put the command in a file and then feeding `psql` the file should work around this, since `echo` is a bash builtin and thus shouldn't spawn a new process.

--- nixos/modules/services/web-apps/keycloak.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index e2e6df41dfa..073f793b4ed 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -592,8 +592,11 @@ in
 PSQL=${config.services.postgresql.package}/bin/psql
- db_password="$(<'${cfg.databasePasswordFile}')"
- $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || $PSQL -tAc "CREATE ROLE keycloak WITH LOGIN PASSWORD '$db_password' CREATEDB"
+ create_role="$(mktemp)"
+ trap 'rm -f "$create_role"' ERR EXIT
+
+ echo "CREATE ROLE keycloak WITH LOGIN PASSWORD '$(<'${cfg.databasePasswordFile}')' CREATEDB" > "$create_role"
+ $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='keycloak'" | grep -q 1 || $PSQL -tA --file="$create_role"
 $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'keycloak'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "keycloak" OWNER "keycloak"'
 '';
 };
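Review bot: The password is still spliced into the SQL text unescaped on the `echo` line, so a `'` in databasePasswordFile breaks the CREATE ROLE statement; only the argv exposure is addressed here. psql can do the quoting itself: have the temp file start with `\set pw` followed by a backquoted `cat '${cfg.databasePasswordFile}'` (psql runs the command and stores its stdout with the trailing newline removed, and only the file name reaches argv), then `CREATE ROLE keycloak WITH LOGIN PASSWORD :'pw' CREATEDB`, where `:'pw'` emits a correctly escaped literal. That also removes the `$(<…)` expansion from the echo line, so the secret is never held in a shell word. The temp-file approach only protects the secret because mktemp creates the file with owner-only permissions; a comment saying so next to `create_role="$(mktemp)"` would stop a later edit from swapping in a fixed or shared path. The `script` string this hunk edits starts above the hunk.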