What about other escape codes, should they exist in the string? I don't really know if they will, but it's really not obvious, at least to me. To be fair I'm not really sure what the JWS key is :)

The JWS key is actually the only one that's reasonably safe to assume doesn't contain a comma ( :( ), because it's base64 encoded...

Should probably be quoted to prevent whitespace in the password from breaking.

Actually never mind, this seems to be fine.

This quoting is needed for databasePassword to tolerate whitespace: DBPASSWORD=$(cat "${cfg.databasePassword}"). The "outer" quoting is unneeded, as mentioned, although it looks a bit scary :-)

Although while putting spaces in passwords is a sensible thing to do IMHO, anyone who's putting a space in the path to their password should reevaluate their life choices. Again IMHO ;)

Hehe :-)

This at least can be trivially fixed, and I'll do so. Thanks!

All these substitutions will break if any of the keys/passwords contain a comma, right? Perhaps use ${VAR//,/\\,/} rather than $VAR in each case.

If this seems like an acceptable fix to the substitution issue, I'll do it. I feel like the entire sed approach is wrong, but I don't know of any other reasonable alternatives. :/

This would break with a password containing a quote, right? Similarly to before, I'd suggest ${DBPASSWORD//'/\\'/}… Although I'm guessing that would still go wrong in other ways 😢 (I wouldn't be surprised if postgres interprets other escape sequences too.) Oh, the joys of substituting text into other languages.

Also, shouldn't bash refrain from variable substitutions in single quotes anyway?

Uh, yes. I must have been fooled by the peer authentication.

Oh, no, this is fine.

$ foo=test; echo "This is fine: '$foo'"
This is fine: 'test'

Hm, weird. Without the outer quotes:

foo=test; echo This is fine: '$foo'
This is fine: $foo

Ah, I guess that has the same problem that @dhess pointed out.

Yes, because it would appear in ps, just for echo rather than psql. You could also remove the -, since psql won't care about the leading whitespace AFAIK.

Another alternative is psql postgres <<< "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '$DBPASSWORD'"

How about 4c9744b ?

LGTM!

aren't paths copied into the nix store as well? I stumbled upon this in #29298

As far as I understand, neither the value of type str or path is copied directly to the store. The problem is that the secretsYml file was. Instead, that file (which is still copied to the store) is merely a template which we copy out substitute into at runtime from files whose path are specified here.

Actually, I suppose the configuration is stored, but it doesn't matter, since the path, not the contents is what's made world-readable. At best you can now see where the secret is stored, but it should still be secure (if permissions are correct.)

@srhb good work on making NixOS more secure! With regards to password options having type path see this comment by @domenkozar: #24288 (comment).

Does this really prevent store path being created? I think you should do:

nix-repl> "${toString ./timeout.txt}"
"/home/ielectric/timeout.txt"

instead of

nix-repl> "${./timeout.txt}"
"/nix/store/qvggx3asvcz26r9wpclpy67f0k5zryg6-timeout.txt"

See https://stackoverflow.com/a/43850372/133235 as a reference

I'm sorry, I don't understand exactly where you think it's going wrong. Can you point me at the exact spot? Here's an example of the rendered preStart-script:

cat > /var/gitlab/state/config/secrets.yml << EOF
production:
  secret_key_base: $(cat "/run/keys/secret")
  otp_key_base: $(cat "/run/keys/otp")
  db_key_base: $(cat "/run/keys/db")
  jws_private_key: $(/nix/store/dc4f9mfgbwb0wygwk7qw5b0s0mv7kcml-jq-1.5/bin/jq -Rs . "/run/keys/jws")
EOF

This is with services.gitlab.secrets.db set to "/run/keys/db" and so on.

The problem is, someone can specify it as /run/keys/db instead of "/run/keys/db" and it would get copied to the store if you don't call toString first.

Good point! That's actually a fair argument against using path at all...

0ba5f49 incorporates your suggestion, thank you. :)

We could come up with a type like nonStorePath meaning it would validate the value is not in store but is a path.

I think that would actually be pretty handy!

@domenkozar Do you still want nonStorePath for this PR?

One thing I don't like is how this breaks everybody's config with a mediocre error message (type mismatch). Alternatives are:

• Introduce {secret,db,...}File options for path based passwords. I don't like this because it introduces more options.
• Introduce a type types.changed types.str types.path for such situations, maybe even types.changed "<reason, and remedy>" types.str types.path. I quite like this one.

I don't consider this a blocker for this PR though.

@infinisil, in nextcloud you have the adminPass and adminPassFile options next to each other. I think that's quite an ok solution.

As per infinisil's suggestion