Merge pull request #281904 from Stunkymonkey/ttyd-fix-leakage

ttyd: add test & use systemd LoadCredential
author: Nick Cao <nickcao@nichi.co> 2024-01-21 14:48:40 -0500
committer: GitHub <noreply@github.com> 2024-01-21 14:48:40 -0500
commit: 9969fb7ff4e813e8659485f340238be42447e6e3 (patch)
tree: 0af274a35d7478e75fe2755c4657c3e65468be54 /nixos/modules/services/web-servers
parent: 71ef6600a9668a897374cbd541390e8429bfcfb3 (diff)
parent: c34493d7c0a1edbcc028d34941f0807b5255f338 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/nixos/modules/services/web-servers/ttyd.nix b/nixos/modules/services/web-servers/ttyd.nix
index 3b1d87ccb483..e545869ca432 100644
--- a/nixos/modules/services/web-servers/ttyd.nix
+++ b/nixos/modules/services/web-servers/ttyd.nix
@@ -180,10 +180,11 @@ in
         # Runs login which needs to be run as root
         # login: Cannot possibly work without effective root
         User = "root";
+        LoadCredential = lib.optionalString (cfg.passwordFile != null) "TTYD_PASSWORD_FILE:${cfg.passwordFile}";
       };
 
       script = if cfg.passwordFile != null then ''
-        PASSWORD=$(cat ${escapeShellArg cfg.passwordFile})
+        PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/TTYD_PASSWORD_FILE")
         ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \
           --credential ${escapeShellArg cfg.username}:"$PASSWORD" \
           ${pkgs.shadow}/bin/login
author	Nick Cao <nickcao@nichi.co>	2024-01-21 14:48:40 -0500
committer	GitHub <noreply@github.com>	2024-01-21 14:48:40 -0500
commit	9969fb7ff4e813e8659485f340238be42447e6e3 (patch)
tree	0af274a35d7478e75fe2755c4657c3e65468be54 /nixos/modules/services/web-servers
parent	71ef6600a9668a897374cbd541390e8429bfcfb3 (diff)
parent	c34493d7c0a1edbcc028d34941f0807b5255f338 (diff)