
hedgedoc: Move the client secret to the config file for security

The systemd environment variables can be read by anyone, so move the
secret to the configuration file, which can only be read by root and the
hedgedoc user.

Fix #562
Kristian Klausen 2024-02-19 00:20:04 +01:00
parent 036555ad72
commit cf20697629
No known key found for this signature in database
GPG Key ID: E2BE346E410366C3
2 changed files with 4 additions and 2 deletions


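--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -35,6 +35,9 @@
 "host": "localhost",
 "port": "5432"
 },
-"linkifyHeaderStyle": "gfm"
+"linkifyHeaderStyle": "gfm",
+"oauth2": {
+"clientSecret": "{{ vault_hedgedoc_client_secret }}"
+}
 }
 }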
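Review bot: The added `"clientSecret"` line interpolates the vault value straight into a JSON string, so a secret containing `"` or `\` would break the rendered config; since this file is a Jinja template, emitting the value as a JSON literal is safer: `"clientSecret": {{ vault_hedgedoc_client_secret | to_json }}`. The task that renders this template and sets the file's owner and mode is outside this diff, so the root/hedgedoc-only readability the commit message relies on should be confirmed there, along with suppressing the task's diff/log output so the secret is not echoed in play output. The enclosing JSON object continues outside the hunk.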


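--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -6,7 +6,6 @@ Environment=CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
 Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
 Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
 Environment=CMD_OAUTH2_CLIENT_ID=openid_hedgedoc
-Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}
 Environment=CMD_OAUTH2_SCOPE="openid email profile roles"
 Environment=CMD_OAUTH2_ROLES_CLAIM=roles
 Environment=CMD_OAUTH2_ACCESS_ROLE=Staff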