Define monzo-token-server as a root systemd service

After I considered the security implications of calling
`systemctl --user cat monzo-token-server`, I realized that monzo-token-server
should be a root service instead of a user service.

This service unit now also explicitly depends on briefcase.monzo_ynab.tokens,
which is a big improvement.
This commit is contained in:
William Carroll 2020-02-23 20:01:33 +00:00
parent a1a4689ad3
commit 0973ca006c

View file

@ -1,4 +1,8 @@
{ pkgs ? import <nixpkgs> {}, ... }:
{
pkgs ? import <nixpkgs> {},
briefcase ? import <briefcase> {},
...
}:
let
trimNewline = x: pkgs.lib.removeSuffix "\n" x;
@ -75,11 +79,14 @@ in {
services.lorri.enable = true;
systemd.user.services.monzo-token-server = {
systemd.services.monzo-token-server = {
enable = true;
description = "Ensure my Monzo access token is valid";
script = "/home/wpcarro/.nix-profile/bin/token-server";
script = "${briefcase.monzo_ynab.tokens}/bin/token-server";
# TODO(wpcarro): I'm unsure of the size of this security risk, but if a
# non-root user runs `systemctl cat monzo-token-server`, they could read the
# following, sensitive environment variables.
environment = {
store_path = "/var/cache/monzo_ynab";
monzo_client_id = readSecret "monzo-client-id";
@ -90,7 +97,6 @@ in {
};
serviceConfig = {
WorkingDirectory = "%h/briefcase/monzo_ynab";
Type = "simple";
};
};