Define monzo-token-server as a root systemd service
After I considered the security implications of calling `systemctl --user cat monzo-token-server`, I realized that monzo-token-server should be a root service instead of a user service. This service unit now also explicitly depends on briefcase.monzo_ynab.tokens, which is a big improvement.
This commit is contained in:
parent
a1a4689ad3
commit
0973ca006c
1 changed files with 10 additions and 4 deletions
|
@ -1,4 +1,8 @@
|
|||
{ pkgs ? import <nixpkgs> {}, ... }:
|
||||
{
|
||||
pkgs ? import <nixpkgs> {},
|
||||
briefcase ? import <briefcase> {},
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
trimNewline = x: pkgs.lib.removeSuffix "\n" x;
|
||||
|
@ -75,11 +79,14 @@ in {
|
|||
|
||||
services.lorri.enable = true;
|
||||
|
||||
systemd.user.services.monzo-token-server = {
|
||||
systemd.services.monzo-token-server = {
|
||||
enable = true;
|
||||
description = "Ensure my Monzo access token is valid";
|
||||
script = "/home/wpcarro/.nix-profile/bin/token-server";
|
||||
script = "${briefcase.monzo_ynab.tokens}/bin/token-server";
|
||||
|
||||
# TODO(wpcarro): I'm unsure of the size of this security risk, but if a
|
||||
# non-root user runs `systemctl cat monzo-token-server`, they could read the
|
||||
# following, sensitive environment variables.
|
||||
environment = {
|
||||
store_path = "/var/cache/monzo_ynab";
|
||||
monzo_client_id = readSecret "monzo-client-id";
|
||||
|
@ -90,7 +97,6 @@ in {
|
|||
};
|
||||
|
||||
serviceConfig = {
|
||||
WorkingDirectory = "%h/briefcase/monzo_ynab";
|
||||
Type = "simple";
|
||||
};
|
||||
};
|
||||
|
|
Loading…
Reference in a new issue