author | William Carroll <wpcarro@gmail.com> | 2020-02-23T20·01+0000 |
---|---|---|
committer | William Carroll <wpcarro@gmail.com> | 2020-02-23T20·01+0000 |
commit | 0973ca006cea610f1d0e060ceb3448c051b9e20e (patch) | |
tree | bf649ebb0dcf2e392a110380ec4e4f652d289686 | |
parent | a1a4689ad330796a85350e850b32c20aae0c82fd (diff) |
Define monzo-token-server as a root systemd service
After I considered the security implications of calling `systemctl --user cat monzo-token-server`, I realized that monzo-token-server should be a root service instead of a user service. This service unit now also explicitly depends on briefcase.monzo_ynab.tokens, which is a big improvement.
-rw-r--r-- | nixos/configuration.nix | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index f98fe980ec7e..54fd8f3ea2a5 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -1,4 +1,8 @@
-{ pkgs ? import <nixpkgs> {}, ... }:
+{
+  pkgs ? import <nixpkgs> {},
+  briefcase ? import <briefcase> {},
+  ...
+}:
 let
   trimNewline = x: pkgs.lib.removeSuffix "\n" x;
@@ -75,11 +79,14 @@ in {
   services.lorri.enable = true;
-  systemd.user.services.monzo-token-server = {
+  systemd.services.monzo-token-server = {
     enable = true;
     description = "Ensure my Monzo access token is valid";
-    script = "/home/wpcarro/.nix-profile/bin/token-server";
+    script = "${briefcase.monzo_ynab.tokens}/bin/token-server";
+    # TODO(wpcarro): I'm unsure of the size of this security risk, but if a
+    # non-root user runs `systemctl cat monzo-token-server`, they could read the
+    # following, sensitive environment variables.
     environment = {
       store_path = "/var/cache/monzo_ynab";
       monzo_client_id = readSecret "monzo-client-id";
@@ -90,7 +97,6 @@ in {
     };
     serviceConfig = {
-      WorkingDirectory = "%h/briefcase/monzo_ynab";
       Type = "simple";
     };
   };
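Review bot: The secrets placed in the new `environment` block are exposed well beyond `systemctl cat`: NixOS renders `environment` into `Environment=` lines of the generated unit file, which lives in the world-readable Nix store, so any local user can read `monzo_client_id` and whatever `readSecret` values follow, and moving the unit from the user manager to the system manager does not change that, so the TODO comment understates the risk. Keep only the non-secret `store_path` in `environment` and load the secrets through `EnvironmentFile=` pointing at a root-owned, mode 0600 file outside the store. Dropping `systemd.user` also means the script now runs as root by default (no `User=` in `serviceConfig`), although it appears to need only `/var/cache/monzo_ynab`; `DynamicUser = true` with `CacheDirectory = "monzo_ynab"` would give it that directory without root. The `environment` attrset and the enclosing service definition continue outside the hunk, so the remaining `readSecret` entries to remove are not visible here.
```nix
    environment = {
      store_path = "/var/cache/monzo_ynab";
      # … unchanged: the readSecret entries are removed and move to EnvironmentFile …
    };

    serviceConfig = {
      Type = "simple";
      # Run unprivileged; the script only needs its cache directory.
      DynamicUser = true;
      CacheDirectory = "monzo_ynab";
      # Root-owned, mode 0600, outside the Nix store; holds monzo_client_id etc.
      EnvironmentFile = "/etc/monzo-token-server.env";
    };
```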