authorWilliam Carroll <wpcarro@gmail.com>2020-02-23T20·01+0000
committerWilliam Carroll <wpcarro@gmail.com>2020-02-23T20·01+0000
commit0973ca006cea610f1d0e060ceb3448c051b9e20e (patch)
treebf649ebb0dcf2e392a110380ec4e4f652d289686
parenta1a4689ad330796a85350e850b32c20aae0c82fd (diff)
Define monzo-token-server as a root systemd service
After I considered the security implications of calling
`systemctl --user cat monzo-token-server`, I realized that monzo-token-server
should be a root service instead of a user service.

This service unit now also explicitly depends on briefcase.monzo_ynab.tokens,
which is a big improvement.
-rw-r--r--nixos/configuration.nix14
1 files changed, 10 insertions, 4 deletions
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index f98fe980ec7e..54fd8f3ea2a5 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -1,4 +1,8 @@
-{ pkgs ? import <nixpkgs> {}, ... }:
+{
+  pkgs ? import <nixpkgs> {},
+  briefcase ? import <briefcase> {},
+  ...
+}:
 
 let
   trimNewline = x: pkgs.lib.removeSuffix "\n" x;
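Review bot: The new `briefcase` argument carries no comment saying where it is expected to come from, and its default `import <briefcase> {}` is resolved through NIX_PATH at evaluation time. Because the second hunk runs `${briefcase.monzo_ynab.tokens}/bin/token-server` as a system service, whatever that lookup resolves to decides what the service executes. How this file is invoked is not visible here, so the caller may already control this. I would document the expectation next to the argument, e.g. `# <briefcase> must resolve to a checkout only root can modify; its token-server runs as a system service.`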
@@ -75,11 +79,14 @@ in {
 
   services.lorri.enable = true;
 
-  systemd.user.services.monzo-token-server = {
+  systemd.services.monzo-token-server = {
     enable = true;
     description = "Ensure my Monzo access token is valid";
-    script = "/home/wpcarro/.nix-profile/bin/token-server";
+    script = "${briefcase.monzo_ynab.tokens}/bin/token-server";
 
+    # TODO(wpcarro): I'm unsure of the size of this security risk, but if a
+    # non-root user runs `systemctl cat monzo-token-server`, they could read the
+    # following, sensitive environment variables.
     environment = {
       store_path = "/var/cache/monzo_ynab";
       monzo_client_id = readSecret "monzo-client-id";
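Review bot: The values in `environment` are still rendered into the generated unit, so making this a system service does not remove the exposure the new TODO describes. Any local user can read a system unit with `systemctl cat`, and if `readSecret` (defined outside this hunk) reads the files at evaluation time, the values are also copied into the world-readable Nix store. Keep only `store_path` in `environment` and load the secrets at start-up from a file only root can read, e.g. `serviceConfig.EnvironmentFile = "/path/to/root-only/monzo.env";` (placeholder path). The unit also sets no `User`, so token-server now runs as root; `DynamicUser = true;` together with `CacheDirectory = "monzo_ynab";` would keep `/var/cache/monzo_ynab` writable without root. The `environment` block continues past the end of this hunk.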
@@ -90,7 +97,6 @@ in {
     };
 
     serviceConfig = {
-      WorkingDirectory = "%h/briefcase/monzo_ynab";
       Type = "simple";
     };
   };