hedgedoc: Move the client secret to the config file for security

The systemd environment variables can be read by anyone, so move the secret to the configuration file, which can only be read by root and the hedgedoc user. Fix #562

hedgedoc: Move the client secret to the config file for security
cf206976 · Kristian Klausen · 036555ad · cf206976 · cf206976
Verified Commit cf206976 authored 1 year ago by Kristian Klausen
--- a/roles/hedgedoc/templates/config.json.j2
+++ b/roles/hedgedoc/templates/config.json.j2
@@ -35,6 +35,9 @@
            "host": "localhost",
            "port": "5432"
        },
-        "linkifyHeaderStyle": "gfm"
+        "linkifyHeaderStyle": "gfm",
+        "oauth2": {
+            "clientSecret": "{{ vault_hedgedoc_client_secret }}"
+        }
    }
 }
--- a/roles/hedgedoc/templates/hedgedoc.service.d.j2
+++ b/roles/hedgedoc/templates/hedgedoc.service.d.j2
@@ -6,7 +6,6 @@ Environment=CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
 Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
 Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
 Environment=CMD_OAUTH2_CLIENT_ID=openid_hedgedoc
-Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}
 Environment=CMD_OAUTH2_SCOPE="openid email profile roles"
 Environment=CMD_OAUTH2_ROLES_CLAIM=roles
 Environment=CMD_OAUTH2_ACCESS_ROLE=Staff