From cf206976297a3bf3e651661dab6b4c92ff8f7f65 Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Mon, 19 Feb 2024 00:20:04 +0100
Subject: [PATCH] hedgedoc: Move the client secret to the config file for
 security

The `Environment=` values of a systemd unit can be read by any local user
(e.g. via `systemctl show`), so move the secret to the configuration file,
which can only be read by root and the hedgedoc user.

Fix #562
---
 roles/hedgedoc/templates/config.json.j2        | 5 ++++-
 roles/hedgedoc/templates/hedgedoc.service.d.j2 | 1 -
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/roles/hedgedoc/templates/config.json.j2 b/roles/hedgedoc/templates/config.json.j2
index 57d08fb68..29ef1cc34 100644
--- a/roles/hedgedoc/templates/config.json.j2
+++ b/roles/hedgedoc/templates/config.json.j2
@@ -35,6 +35,9 @@
             "host": "localhost",
             "port": "5432"
         },
-        "linkifyHeaderStyle": "gfm"
+        "linkifyHeaderStyle": "gfm",
+        "oauth2": {
+            "clientSecret": "{{ vault_hedgedoc_client_secret }}"
+        }
     }
 }
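Review bot: The secret is interpolated into a JSON string literal without escaping, so a value containing `"` or `\` produces an unparseable config.json and the service fails at startup; render it through the JSON filter instead: `"clientSecret": {{ vault_hedgedoc_client_secret | to_json }}`. The commit message says the file is readable only by root and the hedgedoc user, but the task that sets the file's owner and mode is not part of this diff, so that guarantee should be checked in the role that deploys `config.json` (a mode of 0640 with group hedgedoc, presumably). The surrounding object that this `oauth2` key belongs to starts before the hunk, so whether it sits under the correct environment block cannot be confirmed here.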
diff --git a/roles/hedgedoc/templates/hedgedoc.service.d.j2 b/roles/hedgedoc/templates/hedgedoc.service.d.j2
index 06ca55e07..bb5f6ff19 100644
--- a/roles/hedgedoc/templates/hedgedoc.service.d.j2
+++ b/roles/hedgedoc/templates/hedgedoc.service.d.j2
@@ -6,7 +6,6 @@ Environment=CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
 Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
 Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
 Environment=CMD_OAUTH2_CLIENT_ID=openid_hedgedoc
-Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}
 Environment=CMD_OAUTH2_SCOPE="openid email profile roles"
 Environment=CMD_OAUTH2_ROLES_CLAIM=roles
 Environment=CMD_OAUTH2_ACCESS_ROLE=Staff
-- 
GitLab