hedgedoc config files are installed as world-readable

hedgedoc's config.json contains the vault_hedgedoc_session_secret variable: https://gitlab.archlinux.org/archlinux/infrastructure/-/blob/master/roles/hedgedoc/templates/config.json.j2?ref_type=heads#L3

The configuration snippet for hedgedoc.service contains vault_hedgedoc_client_secret: https://gitlab.archlinux.org/archlinux/infrastructure/-/blob/master/roles/hedgedoc/templates/hedgedoc.service.d.j2?ref_type=heads#L9

Both files are installed with world-readable permissions on the server: https://gitlab.archlinux.org/archlinux/infrastructure/-/blob/master/roles/hedgedoc/tasks/main.yml?ref_type=heads#L30-37

As a solution, you can move the sessionSecret to the systemd snippet as CMD_SESSION_SECRET and install that file with mode 0640, since it is read by systemd running as root.
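As an added example (not the infrastructure repository's own tasks), an Ansible task pair implementing the proposed fix, with the weak setting shown as a comment beside the corrected one; the config.json destination path, the `hedgedoc` group name and the handler names are assumptions:

```yaml
# Added example, not the repo's own tasks. Assumed: the service runs as user/group
# 'hedgedoc', config.json lives at /etc/webapps/hedgedoc/config.json, and handlers
# named 'daemon reload' and 'restart hedgedoc' exist in the role.

# Weak setting: both files installed with a world-readable mode, so every local
# user on the host can read the session and client secrets.
#   mode: '0644'

- name: Install hedgedoc config.json (sessionSecret removed from the template)
  template:
    src: config.json.j2
    dest: /etc/webapps/hedgedoc/config.json
    owner: root
    group: hedgedoc      # the service user still has to read its own config
    mode: '0640'
  notify: restart hedgedoc

- name: Install hedgedoc systemd drop-in carrying the secrets
  copy:
    content: |
      [Service]
      Environment=CMD_SESSION_SECRET={{ vault_hedgedoc_session_secret }}
      # placeholder: the existing client-secret Environment= line goes here
    dest: /etc/systemd/system/hedgedoc.service.d/override.conf
    owner: root
    group: root          # only systemd (running as root) reads the drop-in
    mode: '0640'
  no_log: true           # keep the rendered secrets out of Ansible's output
  notify:
    - daemon reload
    - restart hedgedoc

- name: Verify no hedgedoc config or drop-in is still world-readable
  command: find /etc/webapps/hedgedoc /etc/systemd/system/hedgedoc.service.d -perm -o=r
  register: world_readable
  changed_when: false
  failed_when: world_readable.stdout != ""
```

The final task makes the play fail if any file under either directory regains the "other: read" bit, which catches a regression of the original issue on the next run.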