Load secret key on startup

- Allow us to drop privileges (via starman command line flags) to a state where we are no longer able to read this file. - Alert users if the variable is set but not valid (fixes #40).
edolstra · Apr 6, 2024 · 860e87d · 860e87d
1 parent d6df5bd
commit 860e87d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 5 deletions.
diff --git a/flake.nix b/flake.nix
@@ -27,7 +27,7 @@
               #! ${stdenv.shell}
               PERL5LIB=$PERL5LIB \
               NIX_REMOTE="\''${NIX_REMOTE:-auto?path-info-cache-size=0}" \
-              exec ${perlPackages.Starman}/bin/starman $out/libexec/nix-serve/nix-serve.psgi "\$@"
+              exec ${perlPackages.Starman}/bin/starman --preload-app $out/libexec/nix-serve/nix-serve.psgi "\$@"
               EOF
               chmod +x $out/bin/nix-serve
             '';

diff --git a/nix-serve.psgi b/nix-serve.psgi
@@ -10,6 +10,15 @@ sub stripPath {
     $x =~ s/.*\///; $x
 }
 
+my $secretKey;
+BEGIN {
+	my $secretKeyFile = $ENV{'NIX_SECRET_KEY_FILE'};
+	if (defined $secretKeyFile) {
+		$secretKey = readFile $secretKeyFile;
+		chomp $secretKey;
+	}
+}
+
 my $app = sub {
     my $env = shift;
     my $path = $env->{PATH_INFO};
@@ -35,10 +44,7 @@ my $app = sub {
         $res .= "References: " . join(" ", map { stripPath($_) } @$refs) . "\n"
             if scalar @$refs > 0;
         $res .= "Deriver: " . stripPath($deriver) . "\n" if defined $deriver;
-        my $secretKeyFile = $ENV{'NIX_SECRET_KEY_FILE'};
-        if (defined $secretKeyFile) {
-            my $secretKey = readFile $secretKeyFile;
-            chomp $secretKey;
+        if (defined $secretKey) {
             my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);
             my $sig = signString($secretKey, $fingerprint);
             $res .= "Sig: $sig\n";