nixos/stunnel: Make it hard to accidentally put private keys in the Nix store

With type.path, both of these usages are permitted:

    key = ./foo-client-key.pem;  # Bad! Puts secret in store.
    key = "/var/lib/foo/client-key.pem";  # OK

Disallow the bad usage using types.strMatching "/.*" instead of types.path.

The server version of this probably ought to be changed also, but that would be a breaking change. We can change the client key type because this commit and the commit that introduces the client key option are in the same PR and will be merged atomically.

We keep this a separate commit to provide a succinct concrete example of the problems described in NixOS#24288.
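Added example, not part of the commit or of the stunnel module: a stand-alone Nix expression that evaluates a one-option module under each type and reports which of the values from the commit message pass the type check. The option name `key`, the helper `accepts` and the file name `example.nix` are hypothetical, and it assumes `<nixpkgs>` is on `NIX_PATH`.

```nix
# Added example. Evaluate with:
#   nix-instantiate --eval --strict example.nix
# Assumes <nixpkgs> is on NIX_PATH; `key` and `accepts` are hypothetical names.
let
  lib = import <nixpkgs/lib>;

  # Declare a single option `key` of the given type, define it with `value`,
  # and report whether reading it back passes the module system's type check.
  accepts = type: value:
    (builtins.tryEval (lib.evalModules {
      modules = [
        { options.key = lib.mkOption { inherit type; }; }
        { config.key = value; }
      ];
    }).config.key).success;

  loose  = lib.types.path;               # type before the change
  strict = lib.types.strMatching "/.*";  # type after the change
in {
  pathType = {
    # Path literal: the form that ends up copying the key into the store.
    pathLiteral    = accepts loose ./foo-client-key.pem;
    # Absolute path given as a string: stays a plain runtime path.
    absoluteString = accepts loose "/var/lib/foo/client-key.pem";
  };
  strMatchingType = {
    pathLiteral    = accepts strict ./foo-client-key.pem;
    absoluteString = accepts strict "/var/lib/foo/client-key.pem";
    # Not absolute, so it does not match the "/.*" pattern.
    relativeString = accepts strict "client-key.pem";
  };
}
```

The check only rejects values that are not strings starting with `/`: a path interpolated into a string, such as `"${./foo-client-key.pem}"`, is still copied to the store and yields an absolute store path that matches the pattern, so the type guards against the accidental form only.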