From 81add6600cba1e6a896fd0dc413e44f52bb0d601 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Wed, 20 Jul 2022 20:12:46 +0200
Subject: [PATCH] nixos/privacyidea-ldap-proxy: umask to avoid accidental world-readability

---
 nixos/modules/services/security/privacyidea.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/services/security/privacyidea.nix b/nixos/modules/services/security/privacyidea.nix
index 13e27f255068..1f5639d475e8 100644
--- a/nixos/modules/services/security/privacyidea.nix
+++ b/nixos/modules/services/security/privacyidea.nix
@@ -332,6 +332,7 @@ in
       [ cfg.ldap-proxy.environmentFile ];
       ExecStartPre = "${pkgs.writeShellScript "substitute-secrets-ldap-proxy" ''
+        umask 0077
         ${pkgs.envsubst}/bin/envsubst \
           -i ${ldapProxyConfig} \
           -o $STATE_DIRECTORY/ldap-proxy.ini