do not leak hashed password to the logs

2023-06-12 23:40:22 +02:00 · 2023-06-12 23:40:22 +02:00 · 4e99573af4
parent bba9c4886c
commit 4e99573af4
1 changed files with 12 additions and 8 deletions
--- a/hosts/uranus/jupyter-container.nix
+++ b/hosts/uranus/jupyter-container.nix
@ -24,14 +24,18 @@ pkgs.dockerTools.buildImage {
  runAsRoot =
    let
      cont-interpreter = "/bin/bash";
-      useradd-string = (user: is-admin: ''useradd \
-                            -m \
-                            ${if is-admin then "-G ${jupyterAdminGroup}" else ""} \
-                            -p $(cat /pw/hashed-password-${user}) \
-                            ${user} \
-                            && chown -R ${user}:${jupyterAdminGroup} /home/${user} \
-                            && ln --force -s /workdir /home/${user}/shared-workdir
-                            '');
+      useradd-string = (user: is-admin: ''
+        set +x # don't leak the hashed password
+        echo "creating user ${user}"
+        useradd \
+        -m \
+        ${if is-admin then "-G ${jupyterAdminGroup}" else ""} \
+        -p $(cat /pw/hashed-password-${user}) \
+        ${user} \
+        && chown -R ${user}:${jupyterAdminGroup} /home/${user} \
+        && ln --force -s /workdir /home/${user}/shared-workdir
+        set -x
+      '');

      create-all-users-script = (lib.strings.concatStringsSep "\n" (builtins.map (u: (useradd-string u.username u.isAdmin)) jupyterUsers));
        jupyterhub-config = pkgs.writeText "jupyterhub-config.py" ''