From 4e99573af4e6fdb10711f0245a2115787363c06f Mon Sep 17 00:00:00 2001
From: Grigory Shipunov
Date: Mon, 12 Jun 2023 23:40:22 +0200
Subject: [PATCH] do not leak hashed password to the logs
---
hosts/uranus/jupyter-container.nix | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/hosts/uranus/jupyter-container.nix b/hosts/uranus/jupyter-container.nix
index 4d7d8fd..a7b43cd 100644
--- a/hosts/uranus/jupyter-container.nix
+++ b/hosts/uranus/jupyter-container.nix
@@ -24,14 +24,18 @@ pkgs.dockerTools.buildImage {
 runAsRoot = let cont-interpreter = "/bin/bash";
- useradd-string = (user: is-admin: ''useradd \
- -m \
- ${if is-admin then "-G ${jupyterAdminGroup}" else ""} \
- -p $(cat /pw/hashed-password-${user}) \
- ${user} \
- && chown -R ${user}:${jupyterAdminGroup} /home/${user} \
- && ln --force -s /workdir /home/${user}/shared-workdir
- '');
+ useradd-string = (user: is-admin: ''
+ set +x # don't leak the hashed password
+ echo "creating user ${user}"
+ useradd \
+ -m \
+ ${if is-admin then "-G ${jupyterAdminGroup}" else ""} \
+ -p $(cat /pw/hashed-password-${user}) \
+ ${user} \
+ && chown -R ${user}:${jupyterAdminGroup} /home/${user} \
+ && ln --force -s /workdir /home/${user}/shared-workdir
+ set -x
+ '');
 create-all-users-script = (lib.strings.concatStringsSep "\n" (builtins.map (u: (useradd-string u.username u.isAdmin)) jupyterUsers)); jupyterhub-config = pkgs.writeText "jupyterhub-config.py" ''
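Review bot: The hash is still passed to `useradd` as a command-line argument on the `-p $(cat /pw/hashed-password-${user})` line, so `set +x` keeps it out of the build log but not out of the process arguments while the command runs; the useradd manual discourages `-p` for that reason. Consider dropping `-p` and setting the hash over stdin once the account exists, e.g. `&& printf '%s:%s\n' "${user}" "$(cat /pw/hashed-password-${user})" | chpasswd -e \` placed after the `${user} \` line. This assumes the script runs under the `/bin/bash` named in `cont-interpreter`, where `printf` is a builtin, and that `chpasswd` is available next to `useradd`. The trailing `set -x` also turns tracing on unconditionally rather than restoring the earlier state, which deserves a short comment saying the builder is expected to run with xtrace enabled. The enclosing `runAsRoot = let` block begins before and continues past this hunk, so whether `/pw` or the resulting shadow file end up in the final image cannot be judged from here.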