From dcf64f03fbf511ec493059445c66cf196c407abc Mon Sep 17 00:00:00 2001
From: Andreas Fuchs
Date: Wed, 30 Oct 2024 11:19:10 -0400
Subject: [PATCH] Validate generated config file in the nixos module

This uses the usual pkgs.runCommand pattern to ensure that no non-parseable config files can make it to the command line.
---
 nix/modules/default/default.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/nix/modules/default/default.nix b/nix/modules/default/default.nix
index d2efa327..d29a7f1f 100644
--- a/nix/modules/default/default.nix
+++ b/nix/modules/default/default.nix
@@ -11,6 +11,10 @@ let
 cfg = config.services.grapevine;
 configFile = format.generate "config.toml" cfg.settings;
 
+ validateConfig = file: pkgs.runCommand "grapevine-checked-config" {} ''
+ ${lib.getExe cfg.package} check-config -c ${lib.escapeShellArg file}
+ ln -s ${lib.escapeShellArg file} "$out"
+ '';
 format = pkgs.formats.toml {};
 in
 
@@ -79,7 +83,7 @@ in
 # Keep sorted
 serviceConfig = {
 DynamicUser = true;
- ExecStart = "${lib.getExe cfg.package} serve --config ${configFile}";
+ ExecStart = "${lib.getExe cfg.package} serve --config ${validateConfig configFile}";
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
 PrivateDevices = true;
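Review bot: The new validateConfig binding runs `${lib.getExe cfg.package} check-config` inside pkgs.runCommand, which executes on the build platform, while cfg.package is built for the host platform; when the two differ (cross-compilation) the check cannot execute and the whole evaluation fails at build time instead of validating anything. If that case matters, gating the check on `pkgs.stdenv.buildPlatform.canExecute pkgs.stdenv.hostPlatform` and otherwise returning the file unchanged would keep the module usable there — presumably the native build is what this targets, so this may be acceptable to leave as is. The binding also carries no comment explaining the symlink indirection; I would add above it `# Fails the NixOS build (rather than the service start) if check-config rejects the generated settings; $out is a symlink, so ExecStart still reads the original store path.` Only the ExecStart in the second hunk is routed through validateConfig, so any other consumer of configFile in this module would still receive the unvalidated file.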