fix: use builtin.readFile for cloudflare IPs and add sha256

Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
2024-10-06 00:03:58 +05:30 · 2024-10-06 00:03:58 +05:30 · 8e6c452854
commit 8e6c452854
parent 164acc1042
1 changed files with 9 additions and 3 deletions
--- a/modules/nixos/services/nginx/default.nix
+++ b/modules/nixos/services/nginx/default.nix
@ -55,12 +55,18 @@
              return 444;
            }
          ''
-          ++ lib.optionalString cfg.enableCloudflareRealIP ''
+          + lib.optionalString cfg.enableCloudflareRealIP ''
            ${lib.concatMapStrings (ip: "set_real_ip_from ${ip};\n")
              (lib.filter (line: line != "")
                (lib.splitString "\n" ''
-                  ${lib.readFile (lib.fetchurl "https://www.cloudflare.com/ips-v4/")}
-                  ${lib.readFile (lib.fetchurl "https://www.cloudflare.com/ips-v6/")}
+                  ${lib.readFile (builtins.fetchurl {
+                    url = "https://www.cloudflare.com/ips-v4/";
+                    sha256 = "sha256-8Cxtg7wBqwroV3Fg4DbXAMdFU1m84FTfiE5dfZ5Onns=";
+                  })}
+                  ${lib.readFile (builtins.fetchurl {
+                    url = "https://www.cloudflare.com/ips-v6/";
+                    sha256 = "sha256-np054+g7rQDE3sr9U8Y/piAp89ldto3pN9K+KCNMoKk=";
+                  })}
                ''))}
            real_ip_header CF-Connecting-IP;
          '';