security/confidentiality: secrets are stored in environment variables #1663

@ju1m

Description

Describe the bug
bonfire requires storing secrets directly in envvars, instead of reading them from files (whose paths can be stored in envvars).

systemd's documentation explains the problem well:

Note that environment variables are not suitable for passing secrets (such as passwords, key material, …) to service processes. Environment variables set for a unit are exposed to unprivileged clients via D-Bus IPC, and generally not understood as being data that requires protection. Moreover, environment variables are propagated down the process tree, including across security boundaries (such as setuid/setgid executables), and hence might leak to processes that should not have access to the secret data. Use LoadCredential=, LoadCredentialEncrypted= or SetCredentialEncrypted= (see below) to pass data to unit processes securely.

To Reproduce

Expected behavior
Secrets must be passed through files without their content ever going into the environment or command args.
Here's a list to consider for problematic envvars:

  • RELEASE_COOKIE, in _build/prod/rel/bonfire/bin/bonfire passed to elixir through command args --cookie $RELEASE_COOKIE then passed to erl through -setcookie $RELEASE_COOKIE which sadly disables reading it from $HOME/.erlang.cookie or $XDG_CONFIG_HOME/erlang/.erlang.cookie:

https://github.com/erlang/otp/blob/6db81aacec54a014a5487d4a97eaaade06c73545/lib/kernel/src/auth.erl#L345-L352

So apparently the only workaround for that envvar is to call elixir directly without using _build/prod/rel/bonfire/bin/bonfire.

  • ERLANG_COOKIE, looks like an alternative to RELEASE_COOKIE specific to the justfile, different from _build/prod/rel/bonfire/releases/COOKIE, apparently not used when MIX_ENV=prod
  • SECRET_KEY_BASE
  • SIGNING_SALT
  • ENCRYPTION_SALT
  • MAIL_KEY
  • UPLOADS_S3_ACCESS_KEY_ID
  • MAIL_PASSWORD
  • MEILI_MASTER_KEY
  • MAPBOX_API_KEY
  • POSTGRES_PASSWORD
  • ZENODO_CLIENT_ID
  • ZENODO_CLIENT_SECRET
  • ORCID_CLIENT_ID
  • ORCID_CLIENT_SECRET
  • PIRATE_WEATHER_API
  • OTEL_LIGHTSTEP_API_KEY
  • OTEL_HONEYCOMB_API_KEY
  • APPSIGNAL_PUSH_API_KEY
  • OPEN_WEATHER_MAP_API_KEY
  • DATABASE_URL, can contain the PostgreSQL password.
  • AKISMET_API_KEY
  • WEB_PUSH_PRIVATE_KEY
  • GITHUB_TOKEN
  • TX_TOKEN
  • GITHUB_CLIENT_SECRET
  • UPLOADS_S3_SECRET_ACCESS_KEY

Bonfire environment (please complete the following information):

  • Running env: prod
  • Running with Co-op Cloud and/or Docker?: none
  • Running version (check on your instance's sidebar): 1.0.0
  • Running flavour: social
  • Running any extra/forked extensions:

Client device (please complete the following information):

  • Device:
  • OS: NixOS
  • Browser:
  • Browser Version:

Additional context
nix/module.nix uses EnvironmentFile= to avoid a bigger problem (the secrets would go into the Nix store in clear with Environment=):

    # nix/module.nix (excerpt)
    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        environment file for secret environment variables
        should contain
        SECRET_KEY_BASE
        SIGNING_SALT
        ENCRYPTION_SALT
        RELEASE_COOKIE
      '';
    };

but the secrets still end up in the processes' environment.
The secrets must instead be loaded from files (passed to the processes with LoadCredential=/LoadCredentialEncrypted= in the case of systemd).
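One way to implement the file-based loading the issue asks for, as an added example (not Bonfire's own configuration): a config/runtime.exs fragment whose lookup helper first checks $CREDENTIALS_DIRECTORY (the directory systemd exports to the service when the unit uses LoadCredential= or LoadCredentialEncrypted=, e.g. LoadCredential=secret_key_base:/path/to/secret_key_base), then a <NAME>_FILE path, and only then the bare environment variable. The module names Bonfire.Web.Endpoint and Bonfire.Repo, the POSTGRES_* variables and the secret names are assumptions for illustration.

```elixir
# config/runtime.exs -- added example, not Bonfire's actual configuration
import Config

# Resolve a secret by name without needing its value in the environment.
# Lookup order (constructed for this example):
#   1. $CREDENTIALS_DIRECTORY/<name>   set by systemd LoadCredential=/LoadCredentialEncrypted=
#   2. the file named by $<NAME>_FILE  the "path in an envvar" pattern the issue asks for
#   3. $<NAME>                         kept only for backwards compatibility
read_secret = fn name ->
  env_name = String.upcase(name)
  cred_dir = System.get_env("CREDENTIALS_DIRECTORY")
  cred_file = if cred_dir, do: Path.join(cred_dir, name)
  path_from_env = System.get_env(env_name <> "_FILE")

  cond do
    cred_file && File.exists?(cred_file) ->
      # credential files usually end with a newline; strip it, keep the rest verbatim
      cred_file |> File.read!() |> String.trim_trailing()

    path_from_env ->
      path_from_env |> File.read!() |> String.trim_trailing()

    true ->
      System.get_env(env_name)
  end
end

# Fail fast at boot when a required secret is missing from every source.
require_secret = fn name ->
  read_secret.(name) ||
    raise "secret #{name} not found: provide it via CREDENTIALS_DIRECTORY or #{String.upcase(name)}_FILE"
end

if config_env() == :prod do
  # Bonfire.Web.Endpoint and Bonfire.Repo are assumed module names for illustration.
  config :bonfire, Bonfire.Web.Endpoint,
    secret_key_base: require_secret.("secret_key_base"),
    live_view: [signing_salt: require_secret.("signing_salt")]

  # Build the database connection from parts so the password never sits in DATABASE_URL.
  config :bonfire, Bonfire.Repo,
    hostname: System.get_env("POSTGRES_HOST", "localhost"),
    username: System.get_env("POSTGRES_USER", "bonfire"),
    database: System.get_env("POSTGRES_DB", "bonfire"),
    password: require_secret.("postgres_password")
end
```

With this in place the unit can drop SECRET_KEY_BASE, SIGNING_SALT and POSTGRES_PASSWORD from EnvironmentFile= entirely; systemd makes the credential files readable by the service alone and only exports the directory path, so neither D-Bus nor child processes see the values. The bare-variable fallback is the remaining leak to remove once deployments have migrated. This does not help with RELEASE_COOKIE, which the generated release script forwards on the command line before runtime.exs is evaluated.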
