authorRodney Lorrimar <dev@rodney.id.au>2017-04-22 17:51:04 +0100
committerRodney Lorrimar <dev@rodney.id.au>2017-04-22 17:51:04 +0100
commitcfa1faa37c808f0a63093b1af8e03b6624b68872 (patch)
tree0d41645afa27cc29a82b45babcdf7c7439ed6196 /nixos/modules/services/misc/gogs.nix
parent79d52bc26cda44ea0e7d947cdc032b7eed9ee959 (diff)
gogs service: chmod 440 config file
Directory which contains the config file /var/lib/gogs already
has mode 700 but users are liable to change these things.
Diffstat (limited to 'nixos/modules/services/misc/gogs.nix')
-rw-r--r--nixos/modules/services/misc/gogs.nix9
1 files changed, 6 insertions, 3 deletions
diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix
index f0aff430305..76e6254856b 100644
--- a/nixos/modules/services/misc/gogs.nix
+++ b/nixos/modules/services/misc/gogs.nix
@@ -178,16 +178,19 @@ in
       wantedBy = [ "multi-user.target" ];
       path = [ pkgs.gogs.bin ];
 
-      preStart = ''
+      preStart = let
+        runConfig = "${cfg.stateDir}/custom/conf/app.ini";
+      in ''
         # copy custom configuration and generate a random secret key if needed
         ${optionalString (cfg.useWizard == false) ''
           mkdir -p ${cfg.stateDir}/custom/conf
-          cp -f ${configFile} ${cfg.stateDir}/custom/conf/app.ini
+          cp -f ${configFile} ${runConfig}
           KEY=$(head -c 16 /dev/urandom | base64)
           DBPASS=$(head -n1 ${cfg.database.passwordFile})
           sed -e "s,#secretkey#,$KEY,g" \
               -e "s,#dbpass#,$DBPASS,g" \
-              -i ${cfg.stateDir}/custom/conf/app.ini
+              -i ${runConfig}
+          chmod 440 ${runConfig}
         ''}
 
         mkdir -p ${cfg.repositoryRoot}
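Review bot: The added `chmod 440 ${runConfig}` runs only after `cp -f` has created the file and `sed -i` has written the secret key and database password into it, so until then the file keeps the mode `cp` gave it (the source mode filtered by the umask), which may well be world-readable. Putting `umask 0027` on the line before `cp -f ${configFile} ${runConfig}` would restrict the file from the moment it is created, with the chmod kept as a backstop. Separately, the unchanged context lines pass `$DBPASS` on the sed command line, where it is visible in the process arguments while sed runs, and a password containing `,`, `&` or `\` would be substituted incorrectly. The preStart script continues past the end of the hunk, so whether it runs as root or as the service user is not visible here.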