author | Moritz Hedtke <Moritz.Hedtke@t-online.de> | 2021-12-15 20:27:18 +0100 |
committer | Moritz Hedtke <Moritz.Hedtke@t-online.de> | 2021-12-15 20:42:00 +0100 |
commit | 116ae00e73d78e723b813b8872553c68cbcb1dac (patch) | |
tree | 5aef4b6dd5b4bc68a51f060fa6ad7e4d1cfc2371 /nixos/modules/services/security | |
parent | a2e281f5770247855b85d70c43454ba5bff34613 (diff) | |
nixos/step-ca: create a step-ca user
This allows you to create the certificate files owned by that user so the service can read them.
Diffstat (limited to 'nixos/modules/services/security')
-rw-r--r-- | nixos/modules/services/security/step-ca.nix | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/nixos/modules/services/security/step-ca.nix b/nixos/modules/services/security/step-ca.nix
index 27b2ceed1a4..bfb29fbc6c1 100644
--- a/nixos/modules/services/security/step-ca.nix
+++ b/nixos/modules/services/security/step-ca.nix
@@ -108,6 +108,9 @@ in
 ConditionFileNotEmpty = ""; # override upstream
 };
 serviceConfig = {
+ User = "step-ca";
+ Group = "step-ca";
+ UMask = "0077";
 Environment = "HOME=%S/step-ca";
 WorkingDirectory = ""; # override upstream
 ReadWriteDirectories = ""; # override upstream
@@ -129,6 +132,14 @@ in
 };
 };
+ users.users.step-ca = {
+ home = "/var/lib/step-ca";
+ group = "step-ca";
+ isSystemUser = true;
+ };
+
+ users.groups.step-ca = {};
+
 networking.firewall = lib.mkIf cfg.openFirewall {
 allowedTCPPorts = [ cfg.port ];
 }; |
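Review bot: Dropping the unit from root to the new step-ca user (the `User`/`Group` lines in the first hunk) changes what the service can bind and read, and neither hunk handles the two consequences. If `cfg.port` is configured below 1024 the unprivileged process can no longer bind it, so either add `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` beside `UMask = "0077";` or document in the option description that the port must be unprivileged. Existing deployments that already ran as root have `/var/lib/step-ca` and the CA key material owned by root; `HOME=%S/step-ca` suggests a `StateDirectory` that systemd may re-own on start, but that setting is outside this hunk, and the second hunk's `home = "/var/lib/step-ca"` sets no `createHome`, so a short comment such as `# state dir ownership is handled by StateDirectory; existing root-owned files must be chowned to step-ca` (or a release note) would make the migration explicit. Both the `serviceConfig` attrset and the enclosing module body begin and end outside the hunks.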