author: aszlig <aszlig@redmoonstudios.org> 2016-04-11 22:59:30 +0200
committer: aszlig <aszlig@redmoonstudios.org> 2016-04-11 22:59:30 +0200
commit: d0ab6179746335e17e82b81e7056374834d54f57
tree: a98d9d1d66308d1953d07e7ad2e5058e51c74a61 /nixos/modules
parent: 6e10705754a790bcd44d1f46dfb629678750bb9b
nixos/taskserver: Constrain server cert perms

It doesn't do much harm to make the server certificate world readable,
because even though it's not accessible anymore via the file system,
someone can still get it by simply doing a TLS handshake with the
server.

So this is solely for consistency.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'nixos/modules')
-rw-r--r-- nixos/modules/services/misc/taskserver/default.nix 10
1 files changed, 7 insertions, 3 deletions
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index 7e993627cec..b0e05340e3b 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -388,9 +388,13 @@ in {
             --load-privkey "${cfg.dataDir}/keys/server.key" \
             --outfile "${cfg.dataDir}/keys/server.cert"
 
-          chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.key"
-          chmod g+r "${cfg.dataDir}/keys/server.key"
-          chmod a+r "${cfg.dataDir}/keys/server.cert"
+          chgrp "${cfg.group}" \
+            "${cfg.dataDir}/keys/server.key" \
+            "${cfg.dataDir}/keys/server.cert"
+
+          chmod g+r \
+            "${cfg.dataDir}/keys/server.key" \
+            "${cfg.dataDir}/keys/server.cert"
         fi
 
         chmod go+x "${cfg.dataDir}/keys"
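
Review bot: the new `chmod g+r` on server.key and server.cert only adds the group read bit and never clears the "other" bits, so dropping the old `chmod a+r` line makes server.cert non-world-readable only if the command writing `--outfile` happens to create it without o+r, which nothing in this hunk guarantees. Set the mode explicitly instead, for example `chmod 0640` on both files (or `chmod g+r,o-rwx`), so the result does not depend on the umask in effect. These lines also sit inside the block closed by `fi`; if that block only runs when the key and certificate are generated, a server.cert written earlier with `a+r` keeps its world-readable bit, so consider applying the mode outside the conditional.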