diff options
author | Pascal Wittmann <PascalWittmann@gmx.net> | 2016-01-11 07:45:49 +0100 |
---|---|---|
committer | Pascal Wittmann <PascalWittmann@gmx.net> | 2016-01-11 07:45:49 +0100 |
commit | 0d21ba236166fad7815f751101ac0605382732dd (patch) | |
tree | 45d72291dfee4cba66a50d1951edc1b2a9e0ba55 /nixos | |
parent | 009f944b9f5ff26c75b1cdd35acaa0572043482c (diff) | |
parent | f92cec4c1bf6406cb26f420e57f8ab77e3351752 (diff) | |
download | nixpkgs-0d21ba236166fad7815f751101ac0605382732dd.tar nixpkgs-0d21ba236166fad7815f751101ac0605382732dd.tar.gz nixpkgs-0d21ba236166fad7815f751101ac0605382732dd.tar.bz2 nixpkgs-0d21ba236166fad7815f751101ac0605382732dd.tar.lz nixpkgs-0d21ba236166fad7815f751101ac0605382732dd.tar.xz nixpkgs-0d21ba236166fad7815f751101ac0605382732dd.tar.zst nixpkgs-0d21ba236166fad7815f751101ac0605382732dd.zip |
Merge pull request #12283 from abbradar/acme-allowgroup
nixos/acme: add allowKeysForGroup
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/acme.nix | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 2de57dd68cb..a2806973a35 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -37,6 +37,12 @@ let description = "Group running the ACME client."; }; + allowKeysForGroup = mkOption { + type = types.bool; + default = false; + description = "Give read permissions to the specified group to read SSL private certificates."; + }; + postRun = mkOption { type = types.lines; default = ""; @@ -137,6 +143,7 @@ in systemd.services = flip mapAttrs' cfg.certs (cert: data: let cpath = "${cfg.directory}/${cert}"; + rights = if cfg.allowKeysForGroup then "750" else "700"; cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ] ++ optionals (data.email != null) [ "--email" data.email ] ++ concatMap (p: [ "-f" p ]) data.plugins @@ -159,9 +166,10 @@ in preStart = '' mkdir -p '${cfg.directory}' if [ ! -d '${cpath}' ]; then - mkdir -m 700 '${cpath}' - chown '${data.user}:${data.group}' '${cpath}' + mkdir '${cpath}' fi + chmod ${rights} '${cpath}' + chown -R '${data.user}:${data.group}' '${cpath}' ''; script = '' cd '${cpath}' |