diff options
author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2020-02-29 14:17:25 +0100 |
---|---|---|
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2020-02-29 20:17:14 +0100 |
commit | 3575555fa8a15049bada8bf8e8ba68a3aba71419 (patch) | |
tree | fa0adcb6f6982147544642a556213a672c2297f5 /nixos | |
parent | 6602e9ad5bf196f7f7bef8368fd67a31fb1a1f52 (diff) | |
download | nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.gz nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.bz2 nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.lz nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.xz nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.zst nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.zip |
nixos/acme: apply chmod and ownership unconditionally
Also separate directory and file permissions so the certificate files don't end up with the executable bit. Fixes #81335
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/acme.nix | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 238c18242c1..1cf167ba7a2 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -281,7 +281,7 @@ in lpath = "acme/${cert}"; apath = "/var/lib/${lpath}"; spath = "/var/lib/acme/.lego"; - rights = if data.allowKeysForGroup then "750" else "700"; + fileMode = if data.allowKeysForGroup then "640" else "600"; globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ] ++ optionals (cfg.acceptTerms) [ "--accept-tos" ] ++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ] @@ -306,7 +306,7 @@ in Group = data.group; PrivateTmp = true; StateDirectory = "acme/.lego ${lpath}"; - StateDirectoryMode = rights; + StateDirectoryMode = if data.allowKeysForGroup then "750" else "700"; WorkingDirectory = spath; # Only try loading the credentialsFile if the dns challenge is enabled EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null; @@ -329,10 +329,11 @@ in cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem ln -s fullchain.pem cert.pem cat key.pem fullchain.pem > full.pem - chmod ${rights} *.pem - chown '${data.user}:${data.group}' *.pem fi + chmod ${fileMode} *.pem + chown '${data.user}:${data.group}' *.pem + ${data.postRun} ''; in @@ -374,7 +375,7 @@ in # Give key acme permissions chown '${data.user}:${data.group}' "${apath}/"{key,fullchain,full}.pem - chmod ${rights} "${apath}/"{key,fullchain,full}.pem + chmod ${fileMode} "${apath}/"{key,fullchain,full}.pem ''; serviceConfig = { Type = "oneshot"; |