nixos/acme: apply chmod and ownership unconditionally

Also separate directory and file permissions so the certificate files don't end up with the executable bit. Fixes #81335
author: Martin Weinelt <hexa@darmstadt.ccc.de> 2020-02-29 14:17:25 +0100
committer: Martin Weinelt <hexa@darmstadt.ccc.de> 2020-02-29 20:17:14 +0100
commit: 3575555fa8a15049bada8bf8e8ba68a3aba71419 (patch)
tree: fa0adcb6f6982147544642a556213a672c2297f5 /nixos
parent: 6602e9ad5bf196f7f7bef8368fd67a31fb1a1f52 (diff)
download: nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar
nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.gz
nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.bz2
nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.lz
nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.xz
nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.zst
nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.zip
1 files changed, 6 insertions, 5 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 238c18242c1..1cf167ba7a2 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -281,7 +281,7 @@ in
                 lpath = "acme/${cert}";
                 apath = "/var/lib/${lpath}";
                 spath = "/var/lib/acme/.lego";
-                rights = if data.allowKeysForGroup then "750" else "700";
+                fileMode = if data.allowKeysForGroup then "640" else "600";
                 globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
                           ++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
                           ++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
@@ -306,7 +306,7 @@ in
                     Group = data.group;
                     PrivateTmp = true;
                     StateDirectory = "acme/.lego ${lpath}";
-                    StateDirectoryMode = rights;
+                    StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";
                     WorkingDirectory = spath;
                     # Only try loading the credentialsFile if the dns challenge is enabled
                     EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null;
@@ -329,10 +329,11 @@ in
                             cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
                             ln -s fullchain.pem cert.pem
                             cat key.pem fullchain.pem > full.pem
-                            chmod ${rights} *.pem
-                            chown '${data.user}:${data.group}' *.pem
                           fi
 
+                          chmod ${fileMode} *.pem
+                          chown '${data.user}:${data.group}' *.pem
+
                           ${data.postRun}
                         '';
                       in
@@ -374,7 +375,7 @@ in
 
                       # Give key acme permissions
                       chown '${data.user}:${data.group}' "${apath}/"{key,fullchain,full}.pem
-                      chmod ${rights} "${apath}/"{key,fullchain,full}.pem
+                      chmod ${fileMode} "${apath}/"{key,fullchain,full}.pem
                     '';
                   serviceConfig = {
                     Type = "oneshot";
author	Martin Weinelt <hexa@darmstadt.ccc.de>	2020-02-29 14:17:25 +0100
committer	Martin Weinelt <hexa@darmstadt.ccc.de>	2020-02-29 20:17:14 +0100
commit	3575555fa8a15049bada8bf8e8ba68a3aba71419 (patch)
tree	fa0adcb6f6982147544642a556213a672c2297f5 /nixos
parent	6602e9ad5bf196f7f7bef8368fd67a31fb1a1f52 (diff)
download	nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.gz nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.bz2 nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.lz nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.xz nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.tar.zst nixpkgs-3575555fa8a15049bada8bf8e8ba68a3aba71419.zip