author | Silvan Mosberger <contact@infinisil.com> | 2020-03-07 03:24:46 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-07 03:24:46 +0100 |
commit | 4f69262c190845ca36de255e857d8b54e2faf4b4 (patch) | |
tree | ddffae07e1b6bd5d435bc86595d81dc70fc0c784 /nixos | |
parent | a985982db6313cceb799cfa1f3a4ba5d5e6029cc (diff) | |
parent | 3575555fa8a15049bada8bf8e8ba68a3aba71419 (diff) | |
Merge pull request #81369 from mweinelt/pr/acme-chmod
nixos/acme: apply chmod and ownership unconditionally
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/acme.nix | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 4c7f0ee657c..b787a767539 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -302,7 +302,7 @@ in lpath = "acme/${cert}"; apath = "/var/lib/${lpath}"; spath = "/var/lib/acme/.lego"; - rights = if data.allowKeysForGroup then "750" else "700"; + fileMode = if data.allowKeysForGroup then "640" else "600"; globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ] ++ optionals (cfg.acceptTerms) [ "--accept-tos" ] ++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ] @@ -331,7 +331,7 @@ in Group = data.group; PrivateTmp = true; StateDirectory = "acme/.lego ${lpath}"; - StateDirectoryMode = rights; + StateDirectoryMode = if data.allowKeysForGroup then "750" else "700"; WorkingDirectory = spath; # Only try loading the credentialsFile if the dns challenge is enabled EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null; @@ -354,10 +354,11 @@ in cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem ln -sf fullchain.pem cert.pem cat key.pem fullchain.pem > full.pem - chmod ${rights} *.pem - chown '${data.user}:${data.group}' *.pem fi + chmod ${fileMode} *.pem + chown '${data.user}:${data.group}' *.pem + ${data.postRun} ''; in @@ -399,7 +400,7 @@ in # Give key acme permissions chown '${data.user}:${data.group}' "${apath}/"{key,fullchain,full}.pem - chmod ${rights} "${apath}/"{key,fullchain,full}.pem + chmod ${fileMode} "${apath}/"{key,fullchain,full}.pem ''; serviceConfig = { Type = "oneshot"; |
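Review bot: In the third hunk the moved `chmod ${fileMode} *.pem` only tightens modes after `cat key.pem fullchain.pem > full.pem` has already written the private key into full.pem under the script's default umask, so there is a short window in which full.pem is wider than the intended 600/640. A `umask 077` (or `umask 027` when allowKeysForGroup is set) at the start of the script, which lies outside this hunk, would make every file private from creation; the 750/700 StateDirectoryMode from the second hunk already keeps users outside the group from traversing the directory, so the exposure is limited to processes that can already read it. Separately, `chmod ${fileMode} *.pem` and the chown that follows it are now unconditional, so if no `.pem` file exists at that point the unexpanded glob makes chmod fail and, if the script runs under `set -e` as NixOS systemd scripts normally do, the unit aborts before `${data.postRun}` runs. Whether a `.pem` can be absent here depends on the part of the script above the hunk; if it can, keep an explicit `[ -e key.pem ]`-style guard around these two lines rather than relying on the glob. The same create-then-chmod ordering applies to the selfsigned script in the last hunk, whose file creation is also outside the visible lines.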