From d0ab6179746335e17e82b81e7056374834d54f57 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Mon, 11 Apr 2016 22:59:30 +0200
Subject: nixos/taskserver: Constrain server cert perms It doesn't do much harm to make the server certificate world readable, because even though it's not accessible anymore via the file system, someone can still get it by simply doing a TLS handshake with the server. So this is solely for consistency.
Signed-off-by: aszlig
---
nixos/modules/services/misc/taskserver/default.nix | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'nixos/modules')
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index 7e993627cec..b0e05340e3b 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -388,9 +388,13 @@ in {
 --load-privkey "${cfg.dataDir}/keys/server.key" \
 --outfile "${cfg.dataDir}/keys/server.cert"
- chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.key"
- chmod g+r "${cfg.dataDir}/keys/server.key"
- chmod a+r "${cfg.dataDir}/keys/server.cert"
+ chgrp "${cfg.group}" \
+ "${cfg.dataDir}/keys/server.key" \
+ "${cfg.dataDir}/keys/server.cert"
+
+ chmod g+r \
+ "${cfg.dataDir}/keys/server.key" \
+ "${cfg.dataDir}/keys/server.cert"
 fi
 chmod go+x "${cfg.dataDir}/keys"
-- cgit 1.4.1
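Review bot: The new `chmod g+r` on `server.key` and `server.cert` only adds the group-read bit, so nothing in this hunk removes world access; the final modes depend on whatever mode certtool and the process umask gave the files at creation, which is not visible here. Because the context line `chmod go+x "${cfg.dataDir}/keys"` leaves the directory traversable by every user, the file mode is the only barrier in front of the private key, and an absolute mode would make the intent deterministic: `chmod 0640 \` in place of `chmod g+r \`. The block ends at a `fi` whose condition lies outside the hunk; if it runs only when the key material is first generated, a certificate that already exists keeps the old `a+r` mode and would need a one-off fix-up.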