Merge pull request #12283 from abbradar/acme-allowgroup

nixos/acme: add allowKeysForGroup
Pascal Wittmann 2016-01-11 07:45:49 +01:00
commit 0d21ba2361
1 changed files with 10 additions and 2 deletions


@ -37,6 +37,12 @@ let
description = "Group running the ACME client."; description = "Group running the ACME client.";
}; };
allowKeysForGroup = mkOption {
type = types.bool;
default = false;
description = "Give read permissions to the specified group to read SSL private certificates.";
};
postRun = mkOption { postRun = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
@ -137,6 +143,7 @@ in
systemd.services = flip mapAttrs' cfg.certs (cert: data: systemd.services = flip mapAttrs' cfg.certs (cert: data:
let let
cpath = "${cfg.directory}/${cert}"; cpath = "${cfg.directory}/${cert}";
rights = if cfg.allowKeysForGroup then "750" else "700";
cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ] cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]
++ optionals (data.email != null) [ "--email" data.email ] ++ optionals (data.email != null) [ "--email" data.email ]
++ concatMap (p: [ "-f" p ]) data.plugins ++ concatMap (p: [ "-f" p ]) data.plugins
@ -159,9 +166,10 @@ in
preStart = '' preStart = ''
mkdir -p '${cfg.directory}' mkdir -p '${cfg.directory}'
if [ ! -d '${cpath}' ]; then if [ ! -d '${cpath}' ]; then
mkdir -m 700 '${cpath}' mkdir '${cpath}'
chown '${data.user}:${data.group}' '${cpath}'
fi fi
chmod ${rights} '${cpath}'
chown -R '${data.user}:${data.group}' '${cpath}'
''; '';
script = '' script = ''
cd '${cpath}' cd '${cpath}'
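Review bot: In the third hunk the new `mkdir '${cpath}'` drops the `-m 700` the old line carried, so a fresh directory is first created with the service's umask and only tightened by the later `chmod ${rights}`; the directory is empty at that point so the exposure is small, but `mkdir -m ${rights} '${cpath}'` keeps creation atomic while the unconditional `chmod` still covers an existing directory when the option is flipped. Note also that `chmod ${rights}` applies to the directory only while `chown -R` recurses, so a group member gains traversal of `${cpath}` but whether the key files inside are group-readable depends on the modes they are created with, which this hunk does not set; worth confirming against the client's file modes. The option description in the first hunk could state that scope, e.g. `Give the specified group read access to the certificate directory; file modes inside it are not changed by this option.` The enclosing `systemd.services` definition starts in the second hunk and runs past the end of this one.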