security/acme: shellcheck fixes

phaer 2024-05-14 00:01:18 +02:00 committed by r-vdp
parent c8e710a315
commit 22794b93e0
No known key found for this signature in database


@ -166,7 +166,7 @@ let
# ensure all required lock files exist, but none more
script = ''
GLOBIGNORE="${lib.concatStringsSep ":" concurrencyLockfiles}"
rm -f *
rm -f -- *
unset GLOBIGNORE
xargs touch <<< "${toString concurrencyLockfiles}"
@ -323,11 +323,11 @@ let
cat key.pem fullchain.pem > full.pem
# Group might change between runs, re-apply it
chown '${user}:${data.group}' *
chown '${user}:${data.group}' -- *
# Default permissions make the files unreadable by group + anon
# Need to be readable by group
chmod 640 *
chmod 640 -- *
'';
};
@ -410,7 +410,7 @@ let
expiration_line="$(
set -euxo pipefail
openssl x509 -noout -enddate <$pem \
openssl x509 -noout -enddate <"$pem" \
| grep notAfter \
| sed -e 's/^notAfter=//'
)"
@ -418,8 +418,8 @@ let
expiration_date="$(date -d "$expiration_line" +%s)"
now="$(date +%s)"
expiration_s=$[expiration_date - now]
expiration_days=$[expiration_s / (3600 * 24)] # rounds down
expiration_s=$((expiration_date - now))
expiration_days=$((expiration_s / (3600 * 24))) # rounds down
[[ $expiration_days -gt ${toString data.validMinDays} ]]
}
@ -441,7 +441,7 @@ let
# Check if we can renew.
# We can only renew if the list of domains has not changed.
# We also need an account key. Avoids #190493
if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(find accounts -name '${data.email}.key')" ]; then
if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/${keyName}.key' ] && [ -e 'certificates/${keyName}.crt' ] && [ -n "$(find accounts -name '${data.email}.key')" ]; then
# Even if a cert is not expired, it may be revoked by the CA.
# Try to renew, and silently fail if the cert is not expired.
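Review bot: The renew check in the last hunk still splices Nix values into single-quoted shell words (`'certificates/${keyName}.key'`, `'${data.email}.key'`), as does `chown '${user}:${data.group}' -- *` in the second hunk. shellcheck only sees the rendered script, so it cannot flag that a value containing `'` would end the quoting and change how the line parses. Passing the whole word through the escaper avoids this, e.g. `[ -e ${lib.escapeShellArg "certificates/${keyName}.key"} ]`, and likewise for the `.crt` test and the chown argument. `find -name` also treats its operand as a glob pattern, so an address containing `*`, `?` or `[` would match more loosely than a literal comparison. These values come from module options, so this is presumably hardening rather than exposure to outside input; the `if` body continues past the end of the hunk.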