nixos/acme: apply chmod and ownership unconditionally

Also separate directory and file permissions so the certificate files don't end up with the executable bit. Fixes #81335
2024-11-28 18:03:04 +00:00 · 2020-02-29 14:17:25 +01:00 · 2020-02-29 14:17:25 +01:00 · 3575555fa8
commit 3575555fa8
parent 6602e9ad5b
1 changed files with 6 additions and 5 deletions
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -281,7 +281,7 @@ in
                lpath = "acme/${cert}";
                apath = "/var/lib/${lpath}";
                spath = "/var/lib/acme/.lego";
-                rights = if data.allowKeysForGroup then "750" else "700";
+                fileMode = if data.allowKeysForGroup then "640" else "600";
                globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
                          ++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
                          ++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
@ -306,7 +306,7 @@ in
                    Group = data.group;
                    PrivateTmp = true;
                    StateDirectory = "acme/.lego ${lpath}";
-                    StateDirectoryMode = rights;
+                    StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";
                    WorkingDirectory = spath;
                    # Only try loading the credentialsFile if the dns challenge is enabled
                    EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null;
@ -329,10 +329,11 @@ in
                            cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
                            ln -s fullchain.pem cert.pem
                            cat key.pem fullchain.pem > full.pem
-                            chmod ${rights} *.pem
-                            chown '${data.user}:${data.group}' *.pem
                          fi

+                          chmod ${fileMode} *.pem
+                          chown '${data.user}:${data.group}' *.pem
+
                          ${data.postRun}
                        '';
                      in
@ -374,7 +375,7 @@ in

                      # Give key acme permissions
                      chown '${data.user}:${data.group}' "${apath}/"{key,fullchain,full}.pem
-                      chmod ${rights} "${apath}/"{key,fullchain,full}.pem
+                      chmod ${fileMode} "${apath}/"{key,fullchain,full}.pem
                    '';
                  serviceConfig = {
                    Type = "oneshot";