nixos/taskserver: Constrain server cert perms

It doesn't do much harm to make the server certificate world readable, because even though it's not accessible anymore via the file system, someone can still get it by simply doing a TLS handshake with the server. So this is solely for consistency. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:59:30 +02:00 · 2016-04-11 22:59:30 +02:00 · d0ab617974
commit d0ab617974
parent 6e10705754
1 changed files with 7 additions and 3 deletions
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@ -388,9 +388,13 @@ in {
            --load-privkey "${cfg.dataDir}/keys/server.key" \
            --outfile "${cfg.dataDir}/keys/server.cert"

-          chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.key"
-          chmod g+r "${cfg.dataDir}/keys/server.key"
-          chmod a+r "${cfg.dataDir}/keys/server.cert"
+          chgrp "${cfg.group}" \
+            "${cfg.dataDir}/keys/server.key" \
+            "${cfg.dataDir}/keys/server.cert"
+
+          chmod g+r \
+            "${cfg.dataDir}/keys/server.key" \
+            "${cfg.dataDir}/keys/server.cert"
        fi

        chmod go+x "${cfg.dataDir}/keys"