colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/acme: add allowKeysForGroup

Browse Source
This commit is contained in:
Nikolay Amiantov 2016-01-06 04:59:14 +03:00
parent ded1a55b8d
commit f92cec4c1b
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
nixos/modules/security/acme.nix
View File

@ -37,6 +37,12 @@ let
description = "Group running the ACME client.";
};
allowKeysForGroup = mkOption {
type = types.bool;
default = false;
description = "Give read permissions to the specified group to read SSL private certificates.";
};
postRun = mkOption {
type = types.lines;
default = "";
@ -137,6 +143,7 @@ in
systemd.services = flip mapAttrs' cfg.certs (cert: data:
let
cpath = "${cfg.directory}/${cert}";
rights = if cfg.allowKeysForGroup then "750" else "700";
cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]
++ optionals (data.email != null) [ "--email" data.email ]
++ concatMap (p: [ "-f" p ]) data.plugins
@ -159,9 +166,10 @@ in
preStart = ''
mkdir -p '${cfg.directory}'
if [ ! -d '${cpath}' ]; then
mkdir -m 700 '${cpath}'
chown '${data.user}:${data.group}' '${cpath}'
mkdir '${cpath}'
fi
chmod ${rights} '${cpath}'
chown -R '${data.user}:${data.group}' '${cpath}'
'';
script = ''
cd '${cpath}'