nixpkgs/nixos/modules/security/acme/mk-cert-ownership-assertion.nix

lib:

{
  cert,
  groups,
  services,
}:
let
  catSep = builtins.concatStringsSep;

  svcUser = svc: svc.serviceConfig.User or "root";
  svcGroups =
    svc:
    (lib.optional (svc.serviceConfig ? Group) svc.serviceConfig.Group)
    ++ lib.toList (svc.serviceConfig.SupplementaryGroups or [ ]);
in
{
  assertion = builtins.all (
    svc:
    svcUser svc == "root"
    || builtins.elem (svcUser svc) groups.${cert.group}.members
    || builtins.elem cert.group (svcGroups svc)
  ) services;

  message = "Certificate ${cert.domain} (group=${cert.group}) must be readable by service(s) ${
    catSep ", " (
      map (svc: "${svc.name} (user=${svcUser svc} groups=${catSep "," (svcGroups svc)})") services
    )
  }";
}
nixos/web-servers: assert ACME cert access via service user and groups Allows giving access using SupplementaryGroups. 2024-08-24 19:18:07 -04:00			`lib:`

treewide: Format all Nix files Format all Nix files using the officially approved formatter, making the CI check introduced in the previous commit succeed: nix-build ci -A fmt.check This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153) of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166). This commit will lead to merge conflicts for a number of PRs, up to an estimated ~1100 (~33%) among the PRs with activity in the past 2 months, but that should be lower than what it would be without the previous [partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537). Merge conflicts caused by this commit can now automatically be resolved while rebasing using the [auto-rebase script](https://github.com/NixOS/nixpkgs/tree/8616af08d915377bd930395f3b700a0e93d08728/maintainers/scripts/auto-rebase). If you run into any problems regarding any of this, please reach out to the [formatting team](https://nixos.org/community/teams/formatting/) by pinging @NixOS/nix-formatting. 2025-04-01 20:10:43 +02:00			`{`
			`cert,`
			`groups,`
			`services,`
			`}:`
nixos/web-servers: assert ACME cert access via service user and groups Allows giving access using SupplementaryGroups. 2024-08-24 19:18:07 -04:00			`let`
			`catSep = builtins.concatStringsSep;`

nixos/acme: fix cert ownership assert message Handle the case where a service has no `User` defined in the message in addition to the assertion itself. 2024-12-05 20:15:25 -05:00			`svcUser = svc: svc.serviceConfig.User or "root";`
treewide: Format all Nix files Format all Nix files using the officially approved formatter, making the CI check introduced in the previous commit succeed: nix-build ci -A fmt.check This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153) of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166). This commit will lead to merge conflicts for a number of PRs, up to an estimated ~1100 (~33%) among the PRs with activity in the past 2 months, but that should be lower than what it would be without the previous [partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537). Merge conflicts caused by this commit can now automatically be resolved while rebasing using the [auto-rebase script](https://github.com/NixOS/nixpkgs/tree/8616af08d915377bd930395f3b700a0e93d08728/maintainers/scripts/auto-rebase). If you run into any problems regarding any of this, please reach out to the [formatting team](https://nixos.org/community/teams/formatting/) by pinging @NixOS/nix-formatting. 2025-04-01 20:10:43 +02:00			`svcGroups =`
			`svc:`
nixos/web-servers: assert ACME cert access via service user and groups Allows giving access using SupplementaryGroups. 2024-08-24 19:18:07 -04:00			`(lib.optional (svc.serviceConfig ? Group) svc.serviceConfig.Group)`
nixos/acme: fix cert ownership assert for string `SupplementaryGroups` 2024-11-14 19:19:46 -05:00			`++ lib.toList (svc.serviceConfig.SupplementaryGroups or [ ]);`
nixos/web-servers: assert ACME cert access via service user and groups Allows giving access using SupplementaryGroups. 2024-08-24 19:18:07 -04:00			`in`
			`{`
treewide: Format all Nix files Format all Nix files using the officially approved formatter, making the CI check introduced in the previous commit succeed: nix-build ci -A fmt.check This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153) of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166). This commit will lead to merge conflicts for a number of PRs, up to an estimated ~1100 (~33%) among the PRs with activity in the past 2 months, but that should be lower than what it would be without the previous [partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537). Merge conflicts caused by this commit can now automatically be resolved while rebasing using the [auto-rebase script](https://github.com/NixOS/nixpkgs/tree/8616af08d915377bd930395f3b700a0e93d08728/maintainers/scripts/auto-rebase). If you run into any problems regarding any of this, please reach out to the [formatting team](https://nixos.org/community/teams/formatting/) by pinging @NixOS/nix-formatting. 2025-04-01 20:10:43 +02:00			`assertion = builtins.all (`
			`svc:`
nixos/acme: fix cert ownership assert message Handle the case where a service has no `User` defined in the message in addition to the assertion itself. 2024-12-05 20:15:25 -05:00			`svcUser svc == "root"`
			`\|\| builtins.elem (svcUser svc) groups.${cert.group}.members`
nixos/web-servers: assert ACME cert access via service user and groups Allows giving access using SupplementaryGroups. 2024-08-24 19:18:07 -04:00			`\|\| builtins.elem cert.group (svcGroups svc)`
			`) services;`

			`message = "Certificate ${cert.domain} (group=${cert.group}) must be readable by service(s) ${`
treewide: Format all Nix files Format all Nix files using the officially approved formatter, making the CI check introduced in the previous commit succeed: nix-build ci -A fmt.check This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153) of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166). This commit will lead to merge conflicts for a number of PRs, up to an estimated ~1100 (~33%) among the PRs with activity in the past 2 months, but that should be lower than what it would be without the previous [partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537). Merge conflicts caused by this commit can now automatically be resolved while rebasing using the [auto-rebase script](https://github.com/NixOS/nixpkgs/tree/8616af08d915377bd930395f3b700a0e93d08728/maintainers/scripts/auto-rebase). If you run into any problems regarding any of this, please reach out to the [formatting team](https://nixos.org/community/teams/formatting/) by pinging @NixOS/nix-formatting. 2025-04-01 20:10:43 +02:00			`catSep ", " (`
			`map (svc: "${svc.name} (user=${svcUser svc} groups=${catSep "," (svcGroups svc)})") services`
			`)`
nixos/web-servers: assert ACME cert access via service user and groups Allows giving access using SupplementaryGroups. 2024-08-24 19:18:07 -04:00			`}";`
nixos/acme: ensure web servers using certs can access them 2022-01-08 15:05:34 -05:00			`}`