From 1e8e314fdb1e5841f40e0ba6810465d9b1d2255c Mon Sep 17 00:00:00 2001 From: ThinkChaos Date: Thu, 5 Dec 2024 20:15:25 -0500 Subject: [PATCH] nixos/acme: fix cert ownership assert message Handle the case where a service has no `User` defined in the message in addition to the assertion itself. --- .../modules/security/acme/mk-cert-ownership-assertion.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/nixos/modules/security/acme/mk-cert-ownership-assertion.nix b/nixos/modules/security/acme/mk-cert-ownership-assertion.nix index 0339d7920ad9..64a783331656 100644 --- a/nixos/modules/security/acme/mk-cert-ownership-assertion.nix +++ b/nixos/modules/security/acme/mk-cert-ownership-assertion.nix @@ -4,18 +4,19 @@ lib: let catSep = builtins.concatStringsSep; + svcUser = svc: svc.serviceConfig.User or "root"; svcGroups = svc: (lib.optional (svc.serviceConfig ? Group) svc.serviceConfig.Group) ++ lib.toList (svc.serviceConfig.SupplementaryGroups or [ ]); in { assertion = builtins.all (svc: - svc.serviceConfig.User or "root" == "root" - || builtins.elem svc.serviceConfig.User groups.${cert.group}.members + svcUser svc == "root" + || builtins.elem (svcUser svc) groups.${cert.group}.members || builtins.elem cert.group (svcGroups svc) ) services; message = "Certificate ${cert.domain} (group=${cert.group}) must be readable by service(s) ${ - catSep ", " (map (svc: "${svc.name} (user=${svc.serviceConfig.User} groups=${catSep " " (svcGroups svc)})") services) + catSep ", " (map (svc: "${svc.name} (user=${svcUser svc} groups=${catSep "," (svcGroups svc)})") services) }"; }