movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 14:10:33 +03:00
Code Activity
nixpkgs/nixos/modules/security/acme/mk-cert-ownership-assertion.nix
ThinkChaos 3c2e82337d
nixos/web-servers: assert ACME cert access via service user and groups 
Allows giving access using SupplementaryGroups.
2024-11-07 20:19:12 -05:00

21 lines
669 B
Nix
Raw Blame History

lib:
{ cert, groups, services }:
let
catSep = builtins.concatStringsSep;
svcGroups = svc:
(lib.optional (svc.serviceConfig ? Group) svc.serviceConfig.Group)
++ (svc.serviceConfig.SupplementaryGroups or [ ]);
in
{
assertion = builtins.all (svc:
svc.serviceConfig.User or "root" == "root"
|| builtins.elem svc.serviceConfig.User groups.${cert.group}.members
|| builtins.elem cert.group (svcGroups svc)
) services;
message = "Certificate ${cert.domain} (group=${cert.group}) must be readable by service(s) ${
catSep ", " (map (svc: "${svc.name} (user=${svc.serviceConfig.User} groups=${catSep " " (svcGroups svc)})") services)
}";
}
View git blame Copy permalink