modularize the secrets-permissions module

root 2024-06-28 21:06:04 +02:00
parent 73fe36e68d
commit b2c7f7be27
2 changed files with 28 additions and 31 deletions


@ -1,24 +1,37 @@
# This module enforces permissions on secrets stored on the machines. # This module enforces permissions on secrets stored on the machines.
{ config, ... }: { config, lib, ... }:
with lib;
let
cfg = config.custom.secrets;
in
{ {
system.activationScripts."secrets-permissions" = '' options.custom.secrets = {
# Default to restrictive permissions on secrets. extraCommands = mkOption {
# Root can alway read/write/traverse directories no matter the permissions default = "";
# set. type = types.lines;
description = lib.mdDoc "extra commands to populate /etc/secrets";
};
};
mkdir -p /etc/secrets config = {
system.activationScripts."secrets-permissions" = ''
# Default to restrictive permissions on secrets.
# Root can alway read/write/traverse directories no matter the permissions
# set.
chown --recursive root:root /etc/secrets mkdir -p /etc/secrets
chmod --recursive 600 /etc/secrets
# Relax permissions on some secrets. chown --recursive root:root /etc/secrets
chmod --recursive 600 /etc/secrets
# The top directory must be readable and traversable by thoses who need to # Relax permissions on some secrets.
# access secrets.
chmod 755 /etc/secrets
# ... add chowns & chmods to specific users/groups when needed # The top directory must be readable and traversable by thoses who need to
''; # access secrets.
chmod 755 /etc/secrets
'' + cfg.extraCommands;
};
} }
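Review bot: The new `extraCommands` option is described as `extra commands to populate /etc/secrets`, but the surrounding script shows a different contract: the text is concatenated verbatim onto an activation snippet that runs as root, after the whole tree has been reset to root:root and mode 600, and the host file in this commit uses it for the mkdir/chmod of specific entries under /etc/secrets (the placeholder comment that said so was dropped). I would state that in the option, e.g. `description = "Shell commands appended to the secrets-permissions activation script. They run as root after /etc/secrets has been reset to root:root 0600, so per-secret chown/chmod relaxations belong here.";`. That also makes clear that anything created by these commands must set its own ownership and mode, since nothing after the concatenation re-tightens them. Minor style: `with lib;` alongside `lib.mdDoc` mixes qualified and unqualified access, so either use `lib.mkOption`/`lib.types.lines` and drop the `with`, or be consistent; in recent nixpkgs `lib.mdDoc` is deprecated in favour of a plain Markdown string, and the carried-over comments still read `alway` and `thoses`.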


@ -922,24 +922,8 @@ dovecot_plain:
group = config.services.exim.group; group = config.services.exim.group;
}; };
# FIXME
environment.systemPackages = [ pkgs.acl ]; environment.systemPackages = [ pkgs.acl ];
system.activationScripts."secrets-permissions" = lib.mkForce '' custom.secrets.extraCommands = ''
# Default to restrictive permissions on secrets.
# Root can alway read/write/traverse directories no matter the permissions
# set.
mkdir -p /etc/secrets
chown --recursive root:root /etc/secrets
chmod --recursive 600 /etc/secrets
# Relax permissions on some secrets.
# The top directory must be readable and traversable by thoses who need to
# access secrets.
chmod 755 /etc/secrets
mkdir -p /etc/secrets/exim/virtual mkdir -p /etc/secrets/exim/virtual
mkdir -p /etc/secrets/exim/domains mkdir -p /etc/secrets/exim/domains
chmod 700 /etc/secrets/exim chmod 700 /etc/secrets/exim