modularize the secrets-permissions module
This commit is contained in:
parent
73fe36e68d
commit
b2c7f7be27
2 changed files with 28 additions and 31 deletions
|
@ -1,24 +1,37 @@
|
||||||
# This module enforces permissions on secrets stored on the machines.
|
# This module enforces permissions on secrets stored on the machines.
|
||||||
|
|
||||||
{ config, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.custom.secrets;
|
||||||
|
in
|
||||||
{
|
{
|
||||||
system.activationScripts."secrets-permissions" = ''
|
options.custom.secrets = {
|
||||||
# Default to restrictive permissions on secrets.
|
extraCommands = mkOption {
|
||||||
# Root can alway read/write/traverse directories no matter the permissions
|
default = "";
|
||||||
# set.
|
type = types.lines;
|
||||||
|
description = lib.mdDoc "extra commands to populate /etc/secrets";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
mkdir -p /etc/secrets
|
config = {
|
||||||
|
system.activationScripts."secrets-permissions" = ''
|
||||||
|
# Default to restrictive permissions on secrets.
|
||||||
|
# Root can alway read/write/traverse directories no matter the permissions
|
||||||
|
# set.
|
||||||
|
|
||||||
chown --recursive root:root /etc/secrets
|
mkdir -p /etc/secrets
|
||||||
chmod --recursive 600 /etc/secrets
|
|
||||||
|
|
||||||
# Relax permissions on some secrets.
|
chown --recursive root:root /etc/secrets
|
||||||
|
chmod --recursive 600 /etc/secrets
|
||||||
|
|
||||||
# The top directory must be readable and traversable by thoses who need to
|
# Relax permissions on some secrets.
|
||||||
# access secrets.
|
|
||||||
chmod 755 /etc/secrets
|
|
||||||
|
|
||||||
# ... add chowns & chmods to specific users/groups when needed
|
# The top directory must be readable and traversable by thoses who need to
|
||||||
'';
|
# access secrets.
|
||||||
|
chmod 755 /etc/secrets
|
||||||
|
'' + cfg.extraCommands;
|
||||||
|
};
|
||||||
}
|
}
|
|
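Review bot: The new `extraCommands` option's description, `"extra commands to populate /etc/secrets"`, does not match how the activation script uses the value: the commands are appended after the tree has already been reset to root:root and mode 600 and the top directory opened to 755, so anything they create is not covered by the restrictive pass, while anything they relax stays relaxed. The description should state that contract, e.g. `description = lib.mdDoc "shell commands appended to the secrets-permissions activation script; they run after /etc/secrets has been reset to root:root/600 (top directory 755), so use them to relax modes for specific services — files they create are not re-restricted";`. Two points on the defaults themselves: `chmod --recursive 600` also strips the execute bit from every subdirectory, so a non-root service can only reach a secret if its `extraCommands` explicitly restores directory modes, and `chmod 755 /etc/secrets` lets every local user list the names of all secrets, whereas `chmod 711 /etc/secrets` would still allow traversal to known paths. The carried-over comments also still say `alway` and `thoses` where `always` and `those` are meant.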
@ -922,24 +922,8 @@ dovecot_plain:
|
||||||
group = config.services.exim.group;
|
group = config.services.exim.group;
|
||||||
};
|
};
|
||||||
|
|
||||||
# FIXME
|
|
||||||
environment.systemPackages = [ pkgs.acl ];
|
environment.systemPackages = [ pkgs.acl ];
|
||||||
system.activationScripts."secrets-permissions" = lib.mkForce ''
|
custom.secrets.extraCommands = ''
|
||||||
# Default to restrictive permissions on secrets.
|
|
||||||
# Root can alway read/write/traverse directories no matter the permissions
|
|
||||||
# set.
|
|
||||||
|
|
||||||
mkdir -p /etc/secrets
|
|
||||||
|
|
||||||
chown --recursive root:root /etc/secrets
|
|
||||||
chmod --recursive 600 /etc/secrets
|
|
||||||
|
|
||||||
# Relax permissions on some secrets.
|
|
||||||
|
|
||||||
# The top directory must be readable and traversable by thoses who need to
|
|
||||||
# access secrets.
|
|
||||||
chmod 755 /etc/secrets
|
|
||||||
|
|
||||||
mkdir -p /etc/secrets/exim/virtual
|
mkdir -p /etc/secrets/exim/virtual
|
||||||
mkdir -p /etc/secrets/exim/domains
|
mkdir -p /etc/secrets/exim/domains
|
||||||
chmod 700 /etc/secrets/exim
|
chmod 700 /etc/secrets/exim
|
||||||
|
|
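Review bot: `mkdir -p /etc/secrets/exim/virtual` and `mkdir -p /etc/secrets/exim/domains` create any missing directories with the activation shell's umask rather than a fixed mode, and only the parent is tightened afterwards by `chmod 700 /etc/secrets/exim`; creating the parent explicitly first, `mkdir -p -m 700 /etc/secrets/exim`, ahead of the two subdirectory mkdirs removes the dependence on umask and the window in which the parent exists with a looser mode. Note also that after the module's default pass the directory is owned by root:root, so a 700 mode blocks the exim service itself; the `group = config.services.exim.group;` context at the top of the hunk suggests exim is meant to read these secrets, which would need a `chgrp`/`chmod 750` (or a `setfacl`, given `pkgs.acl` is installed) on `/etc/secrets/exim` unless that is done in the part of the `custom.secrets.extraCommands` string that continues past the end of this hunk.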