modularize the secrets-permissions module
This commit is contained in:
parent
73fe36e68d
commit
b2c7f7be27
2 changed files with 28 additions and 31 deletions
|
@ -1,24 +1,37 @@
|
|||
# This module enforces permissions on secrets stored on the machines.
|
||||
|
||||
{ config, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.custom.secrets;
|
||||
in
|
||||
{
|
||||
system.activationScripts."secrets-permissions" = ''
|
||||
# Default to restrictive permissions on secrets.
|
||||
# Root can alway read/write/traverse directories no matter the permissions
|
||||
# set.
|
||||
options.custom.secrets = {
|
||||
extraCommands = mkOption {
|
||||
default = "";
|
||||
type = types.lines;
|
||||
description = lib.mdDoc "extra commands to populate /etc/secrets";
|
||||
};
|
||||
};
|
||||
|
||||
mkdir -p /etc/secrets
|
||||
config = {
|
||||
system.activationScripts."secrets-permissions" = ''
|
||||
# Default to restrictive permissions on secrets.
|
||||
# Root can alway read/write/traverse directories no matter the permissions
|
||||
# set.
|
||||
|
||||
chown --recursive root:root /etc/secrets
|
||||
chmod --recursive 600 /etc/secrets
|
||||
mkdir -p /etc/secrets
|
||||
|
||||
# Relax permissions on some secrets.
|
||||
chown --recursive root:root /etc/secrets
|
||||
chmod --recursive 600 /etc/secrets
|
||||
|
||||
# The top directory must be readable and traversable by thoses who need to
|
||||
# access secrets.
|
||||
chmod 755 /etc/secrets
|
||||
# Relax permissions on some secrets.
|
||||
|
||||
# ... add chowns & chmods to specific users/groups when needed
|
||||
'';
|
||||
# The top directory must be readable and traversable by thoses who need to
|
||||
# access secrets.
|
||||
chmod 755 /etc/secrets
|
||||
'' + cfg.extraCommands;
|
||||
};
|
||||
}
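Review bot: `chmod --recursive 600 /etc/secrets` in the new activation script clears the execute bit on every subdirectory, and the later `chmod 755 /etc/secrets` restores it only on the top directory, so any `extraCommands` that grant a non-root user a file inside a subdirectory must also re-add the traverse bit on that subdirectory or the grant is ineffective. The option description "extra commands to populate /etc/secrets" does not say that the commands run after this reset, which is the contract the `'' + cfg.extraCommands` concatenation establishes; I would change it to `description = lib.mdDoc "extra commands run after the default restrictive permissions (root:root, 600 recursively, 755 on the top directory) are applied; use them to create subdirectories and relax permissions for specific users/groups";`. As a point of style, the file opens with `with lib;` yet still spells out `lib.mdDoc`, so either drop the `with` and qualify `mkOption`/`types`, or use `mdDoc` unqualified. The comment typos `alway` and `thoses` carried over from the old script could be fixed in the same pass.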
|
|
@ -922,24 +922,8 @@ dovecot_plain:
|
|||
group = config.services.exim.group;
|
||||
};
|
||||
|
||||
# FIXME
|
||||
environment.systemPackages = [ pkgs.acl ];
|
||||
system.activationScripts."secrets-permissions" = lib.mkForce ''
|
||||
# Default to restrictive permissions on secrets.
|
||||
# Root can alway read/write/traverse directories no matter the permissions
|
||||
# set.
|
||||
|
||||
mkdir -p /etc/secrets
|
||||
|
||||
chown --recursive root:root /etc/secrets
|
||||
chmod --recursive 600 /etc/secrets
|
||||
|
||||
# Relax permissions on some secrets.
|
||||
|
||||
# The top directory must be readable and traversable by thoses who need to
|
||||
# access secrets.
|
||||
chmod 755 /etc/secrets
|
||||
|
||||
custom.secrets.extraCommands = ''
|
||||
mkdir -p /etc/secrets/exim/virtual
|
||||
mkdir -p /etc/secrets/exim/domains
|
||||
chmod 700 /etc/secrets/exim
|
||||
|
|