diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 7eb2437..054cabc 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -66,9 +66,9 @@ let
 default = "root";
 };
 group = lib.mkOption {
- description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user when null.";
+ description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user.";
 type = lib.types.nullOr lib.types.str;
- default = null;
+ default = cfg.user;
 };
 reloadUnits = lib.mkOption {
 description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
@@ -92,8 +92,14 @@ let
 keyFile,
 bundleFile,
 lifetime,
+ user,
+ group,
 }:
 let
+ catCmd = lib.getExe' pkgs.coreutils "cat";
+ echoCmd = lib.getExe' pkgs.coreutils "echo";
+ chownCmd = lib.getExe' pkgs.coreutils "chown";
+ chmodCmd = lib.getExe' pkgs.coreutils "chmod";
 stepCmd = lib.getExe pkgs.step-cli;
 sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san;
 in
@@ -105,7 +111,9 @@ let
 --provisioner ${provisioner} \
 ${sanArgs} \
 "$@"
- cat ${certFile} ${keyFile} > ${bundleFile}
+ (umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile})
+ ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
+ ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
 '';
 mkMtlsCheckScript = { pkgs, bundleFile }:
 pkgs.writeShellScriptBin "mtls-check" ''
@@ -120,12 +128,17 @@ let
 certFile,
 keyFile,
 bundleFile,
+ user,
+ group,
 reloadUnits ? [ ],
 postCommands ? [ ],
 systemctlArgs ? [ ],
 }:
 let
+ catCmd = lib.getExe' pkgs.coreutils "cat";
 echoCmd = lib.getExe' pkgs.coreutils "echo";
+ chownCmd = lib.getExe' pkgs.coreutils "chown";
+ chmodCmd = lib.getExe' pkgs.coreutils "chmod";
 systemctl = lib.getExe' pkgs.systemd "systemctl";
 escapedArgs = lib.escapeShellArgs systemctlArgs;
 systemctlCommand = "${systemctl} ${escapedArgs}";
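Review bot: The `group` option keeps `type = lib.types.nullOr lib.types.str;` while its new default `cfg.user` is non-null and the null fallback is dropped from the tmpfiles rule in the -271 hunk, so a configuration that sets `renew.group = null` explicitly now fails at evaluation the moment `${cfg.renew.group}` (or `${group}` in the new chown lines) is interpolated into a string. Either tighten the option to `type = lib.types.str;` or keep the `if cfg.renew.group == null then cfg.renew.user else cfg.renew.group` fallback at the use sites; as it stands, `serviceGroup = if group == null then user else group;` in the -171 hunk is the only place that still honours the old contract. The default also reads `cfg.user` while every call site reads `cfg.renew.user`; if `cfg` at this point is the top-level feature config rather than the renew submodule, this should be `default = cfg.renew.user;`. Since the default is now an expression, add `defaultText = lib.literalExpression "<path to renew.user>";` so the rendered option documentation shows the reference rather than an evaluated value. The enclosing option set starts and ends outside this hunk.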
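Review bot: The new `chown` and `chmod` lines pass `${certFile} ${keyFile} ${bundleFile}` unquoted, whereas the renew script's `cat` line in the -147 hunk quotes the same paths; a path containing whitespace or glob characters would be word-split here and the ownership or mode change would land on the wrong name or fail. Quote them consistently in both scripts, e.g. `${chownCmd} "${user}:${group}" "${certFile}" "${keyFile}" "${bundleFile}"` and `${chmodCmd} 640 "${certFile}" "${keyFile}" "${bundleFile}"`, and apply the same quoting to the `cat` redirection in this generate script, which the -105 hunk leaves unquoted. The `echoCmd` binding added to the generate script's `let` in the -92 hunk is not referenced anywhere in the part of that script visible here; drop it if nothing outside the hunk uses it. The `writeShellScriptBin` body this hunk patches starts outside the hunk.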
@@ -147,9 +160,9 @@ let
 fi
 ${lib.getExe pkgs.step-cli} ca renew --force "${certFile}" "${keyFile}"
-
- umask 077
- ${lib.getExe' pkgs.coreutils "cat"} "${certFile}" "${keyFile}" > "${bundleFile}"
+ (umask 077; ${catCmd} "${certFile}" "${keyFile}" > "${bundleFile}")
+ ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
+ ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
 ${echoCmd} "Reloading units:"
 ${renewReloadScript}
@@ -171,7 +184,7 @@ let
 let
 serviceGroup = if group == null then user else group;
 renewScript = mkMtlsRenewScript {
- inherit pkgs certFile keyFile bundleFile reloadUnits postCommands;
+ inherit pkgs certFile keyFile bundleFile reloadUnits postCommands user group;
 };
 in
 {
@@ -271,13 +284,18 @@ in
 (mkMtlsGenerateScript {
 inherit pkgs;
 inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
+ inherit (cfg.renew) user group;
 })
 (mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })
- (mkMtlsRenewScript { inherit pkgs; inherit (cfg) certFile keyFile bundleFile; })
+ (mkMtlsRenewScript {
+ inherit pkgs;
+ inherit (cfg) certFile keyFile bundleFile;
+ inherit (cfg.renew) user group;
+ })
 ];
 systemd.tmpfiles.rules = [
- "d ${cfg.certDir} 0750 ${cfg.renew.user} ${if cfg.renew.group == null then cfg.renew.user else cfg.renew.group} -"
+ "d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
 ];
 systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
@@ -314,10 +332,11 @@ in
 # step-cli
 (mkMtlsGenerateScript {
 inherit (cfg) subject provisioner san lifetime;
+ inherit (cfg.renew) user group;
 inherit pkgs certFile keyFile bundleFile;
 })
 (mkMtlsCheckScript { inherit pkgs bundleFile; })
- (mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; })
+ (mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; inherit (cfg.renew) user group; })
 ];
 systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
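Review bot: The user-session variant (the branch whose list sits next to `systemd.user.tmpfiles.rules`) now hands `cfg.renew.user`/`cfg.renew.group` to the generate and renew scripts, which run `chown ${user}:${group}` after writing the files; from an unprivileged session that call only succeeds when the invoking user already is `user` and belongs to `group`, and with what appears to be the option default of `"root"` (the `default = "root";` line at the top of the -66 hunk) it will fail with EPERM by default. If this branch is meant for per-user installs, either skip the chown there or default user and group to the session user, and confirm that these `writeShellScriptBin` bodies abort on a failed chown (whether they run under `set -e` is not visible in the diff) so a renewal does not report success while leaving the previous ownership in place. The -147 hunk has the same exposure because the renew script is shared by both branches. The list these calls belong to starts outside the hunk.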