improving renew script

modules/features/forgejo.nix

@@ -2,6 +2,7 @@
   flake.modules.nixos.forgejo = {config, pkgs, lib, ... }:
     let
       cfg = config.forgejo;
+      needsPrivilegedPort = cfg.port < 1024;
     in
     {
       options.forgejo = {
@@ -25,6 +26,12 @@
       config = lib.mkIf cfg.enable {
         networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];
 
+        systemd.services.forgejo.serviceConfig = lib.mkIf needsPrivilegedPort {
+          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+          PrivateUsers = lib.mkForce false;
+        };
+
         sops.secrets = {
           "forgejo/secret_key".owner = config.services.forgejo.user;
           "forgejo/internal_token".owner = config.services.forgejo.user;

modules/features/mtls.nix

@@ -66,9 +66,9 @@ let
         default = "root";
       };
       group = lib.mkOption {
-        description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user when null.";
+        description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user.";
         type = lib.types.nullOr lib.types.str;
-        default = null;
+        default = cfg.user;
       };
       reloadUnits = lib.mkOption {
         description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
@@ -92,8 +92,14 @@ let
     keyFile,
     bundleFile,
     lifetime,
+    user,
+    group,
   }:
   let
+    catCmd = lib.getExe' pkgs.coreutils "cat";
+    echoCmd = lib.getExe' pkgs.coreutils "echo";
+    chownCmd = lib.getExe' pkgs.coreutils "chown";
+    chmodCmd = lib.getExe' pkgs.coreutils "chmod";
     stepCmd = lib.getExe pkgs.step-cli;
     sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san;
   in
@@ -105,7 +111,9 @@ let
         --provisioner ${provisioner} \
         ${sanArgs} \
         "$@"
-      cat ${certFile} ${keyFile} > ${bundleFile}
+      (umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile})
+      ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
+      ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
     '';
   
   mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" ''
@@ -120,18 +128,24 @@ let
     certFile,
     keyFile,
     bundleFile,
+    user,
+    group,
     reloadUnits ? [ ],
     postCommands ? [ ],
     systemctlArgs ? [ ],
   }:
   let
+    catCmd = lib.getExe' pkgs.coreutils "cat";
     echoCmd = lib.getExe' pkgs.coreutils "echo";
-    systemctl = lib.getExe' pkgs.systemd "systemctl";
+    chownCmd = lib.getExe' pkgs.coreutils "chown";
-    escapedArgs = lib.escapeShellArgs systemctlArgs;
+    chmodCmd = lib.getExe' pkgs.coreutils "chmod";
-    systemctlCommand = "${systemctl} ${escapedArgs}";
+    stepCmd = lib.getExe pkgs.step-cli;
+    hasReloadUnits = reloadUnits != [ ];
+    hasPostCommands = postCommands != [ ];
+    systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
     renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
-      if ${systemctlCommand} --quiet is-active "${unit}"; then
+      if ${systemctlCmd} --quiet is-active "${unit}"; then
-        ${systemctlCommand} try-reload-or-restart "${unit}"
+        ${systemctlCmd} try-reload-or-restart "${unit}"
       fi
     '') reloadUnits;
     renewPostCommands = lib.concatStringsSep "\n" postCommands;
@@ -139,23 +153,42 @@ let
     pkgs.writeShellScriptBin "mtls-renew" ''
       set -euo pipefail
 
-      if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${certFile}"; then
+      YELLOW_BANG="\e[33m!\e[0m"
-        ${echoCmd} "Renewing mTLS certificate"
+
-      else
+      force=0
+      while [[ $# -gt 0 ]]; do
+      case $1 in
+        --force)
+        force=1
+        shift
+        ;;
+        *)
+        ${echoCmd} -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
+        exit 1
+        ;;
+      esac
+      done
+
+      if [[ $force -eq 0 ]] && ! ${stepCmd} certificate needs-renewal "${certFile}"; then
         ${echoCmd} "Skipping renew"
-        exit "$?"
+        exit 0
       fi
 
-      ${lib.getExe pkgs.step-cli} ca renew --force "${certFile}" "${keyFile}"
+      ${echoCmd} "Renewing mTLS certificate"
-
+      ${stepCmd} ca renew --force "${certFile}" "${keyFile}"
-      umask 077
+      (umask 077; ${catCmd} "${certFile}" "${keyFile}" > "${bundleFile}")
-      ${lib.getExe' pkgs.coreutils "cat"} "${certFile}" "${keyFile}" > "${bundleFile}"
+      ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
+      ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
 
+      ${lib.optionalString hasReloadUnits ''
       ${echoCmd} "Reloading units:"
       ${renewReloadScript}
+      ''}
 
+      ${lib.optionalString hasPostCommands ''
       ${echoCmd} "Post commands:"
       ${renewPostCommands}
+      ''}
     '';
 
   mkNixosMtlsRenewService = {
@@ -171,7 +204,7 @@ let
   let
     serviceGroup = if group == null then user else group;
     renewScript = mkMtlsRenewScript {
-      inherit pkgs certFile keyFile bundleFile reloadUnits postCommands;
+      inherit pkgs certFile keyFile bundleFile reloadUnits postCommands user group;
     };
   in
   {
@@ -271,13 +304,18 @@ in
           (mkMtlsGenerateScript {
             inherit pkgs;
             inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
+            inherit (cfg.renew) user group;
           })
           (mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })
-          (mkMtlsRenewScript { inherit pkgs; inherit (cfg) certFile keyFile bundleFile; })
+          (mkMtlsRenewScript {
+            inherit pkgs;
+            inherit (cfg) certFile keyFile bundleFile;
+            inherit (cfg.renew) user group;
+          })
         ];
 
         systemd.tmpfiles.rules = [
-          "d ${cfg.certDir} 0750 ${cfg.renew.user} ${if cfg.renew.group == null then cfg.renew.user else cfg.renew.group} -"
+          "d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
         ];
 
         systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
@@ -314,10 +352,11 @@ in
           # step-cli
           (mkMtlsGenerateScript {
             inherit (cfg) subject provisioner san lifetime;
+            inherit (cfg.renew) user group;
             inherit pkgs certFile keyFile bundleFile;
           })
           (mkMtlsCheckScript { inherit pkgs bundleFile; })
-          (mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; })
+          (mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; inherit (cfg.renew) user group; })
         ];
 
         systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [