hosts/plover: fix credentials permission for Bind service

Gabriel Arazas 2023-09-21 12:52:53 +08:00
parent a4c9add8a7
commit c3ff202b84
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC


@ -79,7 +79,7 @@ in
configFile = configFile =
let let
cfg = config.services.bind; cfg = config.services.bind;
certDir = path: "${config.security.acme.certs."${dnsSubdomain}".directory}/${path}"; certDir = path: "/run/credentials/bind.service/${path}";
listenInterfaces = lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn; listenInterfaces = lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn;
listenInterfacesIpv6 = lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6; listenInterfacesIpv6 = lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6;
in in
@ -196,6 +196,18 @@ in
Group = config.users.users.named.group; Group = config.users.users.named.group;
UMask = "0037"; UMask = "0037";
# Get the credentials into the service.
LoadCredential =
let
certDirectory = config.security.acme.certs."${dnsSubdomain}".directory;
certCredentialPath = path: "${path}:${certDirectory}/${path}";
in
[
(certCredentialPath "cert.pem")
(certCredentialPath "key.pem")
(certCredentialPath "fullchain.pem")
];
# Lock and protect various system components. # Lock and protect various system components.
LockPersonality = true; LockPersonality = true;
PrivateTmp = true; PrivateTmp = true;
@ -300,9 +312,6 @@ in
}; };
}; };
# Setting up DNS-over-TLS by generating a certificate.
security.acme.certs."${dnsSubdomain}".group = config.users.users.named.group;
# Then generate a DH parameter for the application. # Then generate a DH parameter for the application.
security.dhparams.params.bind.bits = 4096; security.dhparams.params.bind.bits = 4096;
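Review bot: The LoadCredential list in the second hunk copies cert.pem, key.pem and fullchain.pem into the credentials directory only when bind.service starts, so once ACME renews the certificate the running service keeps serving the old one until it is restarted, and a plain reload (as used by `reloadIfChanged`-style hooks) most likely does not refresh the copies; it would be worth confirming that the renewal path for this cert triggers a restart of bind.service rather than a reload, and stating that in the comment. The `# Get the credentials into the service.` comment should also record why this replaced the group grant the third hunk removes: the private key is now read by systemd as root and exposed to the `named` user only through the read-only credentials directory, so the ACME directory itself no longer needs to be group-readable. In the third hunk the leading comment about DNS-over-TLS is gone, leaving `# Then generate a DH parameter for the application.` without the sentence it continued; rewording it to `# Generate a DH parameter for the application's DNS-over-TLS listener.` keeps the context. The `certDir` helper in the first hunk hard-codes `/run/credentials/bind.service/`, which is correct only while the unit keeps that name; a short comment noting that coupling would help the next maintainer. The enclosing `configFile` definition and the service block both continue outside the visible hunks.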