hosts/plover: fix credentials permission for Bind service

This commit is contained in:
Gabriel Arazas 2023-09-21 12:52:53 +08:00
parent a4c9add8a7
commit c3ff202b84
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC


@ -79,7 +79,7 @@ in
configFile =
let
cfg = config.services.bind;
certDir = path: "${config.security.acme.certs."${dnsSubdomain}".directory}/${path}";
certDir = path: "/run/credentials/bind.service/${path}";
listenInterfaces = lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn;
listenInterfacesIpv6 = lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6;
in
@ -196,6 +196,18 @@ in
Group = config.users.users.named.group;
UMask = "0037";
# Get the credentials into the service.
LoadCredential =
let
certDirectory = config.security.acme.certs."${dnsSubdomain}".directory;
certCredentialPath = path: "${path}:${certDirectory}/${path}";
in
[
(certCredentialPath "cert.pem")
(certCredentialPath "key.pem")
(certCredentialPath "fullchain.pem")
];
# Lock and protect various system components.
LockPersonality = true;
PrivateTmp = true;
@ -300,9 +312,6 @@ in
};
};
# Setting up DNS-over-TLS by generating a certificate.
security.acme.certs."${dnsSubdomain}".group = config.users.users.named.group;
# Then generate a DH parameter for the application.
security.dhparams.params.bind.bits = 4096;
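Review bot: The `LoadCredential` entries added in the second hunk are copied into `/run/credentials/bind.service/` only when the unit starts, so after an ACME renewal the running BIND keeps serving the old `cert.pem`/`key.pem` until it is restarted, and because the third hunk drops `security.acme.certs."${dnsSubdomain}".group`, the service can no longer fall back to reading the refreshed files from the ACME directory directly. A renewal hook that restarts the unit seems needed alongside this change, e.g. `security.acme.certs."${dnsSubdomain}".reloadServices = [ "bind.service" ];`, with the caveat that this runs `try-reload-or-restart`, so if bind.service defines an `ExecReload` it will only reload and the credentials snapshot will stay stale — a plain restart (or a `postRun` that issues one) may be required. A short comment next to `LoadCredential` stating that the credentials are fixed for the lifetime of the process would make the rotation requirement visible to the next maintainer. The `serviceConfig` attribute set the second hunk edits and the module body in the third hunk both continue outside the hunks.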