BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

nixos/step-ca: create a step-ca user

Browse source 
This allows you to create the certificate files owned by that user so the service can read them.
This commit is contained in:
Moritz Hedtke 2021-12-15 20:27:18 +01:00
parent a2e281f577
commit 116ae00e73
No known key found for this signature in database
GPG key ID: 6794D45A488C2EDE
1 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
nixos/modules/services/security/step-ca.nix
View file

@ -108,6 +108,9 @@ in
ConditionFileNotEmpty = ""; # override upstream ConditionFileNotEmpty = ""; # override upstream
}; };
serviceConfig = { serviceConfig = {
User = "step-ca";
Group = "step-ca";
UMask = "0077";
Environment = "HOME=%S/step-ca"; Environment = "HOME=%S/step-ca";
WorkingDirectory = ""; # override upstream WorkingDirectory = ""; # override upstream
ReadWriteDirectories = ""; # override upstream ReadWriteDirectories = ""; # override upstream
@ -129,6 +132,14 @@ in
}; };
}; };
users.users.step-ca = {
home = "/var/lib/step-ca";
group = "step-ca";
isSystemUser = true;
};
users.groups.step-ca = {};
networking.firewall = lib.mkIf cfg.openFirewall { networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ]; allowedTCPPorts = [ cfg.port ];
}; };