Merge pull request #150886 from mohe2015/improve-step-ca

nixos/step-ca: create a step-ca user
2022-02-22 14:40:25 +01:00 · 2022-02-22 14:40:25 +01:00 · 79df722cdd
commit 79df722cdd
parent 23e6a16972 116ae00e73
1 changed files with 11 additions and 0 deletions
--- a/nixos/modules/services/security/step-ca.nix
+++ b/nixos/modules/services/security/step-ca.nix
@ -106,6 +106,9 @@ in
          ConditionFileNotEmpty = ""; # override upstream
        };
        serviceConfig = {
+          User = "step-ca";
+          Group = "step-ca";
+          UMask = "0077";
          Environment = "HOME=%S/step-ca";
          WorkingDirectory = ""; # override upstream
          ReadWriteDirectories = ""; # override upstream
@ -127,6 +130,14 @@ in
        };
      };

+      users.users.step-ca = {
+        home = "/var/lib/step-ca";
+        group = "step-ca";
+        isSystemUser = true;
+      };
+
+      users.groups.step-ca = {};
+
      networking.firewall = lib.mkIf cfg.openFirewall {
        allowedTCPPorts = [ cfg.port ];
      };