author | Maximilian Bosch <maximilian@mbosch.me> | 2021-05-22 22:20:16 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-22 22:20:16 +0200 |
commit | 278bcdce1f0da616661a6205161b13bd89a2f3bf (patch) | |
tree | 156a4f57574e239e5f3e90d6e6f2a96a346e45e6 /nixos | |
parent | bec3a445b2aff70877435ef4123962ef01093194 (diff) | |
parent | 79e675444caf7b491b2c0d25277b046d3f6d8e04 (diff) |
Merge pull request #123941 from mweinelt/matrix-synapse
nixos/matrix-synapse: protect created files
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/misc/matrix-synapse.nix | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix
index 290b5af1d6061..dff587453042d 100644
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@@ -699,12 +699,12 @@ in {
 ];
 
 users.users.matrix-synapse = {
- group = "matrix-synapse";
- home = cfg.dataDir;
- createHome = true;
- shell = "${pkgs.bash}/bin/bash";
- uid = config.ids.uids.matrix-synapse;
- };
+ group = "matrix-synapse";
+ home = cfg.dataDir;
+ createHome = true;
+ shell = "${pkgs.bash}/bin/bash";
+ uid = config.ids.uids.matrix-synapse;
+ };
 
 users.groups.matrix-synapse = {
 gid = config.ids.gids.matrix-synapse;
@@ -726,6 +726,10 @@ in {
 User = "matrix-synapse";
 Group = "matrix-synapse";
 WorkingDirectory = cfg.dataDir;
+ ExecStartPre = [ ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" ''
+ chown matrix-synapse:matrix-synapse ${cfg.dataDir}/homeserver.signing.key
+ chmod 0600 ${cfg.dataDir}/homeserver.signing.key
+ '')) ];
 ExecStart = ''
 ${cfg.package}/bin/homeserver \
 ${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }
@@ -733,6 +737,7 @@ in {
 '';
 ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
 Restart = "on-failure";
+ UMask = "0077";
 };
 };
 }; |
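Review bot: The permission repair in the second hunk covers only `${cfg.dataDir}/homeserver.signing.key`, and the `UMask = "0077"` added in the last hunk only narrows the mode of files the service creates from now on, so anything else already present in `cfg.dataDir` keeps whatever mode it was created with before this change; a comment on the ExecStartPre line stating that scope would help, e.g. `# One-time repair for the signing key; UMask below covers files created after this change.` The two `${cfg.dataDir}` expansions inside the shell script are unquoted, so a data directory path containing whitespace would be word-split; `chown matrix-synapse:matrix-synapse "${cfg.dataDir}/homeserver.signing.key"` and the matching quoted `chmod` line avoid that. The script has no guard for a missing key file, so if no earlier ExecStartPre step has created it, `chown` fails and the unit does not start — the page does not show where the key is generated, so that ordering is worth confirming. The `+` prefix runs this step as root, which the `chown` needs; a short comment saying so would explain why it is not run as `matrix-synapse` like the rest of the unit. The enclosing `serviceConfig` set starts before the hunk.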