author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-05-22 00:47:54 +0200 |
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-05-22 20:30:49 +0200 |
commit | 79e675444caf7b491b2c0d25277b046d3f6d8e04 (patch) | |
tree | 0c67a4718c4820b28393a97087d4508250df0569 /nixos | |
parent | a420acab1e197c0c4a2f2b960f3bf1e6b8043caa (diff) |
nixos/matrix-synapse: protect created files
Enforce UMask on the systemd unit to restrict the permissions of files created. Especially the homeserver signing key should not be world-readable, and media is served through synapse itself, so no other user needs access to these files. Use a prestart chmod to fix up the permissions on the signing key.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/misc/matrix-synapse.nix | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix
index 290b5af1d6061..dff587453042d 100644
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@@ -699,12 +699,12 @@ in {
 ];
 users.users.matrix-synapse = {
- group = "matrix-synapse";
- home = cfg.dataDir;
- createHome = true;
- shell = "${pkgs.bash}/bin/bash";
- uid = config.ids.uids.matrix-synapse;
- };
+ group = "matrix-synapse";
+ home = cfg.dataDir;
+ createHome = true;
+ shell = "${pkgs.bash}/bin/bash";
+ uid = config.ids.uids.matrix-synapse;
+ };
 users.groups.matrix-synapse = {
 gid = config.ids.gids.matrix-synapse;
@@ -726,6 +726,10 @@ in {
 User = "matrix-synapse";
 Group = "matrix-synapse";
 WorkingDirectory = cfg.dataDir;
+ ExecStartPre = [ ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" ''
+ chown matrix-synapse:matrix-synapse ${cfg.dataDir}/homeserver.signing.key
+ chmod 0600 ${cfg.dataDir}/homeserver.signing.key
+ '')) ];
 ExecStart = ''
 ${cfg.package}/bin/homeserver \
 ${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }
@@ -733,6 +737,7 @@ in {
 '';
 ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
 Restart = "on-failure";
+ UMask = "0077";
 };
 };
 }; |
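Review bot: The ExecStartPre script added in the second hunk runs with full privileges (the `"+"` prefix) and applies `chown`/`chmod` to a path inside cfg.dataDir, a directory owned by the unprivileged service user; both commands follow symlinks, so whatever sits at `homeserver.signing.key` is re-owned and re-moded by root without any check that it is the expected regular file. If the key is already owned by the service user, the safer shape is to drop the `"+"` and run only the `chmod 0600` as matrix-synapse; otherwise at least refuse to act on anything but a regular file, e.g. `[ -f "${cfg.dataDir}/homeserver.signing.key" ] && [ ! -L "${cfg.dataDir}/homeserver.signing.key" ] || exit 0` before the two commands. The interpolated path is also unquoted in both lines, so a dataDir containing whitespace would split the arguments; write it as `"${cfg.dataDir}/homeserver.signing.key"`. On a fresh install the key presumably does not exist before synapse's own key generation; unless that generation is ordered before this ExecStartPre, the `chmod` fails and the unit never starts, which is worth confirming. The serviceConfig attribute set this hunk edits begins and ends outside the hunk.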