nixos/conduit: improve state directory permissions

Allow only the conduit user to access its database files, and make sure to create all new files with 0600 (o+rw).
author: Martin Weinelt <hexa@darmstadt.ccc.de> 2023-07-25 16:54:39 +0200
committer: Martin Weinelt <hexa@darmstadt.ccc.de> 2023-07-25 16:54:39 +0200
commit: 18733782adc0b2c952d0d1d1174a19b7921b476e (patch)
tree: 35948ef3c27f5f3ac37029b88e127eeae249ed25 /nixos
parent: 7ce0abe77d2ace6d6fc43ff7077019e62a77e741 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/services/matrix/conduit.nix b/nixos/modules/services/matrix/conduit.nix
index c8d89ed33f512..16c4f571da941 100644
--- a/nixos/modules/services/matrix/conduit.nix
+++ b/nixos/modules/services/matrix/conduit.nix
@@ -138,10 +138,12 @@ in
             "~@privileged"
           ];
           StateDirectory = "matrix-conduit";
+          StateDirectoryMode = "0700";
           ExecStart = "${cfg.package}/bin/conduit";
           Restart = "on-failure";
           RestartSec = 10;
           StartLimitBurst = 5;
+          UMask = "077";
         };
       };
     };
author	Martin Weinelt <hexa@darmstadt.ccc.de>	2023-07-25 16:54:39 +0200
committer	Martin Weinelt <hexa@darmstadt.ccc.de>	2023-07-25 16:54:39 +0200
commit	18733782adc0b2c952d0d1d1174a19b7921b476e (patch)
tree	35948ef3c27f5f3ac37029b88e127eeae249ed25 /nixos
parent	7ce0abe77d2ace6d6fc43ff7077019e62a77e741 (diff)