From 18733782adc0b2c952d0d1d1174a19b7921b476e Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Tue, 25 Jul 2023 16:54:39 +0200
Subject: nixos/conduit: improve state directory permissions

Allow only the conduit user to access its database files, and make sure to create all new files with 0600 (o+rw).
---
 nixos/modules/services/matrix/conduit.nix | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'nixos')

diff --git a/nixos/modules/services/matrix/conduit.nix b/nixos/modules/services/matrix/conduit.nix
index c8d89ed33f512..16c4f571da941 100644
--- a/nixos/modules/services/matrix/conduit.nix
+++ b/nixos/modules/services/matrix/conduit.nix
@@ -138,10 +138,12 @@ in
 "~@privileged"
 ];
 StateDirectory = "matrix-conduit";
+ StateDirectoryMode = "0700";
 ExecStart = "${cfg.package}/bin/conduit";
 Restart = "on-failure";
 RestartSec = 10;
 StartLimitBurst = 5;
+ UMask = "077";
 };
 };
 };
-- cgit 1.4.1
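Review bot: The added `UMask = "077";` only governs files conduit creates from now on; database files written by earlier deployments under the `matrix-conduit` state directory keep whatever mode they already have, since to my understanding systemd applies `StateDirectoryMode` to the directory itself and does not re-mode its contents recursively. With the directory now `0700` those older files are still unreachable by other local users, so this is a residual worth documenting rather than a hole; a comment above `StateDirectoryMode = "0700";` such as `# Database contents are private to the service user: the directory is owner-only and UMask makes new files 0600; files from older deployments keep their previous mode.` would make that explicit for whoever later wonders why a migration was not needed. The commit message's `0600 (o+rw)` is inverted in chmod notation, where `o` is "others"; owner-only read/write is `u+rw`. The enclosing `serviceConfig` attribute set begins before this hunk.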