refact auth: systemd.tmpfiles for /run/keys/selfprivacy-api; comments

2025-04-21 19:07:16 +04:00
parent a96b6b8444
commit 69a5103f8b
2 changed files with 8 additions and 10 deletions
--- a/auth/auth-module.nix
+++ b/auth/auth-module.nix
@@ -6,7 +6,6 @@ let
    ;
  auth-passthru = config.selfprivacy.passthru.auth;
  keys-path = auth-passthru.keys-path;
-  # TODO consider tmpfiles.d for creating a directory in ${keys-path}
  # generate OAuth2 client secret
  mkKanidmExecStartPreScript = oauthClientID: linuxGroup:
    let
--- a/auth/auth.nix
+++ b/auth/auth.nix
@@ -22,13 +22,6 @@ let
    "${selfprivacy-group}-service-account-token";
  kanidm-service-account-token-fp =
    "${keys-path}/${selfprivacy-group}/kanidm-service-account-token";
-  kanidmExecStartPreScriptRoot = pkgs.writeShellScript
-    "${selfprivacy-group}-kanidm-ExecStartPre-root-script.sh"
-    ''
-      # set-group-ID bit allows for kanidm user to create files,
-      mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/${selfprivacy-group}
-      chown kanidm:${selfprivacy-group} /run/keys/${selfprivacy-group}
-    '';

  spApiUserExecStartPostScript =
    pkgs.writeShellScript "spApiUserExecStartPostScript" ''
@@ -96,6 +89,14 @@ lib.mkIf config.selfprivacy.sso.enable {
  # for ExecStartPost scripts to have access to /run/keys/*
  users.groups.keys.members = [ "kanidm" ];

+  systemd.tmpfiles.settings."kanidm-secrets" = {
+    "${keys-path}/${selfprivacy-group}".d = {
+      user = "kanidm";
+      group = selfprivacy-group;
+      mode = "2750";
+    };
+  };
+
  services.kanidm = {
    enableServer = true;

@@ -198,8 +199,6 @@ lib.mkIf config.selfprivacy.sso.enable {
    };
  };

-  systemd.services.kanidm.serviceConfig.ExecStartPre =
-    [ ("+" + kanidmExecStartPreScriptRoot) ];
  systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter
    [ spApiUserExecStartPostScript ];