From 69a5103f8b9958cb51cec66a3b497608f87f71a2 Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov
Date: Mon, 21 Apr 2025 19:07:16 +0400
Subject: [PATCH] refact auth: systemd.tmpfiles for /run/keys/selfprivacy-api; comments
---
 auth/auth-module.nix | 1 -
 auth/auth.nix | 17 ++++++++---------
 2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/auth/auth-module.nix b/auth/auth-module.nix
index 698e43f..f34194b 100644
--- a/auth/auth-module.nix
+++ b/auth/auth-module.nix
@@ -6,7 +6,6 @@ let
 ;
 auth-passthru = config.selfprivacy.passthru.auth;
 keys-path = auth-passthru.keys-path;
- # TODO consider tmpfiles.d for creating a directory in ${keys-path}
 # generate OAuth2 client secret
 mkKanidmExecStartPreScript = oauthClientID: linuxGroup:
 let
diff --git a/auth/auth.nix b/auth/auth.nix
index 11f9a96..35d333d 100644
--- a/auth/auth.nix
+++ b/auth/auth.nix
@@ -22,13 +22,6 @@ let
 "${selfprivacy-group}-service-account-token";
 kanidm-service-account-token-fp =
 "${keys-path}/${selfprivacy-group}/kanidm-service-account-token";
- kanidmExecStartPreScriptRoot = pkgs.writeShellScript
- "${selfprivacy-group}-kanidm-ExecStartPre-root-script.sh"
- ''
- # set-group-ID bit allows for kanidm user to create files,
- mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/${selfprivacy-group}
- chown kanidm:${selfprivacy-group} /run/keys/${selfprivacy-group}
- '';
 spApiUserExecStartPostScript = pkgs.writeShellScript
 "spApiUserExecStartPostScript"
 ''
@@ -96,6 +89,14 @@ lib.mkIf config.selfprivacy.sso.enable {
 # for ExecStartPost scripts to have access to /run/keys/*
 users.groups.keys.members = [ "kanidm" ];
+ systemd.tmpfiles.settings."kanidm-secrets" = {
+ "${keys-path}/${selfprivacy-group}".d = {
+ user = "kanidm";
+ group = selfprivacy-group;
+ mode = "2750";
+ };
+ };
+
 services.kanidm = {
 enableServer = true;
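Review bot: The new tmpfiles rule in the `@@ -96,6 +89,14 @@` hunk loses the one comment that justified the permission choice: `mode = "2750"` is the same setgid plus `u=rwx,g=rx,o=` mode the removed ExecStartPre script set with `u+rwx,g+rs,g-w,o-rwx`, but nothing in the new attribute set says why the setgid bit is there. Add a comment above the `mode` line such as `# 2750: setgid so tokens kanidm writes here inherit the selfprivacy group and stay readable only by kanidm and that group`, and a second one noting that `age` is deliberately left unset so `systemd-tmpfiles --clean` never prunes the directory. One behavioural difference is worth a line as well: the removed root-level script re-created and re-owned the directory on every kanidm start, whereas a tmpfiles `d` entry is presumably applied only at boot and on activation, so a directory removed at runtime would not be recreated before the next restart — confirm that is acceptable or document it. The `services.kanidm` attribute set that begins at the end of the hunk continues outside it.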
@@ -198,8 +199,6 @@ lib.mkIf config.selfprivacy.sso.enable { }; }; - systemd.services.kanidm.serviceConfig.ExecStartPre = - [ ("+" + kanidmExecStartPreScriptRoot) ]; systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter [ spApiUserExecStartPostScript ];