auth: rewrite /run/keys/* creation to tmpfiles.d

Alexander Tomokhov
2025-04-11 16:13:59 +04:00
parent a5f497d9cf
commit b87c37afa2


@@ -7,14 +7,6 @@ let
auth-passthru = config.selfprivacy.passthru.auth; auth-passthru = config.selfprivacy.passthru.auth;
keys-path = auth-passthru.keys-path; keys-path = auth-passthru.keys-path;
# TODO consider tmpfiles.d for creating a directory in ${keys-path} # TODO consider tmpfiles.d for creating a directory in ${keys-path}
mkKanidmExecStartPreScriptRoot = oauthClientID: group:
pkgs.writeShellScript
"${oauthClientID}-kanidm-ExecStartPre-root-script.sh"
''
# set-group-ID bit allows kanidm user to create files with another group
mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx ${keys-path}/${oauthClientID}
chown kanidm:${group} ${keys-path}/${oauthClientID}
'';
# generate OAuth2 client secret # generate OAuth2 client secret
mkKanidmExecStartPreScript = oauthClientID: mkKanidmExecStartPreScript = oauthClientID:
let let
@@ -261,6 +253,17 @@ in
({ linuxUserOfClient, ... }: [ linuxUserOfClient ]) ({ linuxUserOfClient, ... }: [ linuxUserOfClient ])
); );
systemd.tmpfiles.settings."kanidm-secrets" = lib.mkMerge (lib.forEach
clientsAttrsList
({ linuxGroupOfClient, ... }: {
"${keys-path}/${linuxGroupOfClient}".d = {
user = "kanidm";
group = linuxGroupOfClient;
mode = "2750";
};
})
);
# for each OAuth2 client: scripts with Kanidm CLI commands # for each OAuth2 client: scripts with Kanidm CLI commands
systemd.services.kanidm = { systemd.services.kanidm = {
before = before =
@@ -270,11 +273,9 @@ in
serviceConfig = serviceConfig =
lib.mkMerge (lib.forEach lib.mkMerge (lib.forEach
clientsAttrsList clientsAttrsList
({ clientID, isTokenNeeded, linuxGroupOfClient, ... }: { ({ clientID, isTokenNeeded, ... }: {
ExecStartPre = [ ExecStartPre = [
# "-" prefix means to ignore exit code of prefixed script # "-" prefix means to ignore exit code of prefixed script
# "+" prefix means to run script with superuser priveleges
("-+" + mkKanidmExecStartPreScriptRoot clientID linuxGroupOfClient)
("-" + mkKanidmExecStartPreScript clientID) ("-" + mkKanidmExecStartPreScript clientID)
]; ];
ExecStartPost = lib.mkIf isTokenNeeded ExecStartPost = lib.mkIf isTokenNeeded
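Review bot: The tmpfiles entry in the second hunk keys the directory on `${keys-path}/${linuxGroupOfClient}`, whereas the removed root script created `${keys-path}/${oauthClientID}`; the remaining `mkKanidmExecStartPreScript clientID` in the third hunk is still called with the client ID, so if it writes under a clientID-named path the directory will no longer be pre-created unless group and client ID happen to be the same value — worth confirming against that script's body, which is outside the hunk. The first hunk leaves the now-obsolete context line `# TODO consider tmpfiles.d for creating a directory in ${keys-path}` in place; it can be dropped with this change. The `d` entry also loses the only explanation of why the mode carries the setgid bit; restoring it as `# 2750: setgid so files kanidm creates inherit the client's group` next to `mode = "2750";` keeps the intent readable. The enclosing `let` binding and the kanidm service attrset both continue outside the hunks shown.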