
NixOS: adding more permissions to services

Description

Services in NixOS often require more permissions than they have by default, for example to read files that belong to another service.

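For example, if you use Caddy in combination with Soju, Soju needs read access to the TLS certificate and private key that Caddy manages, so that your IRC clients can connect over TLS. This enables a secure connection between your IRC client and Soju as a bouncer. The example below grants that access through group permissions (750 on the directories, 640 on the files), so it only has an effect if the Soju user is a member of the group that owns those paths.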

Example

# One-shot unit that relaxes the modes on Caddy's certificate storage so that
# members of the owning group can traverse the directories and read the
# certificate and private key for irc.cashmere.rs.
#
# Security notes:
# - 750/640 grant access to the owning group only; "other" users get nothing.
#   Which group that is, and whether soju's user belongs to it, is not set
#   here and must be arranged elsewhere in the configuration.
# - The private key becomes readable by every member of that group, so keep
#   the group's membership as small as possible.
# - No User= is set, so the script runs with systemd's default (root).
# - NOTE(review): the unit is ordered before soju.service but has no ordering
#   relative to Caddy. If a path does not exist yet (no certificate issued),
#   chmod fails for it. It also runs only once per start of the unit; if Caddy
#   resets modes when it renews the certificate, they are not re-applied until
#   this unit runs again. Confirm both against your setup.
systemd.services.soju-fix-certs =
  let
    host = "irc.cashmere.rs";
    caddyHome = "/var/lib/caddy";
    dataDir = "${caddyHome}/.local/share/caddy";
    issuerDir = "${dataDir}/certificates/acme-v02.api.letsencrypt.org-directory";
    hostDir = "${issuerDir}/${host}";
  in
  {
    description = "Fix certificate permissions for soju";
    wantedBy = [ "multi-user.target" ];
    before = [ "soju.service" ];

    serviceConfig.Type = "oneshot";
    # Keep the unit "active" after the script exits so it is not re-run
    # by every unit that pulls it in.
    serviceConfig.RemainAfterExit = true;

    script = ''
      # Directories, from the top of Caddy's state directory down to the
      # per-host certificate directory: owner rwx, group r-x, others none.
      for dir in \
        ${caddyHome} \
        ${caddyHome}/.local \
        ${caddyHome}/.local/share \
        ${dataDir} \
        ${dataDir}/certificates \
        ${issuerDir} \
        ${hostDir}
      do
        chmod 750 "$dir"
      done

      # Certificate and private key: owner rw, group r, others none.
      for file in ${hostDir}/${host}.crt ${hostDir}/${host}.key; do
        chmod 640 "$file"
      done
    '';
  };