nixos/kanidm: add option to automatically generate self-signed cert #381636
${certtool} --generate-self-signed --load-privkey=${esc tls_key} --outfile=${esc tls_chain} --template=${template_file}
chmod 0500 "''${directories[@]}"
chmod 0400 ${esc tls_key} ${esc tls_chain}
chown kanidm:kanidm ${esc tls_key} ${esc tls_chain} "''${directories[@]}"
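Review bot: `${template_file}` is interpolated bare on the certtool line while `tls_key` and `tls_chain` go through `esc`; passing it the same way (`--template=${esc template_file}`) keeps the quoting consistent. The visible lines also regenerate the certificate unconditionally every time the script runs, so unless something above this snippet guards on an existing chain, each service start would replace the certificate that clients already trust; wrapping the certtool call in `if [ ! -s ${esc tls_chain} ]; then ... fi` would avoid that.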
Does this need to run as root? If not, why don't we just add this as a preStart script to kanidm?
I struggled with this, the security restrictions on the kanidm service are annoying. It's possible that I just didn't know the right way to do it, but I couldn't get it to work.
Also obviously the kanidm user doesn't have permission to create directories and change permissions, so this would have to be split into a systemd.tmpfiles entry to create the dir and then a separate service to generate the cert, and they have to be ordered correctly.
It should be able to write to its state directory (/var/lib/kanidm), and it looks like you chown the files to the kanidm user at the end. Do you have a specific need to customize the certificate path? Otherwise I believe this should just work by generating the certificate in preStart.
If you can make it work that'd be rad. I don't need to customize the certificate path, the way I did it just happened to allow it so I saw no need to restrict it.
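The preStart variant proposed in the thread above, as an added illustration and not code from this PR or from the nixpkgs kanidm module: it assumes the `services.kanidm.serverSettings.tls_key`/`tls_chain` option names, that the kanidm unit's sandbox lets the kanidm user write its state directory, and a placeholder hostname `idm.example.com`.

```nix
{ config, pkgs, lib, ... }:
let
  stateDir = "/var/lib/kanidm";
  tlsKey = "${stateDir}/key.pem";
  tlsChain = "${stateDir}/chain.pem";
  # certtool template; the hostname is an assumed placeholder.
  certTemplate = pkgs.writeText "kanidm-selfsigned.cfg" ''
    cn = "idm.example.com"
    dns_name = "idm.example.com"
    expiration_days = 365
    signing_key
    encryption_key
    tls_www_server
  '';
  certtool = "${pkgs.gnutls}/bin/certtool";
  esc = lib.escapeShellArg;
in
{
  services.kanidm.serverSettings = {
    tls_key = tlsKey;
    tls_chain = tlsChain;
  };

  # Assumption: the unit's StateDirectory is writable by the kanidm user, so
  # this ExecStartPre step runs as that user and needs no root helper or
  # tmpfiles rule.
  systemd.services.kanidm.preStart = ''
    umask 077
    if [ ! -s ${esc tlsKey} ]; then
      ${certtool} --generate-privkey --outfile ${esc tlsKey}
    fi
    # Mint the certificate only once: regenerating it on every start would
    # invalidate whatever clients already trust.
    if [ ! -s ${esc tlsChain} ]; then
      ${certtool} --generate-self-signed --load-privkey ${esc tlsKey} \
        --outfile ${esc tlsChain} --template ${esc certTemplate}
    fi
    chmod 0400 ${esc tlsKey} ${esc tlsChain}
  '';
}
```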