Merge pull request #179155 from linj-fork/caddy-improve-security

nixos/caddy: improve security about acme certs
2024-11-14 15:36:47 +03:00 · 2022-08-25 10:36:10 -03:00 · 2022-08-25 10:36:10 -03:00 · d05ae63d23
commit d05ae63d23
parent c6c6cad06d f7baa65db7
2 changed files with 6 additions and 6 deletions
--- a/nixos/modules/services/web-servers/caddy/default.nix
+++ b/nixos/modules/services/web-servers/caddy/default.nix
@ -308,7 +308,6 @@ in
        StateDirectory = mkIf (cfg.dataDir == "/var/lib/caddy") [ "caddy" ];
        LogsDirectory = mkIf (cfg.logDir == "/var/log/caddy") [ "caddy" ];
        Restart = "on-abnormal";
-        SupplementaryGroups = mkIf (length acmeVHosts != 0) [ "acme" ];

        # TODO: attempt to upstream these options
        NoNewPrivileges = true;
@ -331,9 +330,12 @@ in

    security.acme.certs =
      let
-        reloads = map (useACMEHost: nameValuePair useACMEHost { reloadServices = [ "caddy.service" ]; }) acmeHosts;
+        certCfg = map (useACMEHost: nameValuePair useACMEHost {
+          group = mkDefault cfg.group;
+          reloadServices = [ "caddy.service" ];
+        }) acmeHosts;
      in
-        listToAttrs reloads;
+        listToAttrs certCfg;

  };
 }
--- a/nixos/modules/services/web-servers/caddy/vhost-options.nix
+++ b/nixos/modules/services/web-servers/caddy/vhost-options.nix
@ -40,9 +40,7 @@ in

        <emphasis>Note that this option does not create any certificates, nor
        does it add subdomains to existing ones – you will need to create them
-        manually using <xref linkend="opt-security.acme.certs"/>. Additionally,
-        you should probably add the <literal>caddy</literal> user to the
-        <literal>acme</literal> group to grant access to the certificates.</emphasis>
+        manually using <xref linkend="opt-security.acme.certs"/>.</emphasis>
      '';
    };