diff options
| author | Arun Isaac | 2024-01-05 15:41:40 +0000 |
|---|---|---|
| committer | Arun Isaac | 2024-01-05 15:54:49 +0000 |
| commit | 4b3786b53f85223a8527e2fd39c7166471efd204 (patch) | |
| tree | 01eadc725d6ea495f4a5667b65dfef355082a296 | |
| parent | cc92203f1fd6004c8b87a4a3ed9bd70616af7175 (diff) | |
| download | gn-machines-4b3786b53f85223a8527e2fd39c7166471efd204.tar.gz | |
Set ownership and permissions on secret files.
* genenetwork-development.scm (genenetwork-activation): Set ownership
and permissions on secret files.
* genenetwork-development-deploy.sh: Share /etc/genenetwork/conf
instead of merely exposing it.
| -rwxr-xr-x | genenetwork-development-deploy.sh | 7 | ||||
| -rw-r--r-- | genenetwork-development.scm | 14 |
2 files changed, 16 insertions, 5 deletions
diff --git a/genenetwork-development-deploy.sh b/genenetwork-development-deploy.sh index e496fd0..d39bb7f 100755 --- a/genenetwork-development-deploy.sh +++ b/genenetwork-development-deploy.sh @@ -1,7 +1,7 @@ #! /bin/sh -e # genenetwork-machines --- Guix configuration for genenetwork machines -# Copyright © 2022 Arun Isaac <arunisaac@systemreboot.net> +# Copyright © 2022–2024 Arun Isaac <arunisaac@systemreboot.net> # # This file is part of genenetwork-machines. # @@ -24,6 +24,9 @@ # If we shared only the mysqld.sock socket file, it would break when # the external mysqld server is restarted. So, we share the mysqld # socket directory. + +# We set permissions on the secret files. So, we share +# /etc/genenetwork/conf instead of merely exposing it. container_script=$(guix system container --network \ --verbosity=3 \ --load-path=. \ @@ -34,7 +37,7 @@ container_script=$(guix system container --network \ --share=/export2/guix-containers/genenetwork-development/var/lib/tissue=/var/lib/tissue \ --share=/export2/guix-containers/genenetwork-development/var/lib/virtuoso=/var/lib/virtuoso \ --share=/export2/guix-containers/genenetwork-development/var/log/cd=/var/log/cd \ - --expose=/export2/guix-containers/genenetwork-development/etc/genenetwork/conf=/etc/genenetwork/conf \ + --share=/export2/guix-containers/genenetwork-development/etc/genenetwork/conf=/etc/genenetwork/conf \ --share=/export/data/genenetwork-virtuoso=/var/lib/data \ --expose=/export/data/genenetwork \ --share=/export/data/genenetwork-xapian \ diff --git a/genenetwork-development.scm b/genenetwork-development.scm index 59fbf37..5848ae5 100644 --- a/genenetwork-development.scm +++ b/genenetwork-development.scm @@ -680,17 +680,25 @@ described by CONFIG, a <genenetwork-configuration> object." (define (genenetwork-activation config) (match-record config <genenetwork-configuration> - (auth-db-path) + (gn2-secrets gn3-secrets auth-db-path) (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) + ;; Set ownership of files. (for-each (lambda (file) (chown file (passwd:uid (getpw "genenetwork")) (passwd:gid (getpw "genenetwork")))) - (find-files #$(dirname auth-db-path) - #:directories? #t)))))) + (cons* #$gn2-secrets + #$gn3-secrets + (find-files #$(dirname auth-db-path) + #:directories? #t))) + ;; Prevent other users from reading secret files. + (for-each (lambda (file) + (chmod file #o600)) + (list #$gn2-secrets + #$gn3-secrets)))))) (define genenetwork-service-type (service-type |