diff options
| author | Arun Isaac | 2024-01-05 15:41:40 +0000 |
|---|---|---|
| committer | Arun Isaac | 2024-01-05 15:54:49 +0000 |
| commit | 4b3786b53f85223a8527e2fd39c7166471efd204 (patch) | |
| tree | 01eadc725d6ea495f4a5667b65dfef355082a296 /genenetwork-development.scm | |
| parent | cc92203f1fd6004c8b87a4a3ed9bd70616af7175 (diff) | |
| download | gn-machines-4b3786b53f85223a8527e2fd39c7166471efd204.tar.gz | |
Set ownership and permissions on secret files.
* genenetwork-development.scm (genenetwork-activation): Set ownership and permissions on secret files. * genenetwork-development-deploy.sh: Share /etc/genenetwork/conf instead of merely exposing it.
Diffstat (limited to 'genenetwork-development.scm')
| -rw-r--r-- | genenetwork-development.scm | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/genenetwork-development.scm b/genenetwork-development.scm index 59fbf37..5848ae5 100644 --- a/genenetwork-development.scm +++ b/genenetwork-development.scm @@ -680,17 +680,25 @@ described by CONFIG, a <genenetwork-configuration> object." (define (genenetwork-activation config) (match-record config <genenetwork-configuration> - (auth-db-path) + (gn2-secrets gn3-secrets auth-db-path) (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) + ;; Set ownership of files. (for-each (lambda (file) (chown file (passwd:uid (getpw "genenetwork")) (passwd:gid (getpw "genenetwork")))) - (find-files #$(dirname auth-db-path) - #:directories? #t)))))) + (cons* #$gn2-secrets + #$gn3-secrets + (find-files #$(dirname auth-db-path) + #:directories? #t))) + ;; Prevent other users from reading secret files. + (for-each (lambda (file) + (chmod file #o600)) + (list #$gn2-secrets + #$gn3-secrets)))))) (define genenetwork-service-type (service-type |