-rw-r--r-- | genenetwork/services/genenetwork.scm | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/genenetwork/services/genenetwork.scm b/genenetwork/services/genenetwork.scm
index 5a2dda2..2d9e4f1 100644
--- a/genenetwork/services/genenetwork.scm
+++ b/genenetwork/services/genenetwork.scm
@@ -109,11 +109,24 @@
 (chown file
 (passwd:uid (getpw "genenetwork"))
 (passwd:gid (getpw "genenetwork"))))
- (cons* #$gn2-secrets
- #$gn3-secrets
- #$gn-auth-secrets
- (find-files #$(dirname auth-db)
- #:directories? #t)))))))
+ (find-files #$(dirname auth-db)
+ #:directories? #t))
+ ;; Let each service user own their own secrets files.
+ (chown #$gn2-secrets
+ (passwd:uid (getpw "gunicorn-genenetwork2"))
+ (passwd:gid (getpw "gunicorn-genenetwork2")))
+ (chown #$gn3-secrets
+ (passwd:uid (getpw "gunicorn-genenetwork3"))
+ (passwd:gid (getpw "gunicorn-genenetwork3")))
+ (chown #$gn-auth-secrets
+ (passwd:uid (getpw "gunicorn-gn-auth"))
+ (passwd:gid (getpw "gunicorn-gn-auth")))
+ ;; Set owner-only permissions on secrets files.
+ (for-each (lambda (file)
+ (chmod file #o600))
+ (list #$gn2-secrets
+ #$gn3-secrets
+ #$gn-auth-secrets))))))
 
 (define (configuration-file-gexp alist)
 "Return a G-expression that constructs a configuration file of
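Review bot: The file-to-user pairing is spelled out three times in hand-written `chown` forms and then the same three files are listed again for the `chmod` loop, so a fourth secrets file added later has to be threaded through two places and can silently miss one of them. Folding both steps into a single table-driven `for-each` over `(file . user)` pairs keeps the list in one place and applies the mode tightening and the ownership change together for each file. Note that `getpw` raises if a `gunicorn-*` account is missing, so activation fails loudly rather than leaving a secrets file owned by root and readable by nobody useful; that seems acceptable here, but worth a one-line comment. The enclosing activation gexp starts above the hunk, and I am assuming the `#$gn2-secrets`/`#$gn3-secrets`/`#$gn-auth-secrets` values are paths on the running system rather than store items (a `chmod` on a store path would fail).
```scheme
;; … unchanged: chown of the auth-db directory tree to "genenetwork" …
;; Hand each secrets file to its service user and make it owner-only.
;; getpw raises for an unknown account, so a missing service user
;; aborts activation instead of leaving the file in a half-configured state.
(for-each (lambda (entry)
            (let ((file (car entry))
                  (user (cdr entry)))
              (chmod file #o600)
              (chown file
                     (passwd:uid (getpw user))
                     (passwd:gid (getpw user)))))
          (list (cons #$gn2-secrets "gunicorn-genenetwork2")
                (cons #$gn3-secrets "gunicorn-genenetwork3")
                (cons #$gn-auth-secrets "gunicorn-gn-auth")))
```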