nixos/matrix-synapse: protect created files

Enforce UMask on the systemd unit to restrict the permissions of files created. Especially the homeserver signing key should not be world readable, and media is served through synapse itself, so no other user needs access to these files. Use a prestart chmod to fixup the permissions on the signing key.
2021-05-22 00:47:54 +02:00 · 2021-05-22 00:47:54 +02:00 · 79e675444c
parent a420acab1e
commit 79e675444c
1 changed files with 11 additions and 6 deletions
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@ -699,12 +699,12 @@ in {
    ];

    users.users.matrix-synapse = {
-        group = "matrix-synapse";
-        home = cfg.dataDir;
-        createHome = true;
-        shell = "${pkgs.bash}/bin/bash";
-        uid = config.ids.uids.matrix-synapse;
-      };
+      group = "matrix-synapse";
+      home = cfg.dataDir;
+      createHome = true;
+      shell = "${pkgs.bash}/bin/bash";
+      uid = config.ids.uids.matrix-synapse;
+    };

    users.groups.matrix-synapse = {
      gid = config.ids.gids.matrix-synapse;
@ -726,6 +726,10 @@ in {
        User = "matrix-synapse";
        Group = "matrix-synapse";
        WorkingDirectory = cfg.dataDir;
+        ExecStartPre = [ ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" ''
+          chown matrix-synapse:matrix-synapse ${cfg.dataDir}/homeserver.signing.key
+          chmod 0600 ${cfg.dataDir}/homeserver.signing.key
+        '')) ];
        ExecStart = ''
          ${cfg.package}/bin/homeserver \
            ${ concatMapStringsSep "\n  " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }
@ -733,6 +737,7 @@ in {
        '';
        ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
        Restart = "on-failure";
+        UMask = "0077";
      };
    };
  };