From 4334ac281a00f26dc0e6a7b95361de4838b6e724 Mon Sep 17 00:00:00 2001
From: Price Hiller
Date: Tue, 19 Dec 2023 02:31:41 -0600
Subject: [PATCH] fix: allow server configs to writeable by service user
This allows secrets to be correctly written to the files
---
 modules/squad-server.nix | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/modules/squad-server.nix b/modules/squad-server.nix
index 05f4521..f443ae2 100644
--- a/modules/squad-server.nix
+++ b/modules/squad-server.nix
@@ -983,16 +983,16 @@ in
 cp -f "${path}" ./"${name}.cfg"
 '') "" cfgs}
+ # Correct the permissions for the Squad Server cfgs. When the Squad Server is first
+ # installed it will include the configs by default with an overly open CHMOD.
+ chmod 0600 *.cfg
+
 ${lib.optionalString (cfg.config.server.passwordFile != null) ''
 ## Handle secrets for the `Server.cfg` file ##
 # Safely load the server password outside of the nix store
 sed -i -e 's/^ServerPassword=.*$/ServerPassword='"$(${pkgs.systemd}/bin/systemd-creds cat SQUAD_SERVER_PASSWORD_FILE)"'/g' ./Server.cfg
 ''}
- # Correct the permissions for the Squad Server cfgs. When the Squad Server is first
- # installed it will include the configs by default with an overly open CHMOD.
- chmod 0400 *.cfg
-
 ${lib.optionalString (cfg.config.rcon.passwordFile != null) ''
 ## Handle secrets for the `Rcon.cfg` file ##
 # Safely load the rcon password outside of the nix store
@@ -1005,6 +1005,10 @@ in
 printf "%s" "$(${pkgs.systemd}/bin/systemd-creds cat SQUAD_LICENSE_FILE)" > ./License.cfg
 ''}
+ # Correct the permissions for the Squad Server cfgs. When the Squad Server is first
+ # installed it will include the configs by default with an overly open CHMOD.
+ chmod 0600 *.cfg
+
 popd >/dev/null 2>&1
 cat <<-__EOS__
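Review bot: The comment copied above the first `chmod 0600 *.cfg` no longer describes why the call sits there: at this position it is what makes the freshly copied files owner-only and writable before any secret is written into them. I would reword it to `# Restrict the cfgs to the service user and make them writable before secrets are injected below.` The bare glob is also worth tightening to `chmod 0600 ./*.cfg`, so that a file name beginning with `-` cannot be read as an option. The unchanged `sed` line that this reordering serves still expands the password into sed's argument list and replacement text, so a password containing `/`, `&` or `\` would alter the substitution; that may deserve a follow-up. The enclosing script begins and ends outside the hunk.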
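Review bot: The trailing `chmod 0600 *.cfg` leaves the configs that now hold the injected secrets writable by the service user for as long as the server runs, whereas the removed call ended at 0400. If write access is only needed while this script fills in the secrets, finishing with `chmod 0400 ./*.cfg` would keep them read-only at runtime, since the earlier `chmod 0600` reopens them on the next run. Separately, `printf ... > ./License.cfg` creates the file with the umask's default mode when it does not already exist, so unless a `umask 077` is set outside the hunk, the license may be readable by other users until this chmod runs. The script continues past the end of the hunk.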