Commit 490a6c99 authored by Bob Mottram's avatar Bob Mottram

Permissions on lets encrypt directory

To allow apps using a dedicated user account to read certificates
parent 9e31cf48
......@@ -279,6 +279,11 @@ function add_cert_letsencrypt {
update_default_domain
# this group can be used to assign read permissions for
# application user accounts
chgrp -R ssl-cert /etc/letsencrypt
chmod -R g=rX /etc/letsencrypt
nginx_ensite ${LETSENCRYPT_HOSTNAME}
systemctl start nginx
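Review bot: `chgrp -R ssl-cert /etc/letsencrypt` followed by `chmod -R g=rX /etc/letsencrypt` makes every file in the tree group-readable, which with a standard certbot layout includes the private keys of every domain under archive/ and the ACME account key under accounts/, not just the one certificate an app needs; any account placed in ssl-cert (the matrix user later in this commit) can then read all of them. A narrower grant keeps a compromised app from reaching other domains' keys: change group and mode only on the relevant `live/<domain>` and `archive/<domain>` entries, or copy that domain's fullchain and privkey into an app-owned location, and leave accounts/ root-only. The same recursive pair is repeated in the install_matrix and restore_letsencrypt hunks below, so whatever scope is chosen belongs in one helper called from all three places rather than three copies. add_cert_letsencrypt continues outside the hunk.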
......
......@@ -214,7 +214,9 @@ function matrix_configure_homeserver_yaml {
if [[ $ONION_ONLY == "no" ]]; then
sed -i "s|tls_certificate_path:.*|tls_certificate_path: \"/etc/ssl/certs/${MATRIX_DOMAIN_NAME}.pem\"|g" "${filepath}"
sed -i "s|tls_private_key_path:.*|tls_private_key_path: \"/etc/ssl/private/${MATRIX_DOMAIN_NAME}.key\"|g" "${filepath}"
if ! grep -q '#tls_private_key_path' "${filepath}"; then
sed -i 's|tls_private_key_path|#tls_private_key_path|g' "${filepath}"
fi
sed -i "s|tls_dh_params_path:.*|tls_dh_params_path: \"/etc/ssl/certs/${MATRIX_DOMAIN_NAME}.dhparam\"|g" "${filepath}"
fi
sed -i 's|8448|8449|g' "${filepath}"
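Review bot: The `if ! grep -q '#tls_private_key_path'` guard appears to be the new part and does make the commenting-out idempotent, but the sed two lines above still rewrites `tls_private_key_path:` to the /etc/ssl/private key path on every run only for that line to be commented out immediately afterwards, so the first sed is wasted work and reads as a contradiction. If the intent is that synapse does not hold its own key (presumably because TLS is handled in front of it, given the 8448 to 8449 rewrite below), say so with a comment such as `# synapse's own TLS key is deliberately disabled; the path above is kept only so the line can be re-enabled by hand`, or drop the first sed. Note that the unanchored `s|tls_private_key_path:.*|` also matches an already-commented line, which is what keeps repeated runs stable; that is worth stating next to the guard. matrix_configure_homeserver_yaml continues outside the hunk.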
......@@ -524,6 +526,7 @@ function install_home_server {
groupadd matrix
useradd -c "Matrix system account" -d $MATRIX_DATA_DIR -m -r -g matrix matrix
usermod -a -G www-data matrix
usermod -a -G ssl-cert matrix
function_check install_turn
install_turn
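Review bot: `usermod -a -G ssl-cert matrix` assumes the ssl-cert group already exists; on Debian it is created by the ssl-cert package rather than by anything visible in this commit, and if it is absent usermod exits non-zero, which depending on the script's error handling either aborts install_home_server or silently leaves matrix without the membership. Check for it once before the usermod, e.g. `getent group ssl-cert >/dev/null || { echo $"ssl-cert group missing" >&2; exit 1; }`; the `chgrp -R ssl-cert` calls elsewhere in this commit have the same dependency. install_home_server continues outside the hunk.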
......@@ -623,6 +626,8 @@ function install_matrix {
exit 73572
fi
fi
chgrp -R ssl-cert /etc/letsencrypt
chmod -R g=rX /etc/letsencrypt
fi
export DEBIAN_FRONTEND=noninteractive
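Review bot: The `chgrp`/`chmod` pair added inside install_matrix runs once at install time, but certificate renewal writes a fresh privkey into archive/ and re-points the live/ symlinks, and with older certbot releases that new key is created root:root mode 0600, so the group read granted here is lost at the first renewal and synapse can no longer open its key after the next restart; this is inferred, since the renewal path is not in this hunk. The permission fix therefore also needs to run from the renewal path, for example as a certbot `--deploy-hook` script or from whatever timer this project uses for renewal, ideally via one helper shared with add_cert_letsencrypt and restore_letsencrypt. The `if` that the following `fi` closes starts outside the hunk, so the condition under which these lines run is not visible here.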
......
......@@ -223,6 +223,8 @@ function restore_letsencrypt {
if [ -d $USB_MOUNT/backup/letsencrypt ]; then
echo $"Restoring Lets Encrypt settings"
restore_directory_from_usb / letsencrypt
chgrp -R ssl-cert /etc/letsencrypt
chmod -R g=rX /etc/letsencrypt
fi
}
......