[Nix-dev] Setting default group & permissions on deployment.keys

4levels 4levels at gmail.com
Tue Jun 14 11:51:08 CEST 2016


Hi Nix Devs,

I'm currently implementing the deployment.keys approach to secure my web
projects (php, node, ..). I've managed to have all keys exported to
/run/keys but since the php process is running with the user:group
nginx:nginx, it has no access to the /run/keys folder.

Adding extraGroups = [ "keys" ] to users.extraUsers.nginx fixes access to
/run/keys.
Each key has by default the user:group root:root and permission "0600".
When adding the group = "keys" and permissions = "0640" to each key in
deployment.keys everything works as expected.

Is there a way to define a default group and permissions for all keys
without me specifying this for each key individually?
I'm currently well over 200 keys per machine so adding the group and
permissions for each key is quite elaborate..

As a secondary question:
Since I'm no security expert, I was wondering what the security impact is
of making Nginx part of the keys group and allowing it read-access to
/run/keys.


Kind regards,

Eirk aka 4levels
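One way to get the default group and permissions the post asks for, as an added example that is not part of the original message or of NixOps itself: keep the key material in a plain attribute set and apply the defaults with `lib.mapAttrs` before assigning it to `deployment.keys`. The key names and `text` values below are constructed placeholders; `text`, `user`, `group` and `permissions` are the per-key deployment.keys options, and the `keys` group plus `extraGroups` come from the post.

```nix
{ config, lib, pkgs, ... }:

let
  # Constructed sample keys: only the secret material, no ownership data.
  # In a real deployment these would more likely use keyFile = ./secrets/...
  rawKeys = {
    "db-password" = { text = "PLACEHOLDER-db-password"; };
    "api-token"   = { text = "PLACEHOLDER-api-token"; };
    # A key that deliberately overrides the defaults: readable by one user only.
    "backup-key"  = { text = "PLACEHOLDER-backup-key"; user = "backup"; group = "root"; permissions = "0600"; };
  };

  # Defaults applied to every key that does not set its own values.
  keyDefaults = {
    user = "root";
    group = "keys";
    permissions = "0640";
  };

  # lib.mapAttrs visits every key; the `//` update operator lets the
  # per-key attributes on the right win over the defaults on the left.
  withDefaults = keys: lib.mapAttrs (_name: key: keyDefaults // key) keys;
in
{
  deployment.keys = withDefaults rawKeys;

  # nginx (and php-fpm running as nginx:nginx) needs the "keys" group to
  # enter /run/keys, as described in the post.
  users.extraUsers.nginx.extraGroups = [ "keys" ];
}
```

Because `keyDefaults // key` is evaluated per key, adding a new key is a one-line entry in `rawKeys`, and any key that must not be shared can override `group` and `permissions` as `backup-key` does. On the secondary question: with mode 0640 and group `keys`, every process running as a member of that group can read every key marked that way, so a compromise of the nginx or php worker exposes all of them at once; the narrower option is to set `user` to the consuming service's own user on only the keys that service needs and leave the rest at 0600.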