Merge pull request #123941 from mweinelt/matrix-synapse

nixos/matrix-synapse: protect created files

nixos/modules/services/misc/matrix-synapse.nix

@@ -699,12 +699,12 @@ in {
     ];
 
     users.users.matrix-synapse = {
-        group = "matrix-synapse";
+      group = "matrix-synapse";
-        home = cfg.dataDir;
+      home = cfg.dataDir;
-        createHome = true;
+      createHome = true;
-        shell = "${pkgs.bash}/bin/bash";
+      shell = "${pkgs.bash}/bin/bash";
-        uid = config.ids.uids.matrix-synapse;
+      uid = config.ids.uids.matrix-synapse;
-      };
+    };
 
     users.groups.matrix-synapse = {
       gid = config.ids.gids.matrix-synapse;
@@ -726,6 +726,10 @@ in {
         User = "matrix-synapse";
         Group = "matrix-synapse";
         WorkingDirectory = cfg.dataDir;
+        ExecStartPre = [ ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" ''
+          chown matrix-synapse:matrix-synapse ${cfg.dataDir}/homeserver.signing.key
+          chmod 0600 ${cfg.dataDir}/homeserver.signing.key
+        '')) ];
         ExecStart = ''
           ${cfg.package}/bin/homeserver \
             ${ concatMapStringsSep "\n  " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }
@@ -733,6 +737,7 @@ in {
         '';
         ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
         Restart = "on-failure";
+        UMask = "0077";
       };
     };
   };