Permissions on lets encrypt directory

To allow apps using a dedicated user account to read certificates

src/freedombone-addcert

@@ -279,6 +279,11 @@ function add_cert_letsencrypt {
 
     update_default_domain
 
+    # this group can be used to assign read permissions for
+    # application user accounts
+    chgrp -R ssl-cert /etc/letsencrypt
+    chmod -R g=rX /etc/letsencrypt
+
     nginx_ensite ${LETSENCRYPT_HOSTNAME}
     systemctl start nginx
 

src/freedombone-app-matrix

@@ -214,7 +214,9 @@ function matrix_configure_homeserver_yaml {
 
     if [[ $ONION_ONLY == "no" ]]; then
         sed -i "s|tls_certificate_path:.*|tls_certificate_path: \"/etc/ssl/certs/${MATRIX_DOMAIN_NAME}.pem\"|g" "${filepath}"
-        sed -i "s|tls_private_key_path:.*|tls_private_key_path: \"/etc/ssl/private/${MATRIX_DOMAIN_NAME}.key\"|g" "${filepath}"
+        if ! grep -q '#tls_private_key_path' "${filepath}"; then
+            sed -i 's|tls_private_key_path|#tls_private_key_path|g' "${filepath}"
+        fi
         sed -i "s|tls_dh_params_path:.*|tls_dh_params_path: \"/etc/ssl/certs/${MATRIX_DOMAIN_NAME}.dhparam\"|g" "${filepath}"
     fi
     sed -i 's|8448|8449|g' "${filepath}"
@@ -524,6 +526,7 @@ function install_home_server {
     groupadd matrix
     useradd -c "Matrix system account" -d $MATRIX_DATA_DIR -m -r -g matrix matrix
     usermod -a -G www-data matrix
+    usermod -a -G ssl-cert matrix
 
     function_check install_turn
     install_turn
@@ -623,6 +626,8 @@ function install_matrix {
                 exit 73572
             fi
         fi
+        chgrp -R ssl-cert /etc/letsencrypt
+        chmod -R g=rX /etc/letsencrypt
     fi
 
     export DEBIAN_FRONTEND=noninteractive

src/freedombone-restore-local

@@ -223,6 +223,8 @@ function restore_letsencrypt {
     if [ -d $USB_MOUNT/backup/letsencrypt ]; then
         echo $"Restoring Lets Encrypt settings"
         restore_directory_from_usb / letsencrypt
+        chgrp -R ssl-cert /etc/letsencrypt
+        chmod -R g=rX /etc/letsencrypt
     fi
 }