chown and chmod generated pfx files

ssl-update.py

@@ -24,7 +24,16 @@ server_user = 'luke'
 domain = 'drheck.dev'
 
 supported_services = [
-  'git', 'plex', 'jellyfin', 'photoprism', 'nextcloud', 'read', 'www', 'chat', 'sync']
+  'chat',
+  'git',
+  'jellyfin',
+  'nextcloud',
+  'photoprism',
+  'plex',
+  'read',
+  'sync',
+  'www',
+]
 
 restart_delay = {
   'plex': 10
@@ -32,7 +41,7 @@ restart_delay = {
 
 pfx_key_path = {
     'plex': '/data/plex/certs/certificate.pfx',
-    'jellyfin': f'/etc/letsencrypt/live/jellyfin.{domain}/jellyfin.pfx',
+    'jellyfin': '/data/jellyfin/ssl/jellyfin.pfx',
 }
 
 # Cert owning user if different than the name of the service
@@ -158,6 +167,20 @@ def pfx_gen(service):
          '-inkey', f'/etc/letsencrypt/live/{service}.{domain}/privkey.pem',
          '-in', f'/etc/letsencrypt/live/{service}.{domain}/cert.pem',
          '-certfile', f'/etc/letsencrypt/live/{service}.{domain}/chain.pem']
+  user = service
+  if service in users:
+    user = users[service]
+  uid = pwd.getpwnam(user).pw_uid
+  gid = pwd.getpwnam(user).pw_gid
+
+  # chown after custom service in case pfx or other key is generated
+
+  log.info(f'changing owner of {pkp} - uid: {uid} gid: {gid}')
+  os.chown(pkp, uid, gid)
+
+  log.info(f'chmod {pkp} to 0o600')
+  pkp.chmod(0o600)
+
   log.info(f'cmd to encrypt private key: "{" ".join(cmd)}"')
   p = pexpect.spawnu(' '.join(cmd))
   p.logfile = sys.stderr