Merge pull request #299581 from Stunkymonkey/nsd-chmod-install

nixos/nsd: prefer 'install' over 'chmod'

nixos/modules/services/networking/nsd.nix

@@ -152,9 +152,7 @@ let
   copyKeys = concatStrings (mapAttrsToList (keyName: keyOptions: ''
     secret=$(cat "${keyOptions.keyFile}")
     dest="${stateDir}/private/${keyName}"
-    echo "  secret: \"$secret\"" > "$dest"
+    install -m 0400 -o "${username}" -g "${username}" <(echo "  secret: \"$secret\"") "$dest"
-    chown ${username}:${username} "$dest"
-    chmod 0400 "$dest"
   '') cfg.keys);
 
 
@@ -457,9 +455,7 @@ let
   dnssecTools = pkgs.bind.override { enablePython = true; };
 
   signZones = optionalString dnssec ''
-    mkdir -p ${stateDir}/dnssec
+    install -m 0600 -o "${username}" -g "${username}" -d "${stateDir}/dnssec"
-    chown ${username}:${username} ${stateDir}/dnssec
-    chmod 0600 ${stateDir}/dnssec
 
     ${concatStrings (mapAttrsToList signZone dnssecZones)}
   '';
@@ -961,9 +957,9 @@ in
         rm -Rf "${stateDir}/private/"
         rm -Rf "${stateDir}/tmp/"
 
-        mkdir -m 0700 -p "${stateDir}/private"
+        install -dm 0700 -o "${username}" -g "${username}" "${stateDir}/private"
-        mkdir -m 0700 -p "${stateDir}/tmp"
+        install -dm 0700 -o "${username}" -g "${username}" "${stateDir}/tmp"
-        mkdir -m 0700 -p "${stateDir}/var"
+        install -dm 0700 -o "${username}" -g "${username}" "${stateDir}/var"
 
         cat > "${stateDir}/don't touch anything in here" << EOF
         Everything in this directory except NSD's state in var and dnssec
@@ -971,10 +967,6 @@ in
         the nsd.service pre-start script.
         EOF
 
-        chown ${username}:${username} -R "${stateDir}/private"
-        chown ${username}:${username} -R "${stateDir}/tmp"
-        chown ${username}:${username} -R "${stateDir}/var"
-
         rm -rf "${stateDir}/zones"
         cp -rL "${nsdEnv}/zones" "${stateDir}/zones"