X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/c1e7f148bf3340300ae2f41d1ba7588cdfbb3b42..f3a1fcb306856fc904c7e8051ccb69ea85e5640f:/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls

diff --git a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
index 3b2be59f36..5a7d9a269a 100644
--- a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
@@ -10,12 +10,19 @@
 extra_custom_certs_file_directory_certs_dir:
   file.directory:
     - name: /etc/nginx/ssl
+    - user: root
+    - group: root
+    - dir_mode: 0750
+    - file_mode: 0640
     - require:
       - pkg: nginx_install
+    - recurse:
+      - user
+      - group
+      - mode
 
   {%- for cert in certs %}
     {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
-    {#- set csr_file = 'arvados-' ~ cert ~ '.csr' #}
     {%- set key_file = 'arvados-' ~ cert ~ '.key' %}
     {% for c in [cert_file, key_file] %}
 extra_custom_certs_file_copy_{{ c }}:
@@ -25,6 +32,7 @@ extra_custom_certs_file_copy_{{ c }}:
     - force: true
     - user: root
     - group: root
+    - mode: 0640
     - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
     - require:
       - file: extra_custom_certs_file_directory_certs_dir