Restrict secrets

2022-12-05 01:57:19 +01:00 · 2022-12-05 01:57:19 +01:00 · 58c4f8bec5
parent 2a0920904b
commit 58c4f8bec5
1 changed files with 8 additions and 1 deletions
--- a/hosts/hydra/hydra.nix
+++ b/hosts/hydra/hydra.nix
@ -152,7 +152,11 @@ in

  sops = {
    defaultSopsFile = ./secrets.yaml;
-    secrets."nix-serve/secretKey".mode = "0444";
+    secrets."nix-serve/secretKey" = {
+      mode = "440";
+      owner = config.users.users.hydra-queue-runner.name;
+      inherit (config.users.users.hydra-queue-runner) group;
+    };
  };

  systemd.services = {
@ -185,4 +189,7 @@ in
      MemorySwapMax = "64G";
    };
  };
+
+  # allow reading nix-serve secret
+  users.users.harmonia.extraGroups = [ "hydra" ];
 }