From 58c4f8bec5100cf6053a9bb1ea1b396293c1c472 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Mon, 5 Dec 2022 01:57:19 +0100
Subject: [PATCH] Restrict secrets

---
 hosts/hydra/hydra.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix
index 7713df48..10b54c9c 100644
--- a/hosts/hydra/hydra.nix
+++ b/hosts/hydra/hydra.nix
@@ -152,7 +152,11 @@ in
 
   sops = {
     defaultSopsFile = ./secrets.yaml;
-    secrets."nix-serve/secretKey".mode = "0444";
+    secrets."nix-serve/secretKey" = {
+      mode = "440";
+      owner = config.users.users.hydra-queue-runner.name;
+      inherit (config.users.users.hydra-queue-runner) group;
+    };
   };
 
   systemd.services = {
@@ -185,4 +189,7 @@ in
       MemorySwapMax = "64G";
     };
   };
+
+  # allow reading nix-serve secret
+  users.users.harmonia.extraGroups = [ "hydra" ];
 }
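Review bot: The signing key becomes readable by every member of hydra-queue-runner's primary group, because the `inherit (config.users.users.hydra-queue-runner) group;` line combined with mode `440` hands group-read to that whole group rather than to the one extra reader the commit is adding; that group's membership is not visible here, but if it is the shared hydra group of the NixOS hydra module (which, as far as I recall, also holds the hydra and hydra-www accounts) those services gain the key too. A group scoped to the key is tighter: `users.groups.nix-serve-key = { };`, then `group = "nix-serve-key";` on the secret, and put only the accounts that sign or serve with it into that group. The enclosing module attrset starts before the hunk.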
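Review bot: The literal `"hydra"` in the new extraGroups line names, by string, the same group the secret derives earlier in this file from `config.users.users.hydra-queue-runner.group`; the two are linked only by the assumption that hydra-queue-runner's primary group is called hydra, and if that assumption ever breaks harmonia silently loses read access to the key. Reference one value in both places, `users.users.harmonia.extraGroups = [ config.users.users.hydra-queue-runner.group ];`, so the grant follows the secret's group wherever it moves. The comment also understates what is granted; `# join hydra-queue-runner's group to read the nix-serve signing key (this also grants anything else that group can read)` tells the next maintainer the actual blast radius. The closing `}` ends the module's top-level attrset, which starts outside the hunk.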