Restrict secrets
This commit is contained in:
parent
2a0920904b
commit
58c4f8bec5
@ -152,7 +152,11 @@ in
sops = {
sops = {
defaultSopsFile = ./secrets.yaml;
defaultSopsFile = ./secrets.yaml;
secrets."nix-serve/secretKey".mode = "0444";
secrets."nix-serve/secretKey" = {
mode = "440";
owner = config.users.users.hydra-queue-runner.name;
inherit (config.users.users.hydra-queue-runner) group;
};
};
};
systemd.services = {
systemd.services = {
@ -185,4 +189,7 @@ in
MemorySwapMax = "64G";
MemorySwapMax = "64G";
};
};
};
};
# allow reading nix-serve secret
users.users.harmonia.extraGroups = [ "hydra" ];
}
}
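Review bot: The comment `# allow reading nix-serve secret` above `users.users.harmonia.extraGroups = [ "hydra" ];` only holds if hydra-queue-runner's primary group is actually named `hydra`; the secret in the first hunk inherits `config.users.users.hydra-queue-runner.group` with `mode = "440"`, and nothing in the diff shows that group is `hydra`, so a mismatch would leave harmonia unable to read the key without any evaluation error. Using the same expression on both sides removes the silent coupling: `users.users.harmonia.extraGroups = [ config.users.users.hydra-queue-runner.group ];`. Membership in that group also grants harmonia everything else the group can read, so if the goal is only the signing key, a dedicated group declared for this secret (with both users as members) is the narrower grant, and the comment should say which of the two is intended. The closing `}` ends the module attribute set whose header is outside the hunk.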