Restrict secrets
This commit is contained in:
parent
2a0920904b
commit
58c4f8bec5
@ -152,7 +152,11 @@ in
sops = {
defaultSopsFile = ./secrets.yaml;
secrets."nix-serve/secretKey".mode = "0444";
secrets."nix-serve/secretKey" = {
mode = "440";
owner = config.users.users.hydra-queue-runner.name;
inherit (config.users.users.hydra-queue-runner) group;
};
};
systemd.services = {
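Review bot: The group the secret is handed to here (`inherit (config.users.users.hydra-queue-runner) group;`) and the group harmonia is added to in the second hunk (`extraGroups = [ "hydra" ]`) are two independent spellings of what must be the same group; if hydra-queue-runner's primary group is anything other than `hydra`, harmonia silently loses read access to the 0440 key with no evaluation error. Deriving both from one source keeps them in step, e.g. in the second hunk `users.users.harmonia.extraGroups = [ config.users.users.hydra-queue-runner.group ];`, or alternatively pinning `group = "hydra";` explicitly on the secret in this hunk. The hydra-queue-runner user definition is not in the diff, so the actual primary group is inferred, not verified. The enclosing attribute set begins before this hunk.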
@ -185,4 +189,7 @@ in
MemorySwapMax = "64G";
};
};
# allow reading nix-serve secret
users.users.harmonia.extraGroups = [ "hydra" ];
}