infra/common/secrets-permissions.nix

# This module enforces permissions on secrets stored on the machines.

{ config, ... }:

{
  system.activationScripts."secrets-permissions" = ''
    # Default to restrictive permissions on secrets.
    # Root can alway read/write/traverse directories no matter the permissions
    # set.

    chown --recursive root:root /etc/secrets
    chmod --recursive 600 /etc/secrets

    # Relax permissions on some secrets.

    # The top directory must be readable and traversable by thoses who need to
    # access secrets.
    chmod 755 /etc/secrets

    # ... add chowns & chmods to specific users/groups when needed
  '';
}
pastila: system backups with restic 2024-05-28 17:56:03 +00:00			`# This module enforces permissions on secrets stored on the machines.`

			`{ config, ... }:`

			`{`
			`system.activationScripts."secrets-permissions" = ''`
			`# Default to restrictive permissions on secrets.`
			`# Root can alway read/write/traverse directories no matter the permissions`
			`# set.`

			`chown --recursive root:root /etc/secrets`
			`chmod --recursive 600 /etc/secrets`

			`# Relax permissions on some secrets.`

			`# The top directory must be readable and traversable by thoses who need to`
			`# access secrets.`
			`chmod 755 /etc/secrets`

			`# ... add chowns & chmods to specific users/groups when needed`
			`'';`
			`}`