Armael/infra
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
infra/common/secrets-permissions.nix

24 lines
646 B
Nix
Raw Blame History

# This module enforces permissions on secrets stored on the machines.
{ config, ... }:
{
system.activationScripts."secrets-permissions" = ''
# Default to restrictive permissions on secrets.
# Root can alway read/write/traverse directories no matter the permissions
# set.
mkdir -p /etc/secrets
chown --recursive root:root /etc/secrets
chmod --recursive 600 /etc/secrets
# Relax permissions on some secrets.
# The top directory must be readable and traversable by thoses who need to
# access secrets.
chmod 755 /etc/secrets
# ... add chowns & chmods to specific users/groups when needed
'';
}
Reference in a new issue View git blame Copy permalink