From f729f6a0980b439ed3d8143f2af82860c27bd5bd Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Tue, 2 Apr 2024 12:25:05 +0200
Subject: [PATCH 1/2] hosts: nixos: porthos: secrets: add 'lohr' owner

---
 hosts/nixos/porthos/secrets/secrets.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix
index bea380c..c43376b 100644
--- a/hosts/nixos/porthos/secrets/secrets.nix
+++ b/hosts/nixos/porthos/secrets/secrets.nix
@@ -31,8 +31,14 @@ in
       publicKeys = all;
     };
 
-    "lohr/secret.age".publicKeys = all;
-    "lohr/ssh-key.age".publicKeys = all;
+    "lohr/secret.age" = {
+      owner = "lohr";
+      publicKeys = all;
+    };
+    "lohr/ssh-key.age" = {
+      owner = "lohr";
+      publicKeys = all;
+    };
 
     "matrix/mail.age" = {
       owner = "matrix-synapse";

From 8f120e2129ceb2e32945cb5eecaaf43968d8f9cf Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Tue, 2 Apr 2024 12:25:34 +0200
Subject: [PATCH 2/2] nixos: services: lohr: fix SSH key creation

In the migration to `tmpfiles.d(5)`, I used the wrong type of file. Using `f` would write the path to the file as its content, rather than copy it.

Unfortunately `C` and `C+` do not overwrite an existing file, so using a symlink it the correct solution here.

This means the SSH key file must have `lohr` as an owner...

Perhaps I should make it so the service can read the file itself, rather than rely on the filesystem location, so that I don't have to contort myself quite so much to make it work.
---
 modules/nixos/services/lohr/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/nixos/services/lohr/default.nix b/modules/nixos/services/lohr/default.nix
index 21aadba..21ed93b 100644
--- a/modules/nixos/services/lohr/default.nix
+++ b/modules/nixos/services/lohr/default.nix
@@ -99,7 +99,7 @@ in
       };
     };
     "${lohrHome}/.ssh/id_ed25519" = {
-      "f+" = {
+      "L+" = {
         user = "lohr";
         group = "lohr";
         mode = "0700";
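Review bot: Neither new entry sets `mode`, so the decrypted `lohr/ssh-key.age` is left at agenix's default (0400 in current agenix; worth confirming for the version pinned here) and becomes readable only by the `lohr` uid, which is the sole reason the owner is being set. That reason lives in another module (the lohr service symlinks this key into the user's home), so a comment on the `ssh-key` entry would save the next reader a search, e.g. `# owned by lohr: the lohr service symlinks this decrypted key into ~lohr/.ssh, so that user must be able to read it`. Pinning the permission explicitly with `mode = "0400";` would also keep the private key from silently loosening if the agenix default ever changes, and it matches the private-key permissions ssh insists on for the file it ultimately opens.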
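Review bot: `mode = "0700"` on the new `L+` entry is a leftover from the `f+` line and no longer does anything: a symlink has no effective mode on Linux, and systemd-tmpfiles applies the user/group fields of an `L` line to the link itself rather than to the target, so the only permissions that matter are those of the agenix secret the link points at (which the sibling secrets change makes lohr-owned). Set `mode = "-";` or drop the attribute so the entry does not suggest a 0700 key file exists, and add `# symlink to the agenix-managed secret; access control is on the target, not the link` above it. The `"${lohrHome}/.ssh/id_ed25519"` attribute set continues past the end of the hunk, so the symlink target (`argument`) is not visible here; it is worth checking that it points at the secret's `.path` rather than at a copy, since any copy outside the agenix mount would not be covered by the 0400/owner protection this series relies on.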