diff --git a/modules/nixos/services/nebula-ui/default.nix b/modules/nixos/services/nebula-ui/default.nix
index f04895c..6514048 100644
--- a/modules/nixos/services/nebula-ui/default.nix
+++ b/modules/nixos/services/nebula-ui/default.nix
@@ -68,14 +68,14 @@ let
 }
 ];
- # ── SOPS secrets owned by the nebula-ui service user ───────────────────
+ # ── SOPS secrets ─────────────────────────────────────────────────────────
+ # ca-cert: already declared by the nebula module (owned by nebula-,
+ # mode 0440). We only append restartUnits here; access is via group membership.
 sops.secrets."${cfg.caCertSecretKey}" = {
- sopsFile = cfg.secretsFile;
- owner = name;
- group = name;
 restartUnits = [ "nebula-ui.service" ];
 };
+ # ca-key: only used by nebula-ui, so we own it outright.
 sops.secrets."${cfg.caKeySecretKey}" = {
 sopsFile = cfg.secretsFile;
 owner = name;
@@ -87,6 +87,8 @@ let
 users.users.${name} = {
 isSystemUser = true;
 group = name;
+ # Grant read access to the nebula CA secrets (owned by nebula-)
+ extraGroups = [ "nebula-${cfg.networkName}" ];
 description = "Nebula UI service user";
 };
 users.groups.${name} = { };
diff --git a/modules/nixos/services/nebula/sops.nix b/modules/nixos/services/nebula/sops.nix
index f3e9bdf..1588334 100755
--- a/modules/nixos/services/nebula/sops.nix
+++ b/modules/nixos/services/nebula/sops.nix
@@ -17,6 +17,9 @@ let
 group = nebulaUser;
 restartUnits = [ nebulaUnit ];
 };
+ # CA cert/key are group-readable so nebula-ui (a group member) can access them
+ mkCaSecret = _key: (mkSecret _key) // { mode = "0440"; };
 in
 {
 config = mkIf cfg.enable {
@@ -32,7 +35,7 @@ in
 ];
 sops.secrets = {
- "${cfg.secretsPrefix}/ca-cert" = mkSecret "ca-cert";
+ "${cfg.secretsPrefix}/ca-cert" = mkCaSecret "ca-cert";
 "${cfg.secretsPrefix}/${cfg.hostSecretName}-cert" = mkSecret "host-cert";
 "${cfg.secretsPrefix}/${cfg.hostSecretName}-key" = mkSecret "host-key";
 };
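Review bot: The ca-cert entry now depends on `cfg.caCertSecretKey` being exactly the attribute the nebula module declares (`"${cfg.secretsPrefix}/ca-cert"` in sops.nix); if the two strings diverge, sops-nix presumably treats this as a separate secret with its defaults (no owner, group or sopsFile override), nebula-ui cannot read it, and nothing in either module flags the mismatch. The second hunk carries the same implicit dependency, since `extraGroups = [ "nebula-${cfg.networkName}" ]` assumes the nebula module has created that group for the same network. An `assertions` entry in this module checking that the nebula network named by `cfg.networkName` is enabled and that `cfg.caCertSecretKey` equals the nebula module's ca-cert attribute would turn a silent permission failure into a build-time error, e.g. `message = "nebula-ui: caCertSecretKey must match the nebula module's ca-cert secret for network ${cfg.networkName}";`. The `sops.secrets."${cfg.caKeySecretKey}"` definition continues past the end of the hunk.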
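Review bot: The comment above `mkCaSecret` says the CA cert/key are group-readable, but the following hunk applies `mkCaSecret` only to `ca-cert`; the CA key is not declared in this file at all (default.nix keeps it owned by nebula-ui), so `# CA cert is group-readable (0440) so nebula-ui, a member of the nebula group, can read it` would describe what the code actually does. The leading underscore in `_key` conventionally marks an unused binding, yet the parameter is used on the same line; `mkCaSecret = key: (mkSecret key) // { mode = "0440"; };` avoids the misleading hint. Widening the certificate to the whole `nebula-<network>` group is reasonable for the public CA cert, but the helper's name and comment should not invite reuse for key material, which would need a narrower owner or group. The enclosing `let` block starts before the hunk.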