nebula

2026-04-08 15:16:25 -05:00
parent 7adbafb848
commit 6b8395ffdb
2 changed files with 10 additions and 5 deletions
--- a/modules/nixos/services/nebula-ui/default.nix
+++ b/modules/nixos/services/nebula-ui/default.nix
@@ -68,14 +68,14 @@ let
        }
      ];

-      # ── SOPS secrets owned by the nebula-ui service user ───────────────────
+      # ── SOPS secrets ─────────────────────────────────────────────────────────
+      # ca-cert: already declared by the nebula module (owned by nebula-<network>,
+      # mode 0440). We only append restartUnits here; access is via group membership.
      sops.secrets."${cfg.caCertSecretKey}" = {
-        sopsFile = cfg.secretsFile;
-        owner = name;
-        group = name;
        restartUnits = [ "nebula-ui.service" ];
      };

+      # ca-key: only used by nebula-ui, so we own it outright.
      sops.secrets."${cfg.caKeySecretKey}" = {
        sopsFile = cfg.secretsFile;
        owner = name;
@@ -87,6 +87,8 @@ let
      users.users.${name} = {
        isSystemUser = true;
        group = name;
+        # Grant read access to the nebula CA secrets (owned by nebula-<network>)
+        extraGroups = [ "nebula-${cfg.networkName}" ];
        description = "Nebula UI service user";
      };
      users.groups.${name} = { };
--- a/modules/nixos/services/nebula/sops.nix
+++ b/modules/nixos/services/nebula/sops.nix
@@ -17,6 +17,9 @@ let
    group = nebulaUser;
    restartUnits = [ nebulaUnit ];
  };
+
+  # CA cert/key are group-readable so nebula-ui (a group member) can access them
+  mkCaSecret = _key: (mkSecret _key) // { mode = "0440"; };
 in
 {
  config = mkIf cfg.enable {
@@ -32,7 +35,7 @@ in
    ];

    sops.secrets = {
-      "${cfg.secretsPrefix}/ca-cert" = mkSecret "ca-cert";
+      "${cfg.secretsPrefix}/ca-cert" = mkCaSecret "ca-cert";
      "${cfg.secretsPrefix}/${cfg.hostSecretName}-cert" = mkSecret "host-cert";
      "${cfg.secretsPrefix}/${cfg.hostSecretName}-key" = mkSecret "host-key";
    };