nebula

2026-04-08 15:16:25 -05:00
parent 7adbafb848
commit 6b8395ffdb
2 changed files with 10 additions and 5 deletions
--- a/modules/nixos/services/nebula/sops.nix
+++ b/modules/nixos/services/nebula/sops.nix
@@ -17,6 +17,9 @@ let
    group = nebulaUser;
    restartUnits = [ nebulaUnit ];
  };
+
+  # CA cert/key are group-readable so nebula-ui (a group member) can access them
+  mkCaSecret = _key: (mkSecret _key) // { mode = "0440"; };
 in
 {
  config = mkIf cfg.enable {
@@ -32,7 +35,7 @@ in
    ];

    sops.secrets = {
-      "${cfg.secretsPrefix}/ca-cert" = mkSecret "ca-cert";
+      "${cfg.secretsPrefix}/ca-cert" = mkCaSecret "ca-cert";
      "${cfg.secretsPrefix}/${cfg.hostSecretName}-cert" = mkSecret "host-cert";
      "${cfg.secretsPrefix}/${cfg.hostSecretName}-key" = mkSecret "host-key";
    };