nebula

2026-04-08 15:16:25 -05:00
parent 7adbafb848
commit 6b8395ffdb
2 changed files with 10 additions and 5 deletions
--- a/modules/nixos/services/nebula-ui/default.nix
+++ b/modules/nixos/services/nebula-ui/default.nix
@@ -68,14 +68,14 @@ let
        }
      ];

-      # ── SOPS secrets owned by the nebula-ui service user ───────────────────
+      # ── SOPS secrets ─────────────────────────────────────────────────────────
+      # ca-cert: already declared by the nebula module (owned by nebula-<network>,
+      # mode 0440). We only append restartUnits here; access is via group membership.
      sops.secrets."${cfg.caCertSecretKey}" = {
-        sopsFile = cfg.secretsFile;
-        owner = name;
-        group = name;
        restartUnits = [ "nebula-ui.service" ];
      };

+      # ca-key: only used by nebula-ui, so we own it outright.
      sops.secrets."${cfg.caKeySecretKey}" = {
        sopsFile = cfg.secretsFile;
        owner = name;
@@ -87,6 +87,8 @@ let
      users.users.${name} = {
        isSystemUser = true;
        group = name;
+        # Grant read access to the nebula CA secrets (owned by nebula-<network>)
+        extraGroups = [ "nebula-${cfg.networkName}" ];
        description = "Nebula UI service user";
      };
      users.groups.${name} = { };