nebula

modules/nixos/services/nebula-ui/default.nix

@@ -68,14 +68,14 @@ let
         }
       ];
 
-      # ── SOPS secrets owned by the nebula-ui service user ───────────────────
+      # ── SOPS secrets ─────────────────────────────────────────────────────────
+      # ca-cert: already declared by the nebula module (owned by nebula-<network>,
+      # mode 0440). We only append restartUnits here; access is via group membership.
       sops.secrets."${cfg.caCertSecretKey}" = {
-        sopsFile = cfg.secretsFile;
-        owner = name;
-        group = name;
         restartUnits = [ "nebula-ui.service" ];
       };
 
+      # ca-key: only used by nebula-ui, so we own it outright.
       sops.secrets."${cfg.caKeySecretKey}" = {
         sopsFile = cfg.secretsFile;
         owner = name;
@@ -87,6 +87,8 @@ let
       users.users.${name} = {
         isSystemUser = true;
         group = name;
+        # Grant read access to the nebula CA secrets (owned by nebula-<network>)
+        extraGroups = [ "nebula-${cfg.networkName}" ];
         description = "Nebula UI service user";
       };
       users.groups.${name} = { };

modules/nixos/services/nebula/sops.nix

@@ -17,6 +17,9 @@ let
     group = nebulaUser;
     restartUnits = [ nebulaUnit ];
   };
+
+  # CA cert/key are group-readable so nebula-ui (a group member) can access them
+  mkCaSecret = _key: (mkSecret _key) // { mode = "0440"; };
 in
 {
   config = mkIf cfg.enable {
@@ -32,7 +35,7 @@ in
     ];
 
     sops.secrets = {
-      "${cfg.secretsPrefix}/ca-cert" = mkSecret "ca-cert";
+      "${cfg.secretsPrefix}/ca-cert" = mkCaSecret "ca-cert";
       "${cfg.secretsPrefix}/${cfg.hostSecretName}-cert" = mkSecret "host-cert";
       "${cfg.secretsPrefix}/${cfg.hostSecretName}-key" = mkSecret "host-key";
     };