From 52690b3169b1907e9040c9013b0939f49ca8467d Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Thu, 9 May 2024 17:26:55 +0200
Subject: [PATCH] non-writable secrets
---
 hosts/alpha/network.nix | 4 ++--
 hosts/sigma/caddy.nix | 2 +-
 hosts/sigma/mail.nix | 2 +-
 hosts/sigma/network.nix | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/hosts/alpha/network.nix b/hosts/alpha/network.nix
index 475b37d..b582fcf 100644
--- a/hosts/alpha/network.nix
+++ b/hosts/alpha/network.nix
@@ -93,14 +93,14 @@ age.secrets.wireguard-preshared-key-file = {
 file = "${secrets}/secrets/wireguard-preshared-key-file.age";
- mode = "640";
+ mode = "440";
 owner = "root";
 group = "systemd-network";
 };
 age.secrets.wireguard-private-key-file-alpha = {
 file = "${secrets}/secrets/wireguard-private-key-file-alpha.age";
- mode = "640";
+ mode = "440";
 owner = "root";
 group = "systemd-network";
 };
diff --git a/hosts/sigma/caddy.nix b/hosts/sigma/caddy.nix
index e6a4152..abc8a3a 100644
--- a/hosts/sigma/caddy.nix
+++ b/hosts/sigma/caddy.nix
@@ -6,7 +6,7 @@ age.secrets.caddy-auth-sigma = {
 file = "${secrets}/secrets/caddy-auth-sigma.age";
- mode = "600";
+ mode = "400";
 owner = "caddy";
 group = "caddy";
 };
diff --git a/hosts/sigma/mail.nix b/hosts/sigma/mail.nix
index 8193387..766a9d8 100644
--- a/hosts/sigma/mail.nix
+++ b/hosts/sigma/mail.nix
@@ -123,7 +123,7 @@ age.secrets.mail-hashed-password-file = {
 file = "${secrets}/secrets/mail-hashed-password-file.age";
- mode = "600";
+ mode = "400";
 owner = "root";
 group = "root";
 };
diff --git a/hosts/sigma/network.nix b/hosts/sigma/network.nix
index 5222141..a3f598f 100644
--- a/hosts/sigma/network.nix
+++ b/hosts/sigma/network.nix
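Review bot: In the hosts/alpha/network.nix hunk both WireGuard entries keep `owner = "root"`, so going from `640` to `440` protects against accidental edits rather than narrowing access: a root process normally bypasses the mode bits, and the access that matters is still the group read granted to `systemd-network`. A short comment on each entry would record why that group read exists, e.g. `# group-readable: presumably systemd-networkd (running as systemd-network) has to load this key`. The same applies to the two entries in the hosts/sigma/network.nix hunk. The attribute sets are fully visible here, but the enclosing module is not.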
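Review bot: In the hosts/sigma/mail.nix hunk the entry now reads `mode = "400"; owner = "root"; group = "root";`, which, if this is the stock agenix module, is what its defaults already give (`0400`, root-owned), so the three lines no longer change the result. Either drop them, or keep them with a comment saying they are spelled out deliberately, e.g. `# explicit on purpose: read-only, root only`. If they stay, the four-digit form `"0400"` reads less ambiguously as an octal mode.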
@@ -174,14 +174,14 @@ age.secrets.wireguard-preshared-key-file = {
 file = "${secrets}/secrets/wireguard-preshared-key-file.age";
- mode = "640";
+ mode = "440";
 owner = "root";
 group = "systemd-network";
 };
 age.secrets.wireguard-private-key-file-sigma = {
 file = "${secrets}/secrets/wireguard-private-key-file-sigma.age";
- mode = "640";
+ mode = "440";
 owner = "root";
 group = "systemd-network";
 };
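Review bot: The `wireguard-preshared-key-file` entry in this hunk is the same declaration as the one in hosts/alpha/network.nix, and the commit had to change its mode in both files. Declaring the shared secret once in a module imported by both hosts would keep its permissions from drifting apart on a later edit, leaving only the per-host private-key entries in the host files. The rest of the module is outside the hunk, so whether such a shared module already exists cannot be seen from here.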