non-writable secrets

2024-05-09 17:26:55 +02:00 · 2024-05-09 17:26:55 +02:00 · 52690b3169
parent 5bfc0b0c7d
commit 52690b3169
4 changed files with 6 additions and 6 deletions
--- a/hosts/alpha/network.nix
+++ b/hosts/alpha/network.nix
@ -93,14 +93,14 @@
  age.secrets.wireguard-preshared-key-file = {
    file = "${secrets}/secrets/wireguard-preshared-key-file.age";
-    mode = "640";
+    mode = "440";
    owner = "root";
    group = "systemd-network";
  };
  age.secrets.wireguard-private-key-file-alpha = {
    file = "${secrets}/secrets/wireguard-private-key-file-alpha.age";
-    mode = "640";
+    mode = "440";
    owner = "root";
    group = "systemd-network";
  };
--- a/hosts/sigma/caddy.nix
+++ b/hosts/sigma/caddy.nix
@ -6,7 +6,7 @@
  age.secrets.caddy-auth-sigma = {
    file = "${secrets}/secrets/caddy-auth-sigma.age";
-    mode = "600";
+    mode = "400";
    owner = "caddy";
    group = "caddy";
  };
--- a/hosts/sigma/mail.nix
+++ b/hosts/sigma/mail.nix
@ -123,7 +123,7 @@
  age.secrets.mail-hashed-password-file = {
    file = "${secrets}/secrets/mail-hashed-password-file.age";
-    mode = "600";
+    mode = "400";
    owner = "root";
    group = "root";
  };
--- a/hosts/sigma/network.nix
+++ b/hosts/sigma/network.nix
@ -174,14 +174,14 @@
  age.secrets.wireguard-preshared-key-file = {
    file = "${secrets}/secrets/wireguard-preshared-key-file.age";
-    mode = "640";
+    mode = "440";
    owner = "root";
    group = "systemd-network";
  };
  age.secrets.wireguard-private-key-file-sigma = {
    file = "${secrets}/secrets/wireguard-private-key-file-sigma.age";
-    mode = "640";
+    mode = "440";
    owner = "root";
    group = "systemd-network";
  };