authorseth <[email protected]>2023-05-03 12:53:36 -0400
committerseth <[email protected]>2023-05-03 12:53:36 -0400
commitf90b70fb3ca3b2da4752b93d29d1a5f8bf906273 (patch)
tree34c5af2d5266a796086de007cd0a3cb7bc241238 /hosts
parentdd0f82a707e76fb7c32442b11bb6cda56e1d05d5 (diff)
add correct perms for hercules-ci secrets
Diffstat (limited to 'hosts')
-rw-r--r--hosts/default.nix60
1 files changed, 51 insertions, 9 deletions
diff --git a/hosts/default.nix b/hosts/default.nix
index 0aa47a3..789c320 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -89,14 +89,35 @@ in {
(import "${self}/modules/server")
{
- age = {
+ age = let
+ hercArgs = {
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ };
+ in {
identityPaths = ["/etc/age/key"];
secrets = {
rootPassword.file = "${self}/secrets/hosts/atlas/rootPassword.age";
- atlasPassword.file = "${self}/secrets/hosts/atlas/atlasPassword.age";
- binaryCache.file = "${self}/secrets/hosts/atlas/binaryCache.age";
- clusterToken.file = "${self}/secrets/hosts/atlas/clusterToken.age";
- secretsJson.file = "${self}/secrets/hosts/atlas/secretsJson.age";
+ atlasPassword.file = "${self}/secrets/hosts/atlas/pbodyPassword.age";
+
+ binaryCache =
+ {
+ file = "${self}/secrets/hosts/atlas/binaryCache.age";
+ }
+ // hercArgs;
+
+ clusterToken =
+ {
+ file = "${self}/secrets/hosts/atlas/clusterToken.age";
+ }
+ // hercArgs;
+
+ secretsJson =
+ {
+ file = "${self}/secrets/hosts/atlas/secretsJson.age";
+ }
+ // hercArgs;
};
};
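Review bot: The `atlasPassword.file` path in this hunk changes from `atlasPassword.age` to `pbodyPassword.age` under `secrets/hosts/atlas/`, which has nothing to do with the stated purpose (permissions for the hercules-ci secrets) and reads like a copy-paste slip from the p-body host; unless the secret file was actually renamed (no such rename is visible here, the diffstat being limited to `hosts`), the line should stay `atlasPassword.file = "${self}/secrets/hosts/atlas/atlasPassword.age";`. If it is intentional, it deserves its own commit or at least a mention in the message, since a wrong path here means the atlas user password secret silently fails to decrypt at activation. Separately, `hercArgs` is defined verbatim in both this hunk and the p-body hunk below; hoisting it to a single binding in the outer `let` (outside both hunks) would keep the owner/group/mode in one place so the two hosts cannot drift. The enclosing host definition starts before the hunk.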
@@ -124,14 +145,35 @@ in {
(import "${self}/modules/server")
{
- age = {
+ age = let
+ hercArgs = {
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ };
+ in {
identityPaths = ["/etc/age/key"];
secrets = {
rootPassword.file = "${self}/secrets/hosts/p-body/rootPassword.age";
pbodyPassword.file = "${self}/secrets/hosts/p-body/pbodyPassword.age";
- binaryCache.file = "${self}/secrets/hosts/p-body/binaryCache.age";
- clusterToken.file = "${self}/secrets/hosts/p-body/clusterToken.age";
- secretsJson.file = "${self}/secrets/hosts/p-body/secretsJson.age";
+
+ binaryCache =
+ {
+ file = "${self}/secrets/hosts/p-body/binaryCache.age";
+ }
+ // hercArgs;
+
+ clusterToken =
+ {
+ file = "${self}/secrets/hosts/p-body/clusterToken.age";
+ }
+ // hercArgs;
+
+ secretsJson =
+ {
+ file = "${self}/secrets/hosts/p-body/secretsJson.age";
+ }
+ // hercArgs;
};
};