fix(secrets): Default secret permissions to 0440

The default age permissions for secrets block the "group" from accessing
the secret, making the `group` option useless without additionally specifying a
mode.

This fixes that issue

Change-Id: I10a49b4c82bab32696d5508c02e31b8782021238
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/807
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Skyler Grey <minion@clicks.codes>
diff --git a/modules/nixos/clicks/security/secrets/groupPerms/default.nix b/modules/nixos/clicks/security/secrets/groupPerms/default.nix
new file mode 100644
index 0000000..1f176ac
--- /dev/null
+++ b/modules/nixos/clicks/security/secrets/groupPerms/default.nix
@@ -0,0 +1,27 @@
+{ config, lib, ... }: {
+  options.clicks.security.secrets.groupPerms.enable = lib.mkOption {
+    description = ''
+      Enable setting permissions for age secrets to 0440 rather than 0400 by
+      default, allowing group access
+
+      The default age permissions for secrets block the "group" from accessing
+      the secret, making that option useless without additionally specifying a
+      mode
+      '';
+    type = lib.types.bool;
+    default = config.clicks.security.secrets.enable;
+  };
+
+  options.age = {
+    secrets = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule (submodule: {
+        config = {
+          mode = lib.pipe "0440" [
+            (lib.mkOverride 999)
+            (lib.mkIf config.clicks.security.secrets.groupPerms.enable)
+          ];
+        };
+      }));
+    };
+  };
+}
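Review bot: The `mode` assignment inside the submodule `config` widens every `age.secrets` entry on the host to 0440 whenever `clicks.security.secrets.enable` is set, including secrets that never declared a `group`, so those become readable by whatever group agenix assigns by default rather than only the secrets that opted into group sharing. The `submodule` argument is already bound but unused, so the default can be limited to secrets with an explicit group: `mode = lib.mkIf (config.clicks.security.secrets.groupPerms.enable && submodule.options.group.isDefined) (lib.mkOverride 999 "0440");`. The option `description` should also state that this applies to all `age.secrets` entries and that a per-secret `mode` still wins because of the 999 priority. Note that the four headscale secrets in the second hunk now rely entirely on this module; if `clicks.security.secrets.enable` is false on that host they fall back to the 0400 default and the `headscale` group loses access silently.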
diff --git a/systems/x86_64-linux/teal/default.nix b/systems/x86_64-linux/teal/default.nix
index 0bd7bd4..4cceeca 100644
--- a/systems/x86_64-linux/teal/default.nix
+++ b/systems/x86_64-linux/teal/default.nix
@@ -294,21 +294,17 @@
   age.secrets."clicks.services.headscale.oidc.client_secret_path" = {
     rekeyFile = ./clicks.services.headscale.oidc.client_secret_path.age;
     group = "headscale";
-    mode = "440";
   };
   age.secrets."clicks.services.headscale.database_password_path" = {
     rekeyFile = ./clicks.services.headscale.database_password_path.age;
     group = "headscale";
-    mode = "440";
   };
   age.secrets."clicks.services.headscale.noise_private_key_path" = {
     rekeyFile = ./clicks.services.headscale.noise_private_key_path.age;
     group = "headscale";
-    mode = "440";
   };
   age.secrets."clicks.services.headscale.private_key_path" = {
     rekeyFile = ./clicks.services.headscale.private_key_path.age;
     group = "headscale";
-    mode = "440";
   };
 }