Currently, a secret must be accessible by the tsnsrv user or group (and there has to be a stable group) in order for tsnsrv to start. Something like the following in agenix:
However, systemd units can use LoadCredential= to make systemd make secret files available to them (and only them) in a private path. The source file doesn't need to have any permissions for any user (it can be mode 000 as far as I can tell).
That should be a no-op change for existing NixOS module users and should allow the service to be hardened much better.
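A sketch of what the proposal above could look like in a NixOS configuration, added here as an illustration and not taken from the issue or from the tsnsrv module. The unit name `tsnsrv-example`, the secret name and `.age` path, the `pkgs.tsnsrv` package reference, the upstream URL and the `-name`, `-stateDir` and `-authkeyPath` command-line flags are all assumptions.

```nix
{ config, pkgs, ... }:
let
  # Assumption: the name under which systemd exposes the credential to the unit.
  credName = "authkey";
in
{
  # agenix decrypts the secret. No owner, group or mode is set, so the file
  # keeps agenix's defaults (root-owned, not readable by any service user)
  # and no stable tsnsrv user or group is needed.
  age.secrets.tsnsrv-authkey.file = ./secrets/tsnsrv-authkey.age; # hypothetical path

  # Hypothetical unit standing in for the one the module would generate.
  systemd.services.tsnsrv-example = {
    wantedBy = [ "multi-user.target" ];
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];

    serviceConfig = {
      # systemd reads the source file itself and exposes a copy to this unit
      # only, in a private directory ($CREDENTIALS_DIRECTORY).
      LoadCredential = [
        "${credName}:${config.age.secrets.tsnsrv-authkey.path}"
      ];

      # %d expands to the unit's credentials directory, %S to the state
      # directory root. The flags are assumed, not confirmed by the issue.
      ExecStart = ''
        ${pkgs.tsnsrv}/bin/tsnsrv -name example \
          -stateDir %S/tsnsrv-example \
          -authkeyPath %d/${credName} \
          http://127.0.0.1:8080
      '';

      # Hardening that no longer conflicts with reading the secret:
      DynamicUser = true;          # transient UID/GID, no stable group required
      StateDirectory = "tsnsrv-example";
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
    };
  };
}
```

To check the result on a running system, `systemctl show -p LoadCredential tsnsrv-example` lists the configured credential, and the decrypted file under `/run/agenix` should remain unreadable to non-root users.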