Open Kreyren opened 1 month ago

In an example configuration where you e.g. want to set up an SSHD for an onion service, but don't want people to know the onion URL:

```nix
{ config, ... }: {
  age.secrets.SYSTEM-onion = {
    file = ./SYSTEM-onion.age;
    owner = "tor";
    group = "tor";
    mode = "0400";
    path = "/var/lib/tor/SYSTEM-onion.conf";
  };
  # Make tor source the file
  services.tor.settings."%include" = config.age.secrets.SYSTEM-onion.path;
}
```

with secret:

```
MapAddress SYSTEM.TLD somewhereinthedark.onion
```

will generate a symlink with `root:root` ownership:

```
lrwxrwxrwx 1 root root 25 May 26 22:10 pelagus-onion.conf -> /run/agenix/pelagus-onion
```

that causes tor to fail:

Adding `symlink = false;` or changing the symlink's permissions to `tor:tor` appears to fix the problem.

## Proposal

Make the symlink carry the permissions set in `age.secret.SECRET.{owner,group,mode}`.

## Relevants

Wasted ~20 hours on this in development of https://github.com/kreyren/nixos-config for the PELAGUS system on the NixOS distribution.
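A check for the mismatch this report describes, added here as an example rather than code from agenix or from the author's configuration: it compares a secret's declared owner/group/mode with what `lstat()` reports on the symlink itself and `stat()` reports on its target, so a root-owned link pointing at a tor-owned file shows up as a finding. The `SecretSpec` and `make_secret_link` names and the flat temp-directory layout are assumptions made for the example.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class SecretSpec:
    name: str
    path: str   # where the consuming service reads it (the tor %include path)
    uid: int    # resolved from `owner`
    gid: int    # resolved from `group`
    mode: int   # e.g. 0o400


def check_secret(spec: SecretSpec) -> list[str]:
    """Return findings for one secret; an empty list means disk matches the spec."""
    findings: list[str] = []
    try:
        link_st = os.lstat(spec.path)  # the symlink inode itself, not its target
    except FileNotFoundError:
        return [f"{spec.name}: {spec.path} is missing"]
    if stat.S_ISLNK(link_st.st_mode):
        # Daemons that check config ownership may see the link's owner, not the target's.
        if (link_st.st_uid, link_st.st_gid) != (spec.uid, spec.gid):
            findings.append(f"{spec.name}: symlink owned by {link_st.st_uid}:"
                            f"{link_st.st_gid}, expected {spec.uid}:{spec.gid}")
        try:
            target_st = os.stat(spec.path)  # follows the link
        except FileNotFoundError:
            return findings + [f"{spec.name}: dangling symlink {spec.path}"]
    else:
        target_st = link_st
    if (target_st.st_uid, target_st.st_gid) != (spec.uid, spec.gid):
        findings.append(f"{spec.name}: target owned by {target_st.st_uid}:"
                        f"{target_st.st_gid}, expected {spec.uid}:{spec.gid}")
    if stat.S_IMODE(target_st.st_mode) != spec.mode:
        findings.append(f"{spec.name}: target mode {stat.S_IMODE(target_st.st_mode):o}, "
                        f"expected {spec.mode:o}")
    return findings


def make_secret_link(directory: str, name: str, content: str) -> str:
    """Constructed agenix-like layout: <dir>/<name> (0400) and <dir>/<name>.conf -> it."""
    real = os.path.join(directory, name)
    with open(real, "w") as fh:
        fh.write(content)
    os.chmod(real, 0o400)
    link = os.path.join(directory, name + ".conf")
    os.symlink(real, link)  # link is owned by whoever runs this, as root would be on NixOS
    return link
```

Running the check against the declared secrets after activation gives a quick way to confirm the link and its target both carry the owner the service expects, instead of discovering it from the daemon's failure.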