fix(module): Provide access to the passed in secret

author: Benedikt Peetz <benedikt.peetz@b-peetz.de> 2026-03-22 15:48:35 +0100
committer: Benedikt Peetz <benedikt.peetz@b-peetz.de> 2026-03-22 15:48:35 +0100
commit: 55311dd6dd0393e455d2a507b27b7778f289ded8 (patch)
tree: 80165f38b0347ee5e24b6a2fa275dc8f44d8b93e
parent: fix(module): Correctly concat the systemd `ExecStart` command (diff)
download: nix-55311dd6dd0393e455d2a507b27b7778f289ded8.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/module/default.nix b/module/default.nix
index dff15bb..4dcb17e 100644
--- a/module/default.nix
+++ b/module/default.nix
@@ -57,6 +57,13 @@ in {
         {
           StateDirectory = "rocie";
 
+          User = "rocie";
+          Group = "rocie";
+
+          ReadOnlyPaths = [
+            cfg.secretKeyFile
+          ];
+
           # Hardening
           LockPersonality = true;
           MemoryDenyWriteExecute = true;
author	Benedikt Peetz <benedikt.peetz@b-peetz.de>	2026-03-22 15:48:35 +0100
committer	Benedikt Peetz <benedikt.peetz@b-peetz.de>	2026-03-22 15:48:35 +0100
commit	55311dd6dd0393e455d2a507b27b7778f289ded8 (patch)
tree	80165f38b0347ee5e24b6a2fa275dc8f44d8b93e
parent	fix(module): Correctly concat the systemd `ExecStart` command (diff)
download	nix-55311dd6dd0393e455d2a507b27b7778f289ded8.zip