From 55311dd6dd0393e455d2a507b27b7778f289ded8 Mon Sep 17 00:00:00 2001
From: Benedikt Peetz <benedikt.peetz@b-peetz.de>
Date: Sun, 22 Mar 2026 15:48:35 +0100
Subject: fix(module): Provide access to the passed in secret

---
 module/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/module/default.nix b/module/default.nix
index dff15bb..4dcb17e 100644
--- a/module/default.nix
+++ b/module/default.nix
@@ -57,6 +57,13 @@ in {
         {
           StateDirectory = "rocie";
 
+          User = "rocie";
+          Group = "rocie";
+
+          ReadOnlyPaths = [
+            cfg.secretKeyFile
+          ];
+
           # Hardening
           LockPersonality = true;
           MemoryDenyWriteExecute = true;
-- 
cgit 1.4.1