services: fix permission

2026-01-12 04:39:23 +08:00 · 2024-05-04 16:33:16 +08:00
parent 4e82ca7811
commit 1d295d2cbb
3 changed files with 32 additions and 10 deletions
--- a/modules/services/hpcstat.nix
+++ b/modules/services/hpcstat.nix
@@ -66,11 +66,26 @@ inputs:
      };
      tmpfiles.rules = [ "d /var/lib/hpcstat 0700 hpcstat hpcstat" ];
    };
-    sops.secrets = { "telegram/token" = {}; "telegram/chat" = {}; "hpcstat/key" = {}; };
+    sops.secrets =
+    {
+      "telegram/token" = { group = "telegram"; mode = "0440"; };
+      "telegram/chat" = { group = "telegram"; mode = "0440"; };
+      "hpcstat/key" = { owner = "hpcstat"; group = "hpcstat"; };
+    };
    users =
    {
-      users.hpcstat = { uid = inputs.config.nixos.user.uid.hpcstat; group = "hpcstat"; isSystemUser = true; };
-      groups.hpcstat.gid = inputs.config.nixos.user.gid.hpcstat;
+      users.hpcstat =
+      {
+        uid = inputs.config.nixos.user.uid.hpcstat;
+        group = "hpcstat";
+        extraGroups = [ "telegram" ];
+        isSystemUser = true;
+      };
+      groups =
+      {
+        hpcstat.gid = inputs.config.nixos.user.gid.hpcstat;
+        telegram.gid = inputs.config.nixos.user.gid.telegram;
+      };
    };
  };
 }
--- a/modules/services/xray.nix
+++ b/modules/services/xray.nix
@@ -442,11 +442,7 @@ inputs:
          secrets = builtins.listToAttrs
            (map (n: { name = "xray-server/clients/user${toString n}"; value = {}; }) userList)
            // (builtins.listToAttrs (map
-              (name:
-              {
-                name = "telegram/${name}";
-                value = (let user = inputs.config.users.users.v2ray; in { owner = user.name; inherit (user) group; });
-              })
+              (name: { name = "telegram/${name}"; value = { group = "telegram"; mode = "0440"; }; })
              [ "token" "chat" ]))
            // { "xray-server/private-key" = {}; };
        };
@@ -509,8 +505,18 @@ inputs:
        };
        users =
        {
-          users.v2ray = { uid = inputs.config.nixos.user.uid.v2ray; group = "v2ray"; isSystemUser = true; };
-          groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
+          users.v2ray =
+          {
+            uid = inputs.config.nixos.user.uid.v2ray;
+            group = "v2ray";
+            extraGroups = [ "telegram" ];
+            isSystemUser = true;
+          };
+          groups =
+          {
+            v2ray.gid = inputs.config.nixos.user.gid.v2ray;
+            telegram.gid = inputs.config.nixos.user.gid.telegram;
+          };
        };
        nixos.services =
        {
--- a/modules/user/default.nix
+++ b/modules/user/default.nix
@@ -39,6 +39,7 @@ inputs:
      default = inputs.config.nixos.user.uid //
      {
        groupshare = 3000;
+        telegram = 3001;
      };
    };
  };