Elegant way to grant filesystem permissions to services

Dear lazy-web,

As part of enforcing minimum privilege I’m trying to find an elegant way to share files with systemd services, especially DynamicUser=-enabled ones. The core conflict stems from the fact that UID/GID are not known until the service is run. There are at least two use cases:

  1. Secrets. Here, something like LoadCredential= could be used in the cases where the data can be referenced via env vars or cmdline flags. Other cases, such as a config file that specifies a literal path, need hackery where the config file is generated at runtime.
  2. Generic, pre-existing files. The easiest example is device files. They need to be made accessible in-place.

I’m looking for some “scalable” approach that can handle both. Ideally with support for POSIX ACLs, to preempt combinatorial explosions of groups to be created.

My current solution looks like this:

  # Dedicated group whose only purpose is to carry read access to the secret.
  users.groups.alertmanager-secret-access = { };

  # sops-nix provisions the secret readable by that group (owner root, mode 0440).
  sops.secrets.pw = {
    group = config.users.groups.alertmanager-secret-access.name;
    mode = "0440";
  };

  # The service picks up the group at start, whatever UID DynamicUser= assigns.
  systemd.services.alertmanager.serviceConfig.SupplementaryGroups = [ config.users.groups.alertmanager-secret-access.name ];

  # The config file references the secret by its literal path.
  services.prometheus.alertmanager.configuration.global.smtp_auth_password_file = config.sops.secrets.pw.path;

(Yes, I know alertmanager actually implements a workaround with envsubst, please ignore this for the sake of argument.)

It works but is error-prone, hard to use as a single construct, and doesn’t do ACLs (both due to sops-nix but also due to needing to mess with ExecStartPre=, presumably).

So, ultimately my question is, how have you solved this problem? Is there some nixpkgs functionality I missed? Some flake? A design pattern?
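For comparison, here is the secrets case (use case 1) handled with LoadCredential= instead of a dedicated group. This is an added example, not the poster's configuration or anything from nixpkgs or sops-nix. It assumes the service runs with DynamicUser= (or any User=; LoadCredential= does not care), that `alertmanager.service` is the unit name, and that systemd exposes the credentials directory for system services at the conventional location `/run/credentials/<unit>/`, which is what `$CREDENTIALS_DIRECTORY` points to. The credential name `smtp_pw` is chosen here, not taken from the post.

```nix
# Added example (not from the original post). The secret stays root-owned with
# the sops-nix default mode 0400: only systemd needs to read it. At service
# start systemd reads the file as root and places a copy in the service's
# credentials directory, owned by whatever (dynamic) UID the service ends up
# with. No group, no SupplementaryGroups=, no ACL fix-up in ExecStartPre=.
{ config, ... }:
{
  # No group/mode override needed; root:root 0400 is sufficient for LoadCredential=.
  sops.secrets.pw = { };

  # "<credential name>:<source path>". The source is read before privileges are
  # dropped, so it does not have to be readable by the service's user at all.
  # (Assumes the unit already runs with DynamicUser= or a static User=.)
  systemd.services.alertmanager.serviceConfig.LoadCredential = [
    "smtp_pw:${config.sops.secrets.pw.path}"
  ];

  # A config file that wants a literal path can point at the credential's
  # conventional location instead of a path whose permissions must be fixed up.
  # (Assumption: credentials live under /run/credentials/<unit>/; this is not a
  # unit file, so the %d specifier cannot be used here.)
  services.prometheus.alertmanager.configuration.global.smtp_auth_password_file =
    "/run/credentials/alertmanager.service/smtp_pw";
}
```

Two caveats a practitioner would want spelled out. First, the credential is a copy taken at service start, so rotating the secret in `/run/secrets` requires restarting the service before the new value is seen; this is the price of not granting the service access to the original file. Second, this only covers the secrets case: LoadCredential= copies file contents, so it does nothing for use case 2, where a device node must be accessed in place and the group or ACL question remains open. To confirm the wiring while the service is running, compare `systemctl show alertmanager.service -p LoadCredential` with `ls -l /run/credentials/alertmanager.service/`, which should show the credential owned by the service's UID with mode 0400.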