Using sops-nix, NixOS stable 24.11. In secrets.yaml I have this section:
```yaml
postgres:
  admin_pass: ...
  joplin_pass: ...
  opengist_pass: ...
  gitea_pass: ...
  atuin_pass: ...
  ...etc...
```
Then in postgres.nix I have:
```nix
sops.secrets = {
  "postgres/admin_pass"    = { owner = config.users.users.postgres.name; };
  "postgres/joplin_pass"   = { owner = config.users.users.postgres.name; };
  "postgres/opengist_pass" = { owner = config.users.users.postgres.name; };
  "postgres/gitea_pass"    = { owner = config.users.users.postgres.name; };
};
```
Everything was fine until I decided to auto-create/update roles/passwords. So I did:
```bash
while IFS= read -r -d "" file; do
  #### some processing
done < <(find /run/secrets/postgres -type f -print0)
```
However, although user postgres can read the individual files, it can’t list the files in the /run/secrets/postgres directory!
For now I just added this, but there surely must be a proper way to declare directory access rights in sops-nix?
```nix
systemd.tmpfiles.rules = [
  "d /run/secrets.d/1/postgres 0550 postgres postgres - -"
];
```
Ideas?
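An added example (not from the original post, and not sops-nix's own code) of the loop body written so that it never needs to list the directory: the roles are named explicitly, as they already are in the sops.secrets block, each password file is read directly (read permission on the file is enough), and the password is quoted as a SQL string literal and fed to psql on stdin rather than on the command line. The PG_ROLES list and the file layout `<dir>/<role>_pass` are assumptions; demo_secrets_dir builds a constructed stand-in for /run/secrets/postgres so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example: build the ALTER ROLE statements that sync PostgreSQL role
# passwords from sops-nix secret files without listing the secrets directory.
set -eu

# Roles whose passwords live in <secrets_dir>/<role>_pass. This mirrors the
# "postgres/<role>_pass" keys declared in sops.secrets (assumed list).
PG_ROLES="joplin opengist gitea"

# Quote a value as a SQL string literal: every ' becomes ''. Assumes the
# server default standard_conforming_strings=on, so backslashes are literal.
sql_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Print the ALTER ROLE statement for one role. Only read access to the file
# is needed; the directory itself does not have to be listable. Role names
# come from the fixed PG_ROLES list, so they are safe inside "...".
role_password_sql() {
  local role="$1" secrets_dir="$2" file pass
  file="$secrets_dir/${role}_pass"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  pass=$(cat "$file")   # command substitution drops trailing newlines
  printf 'ALTER ROLE "%s" WITH PASSWORD %s;\n' "$role" "$(sql_quote "$pass")"
}

# Emit statements for every role. Pipe the output into psql on stdin so the
# passwords never appear in process arguments or the shell history, e.g.:
#   all_role_sql /run/secrets/postgres | psql -v ON_ERROR_STOP=1 -d postgres
all_role_sql() {
  local dir="$1" role
  for role in $PG_ROLES; do
    role_password_sql "$role" "$dir"
  done
}

# Constructed sample secrets (a stand-in for /run/secrets/postgres) so the
# example can be exercised without sops-nix. Prints the directory path.
demo_secrets_dir() {
  local d
  d=$(mktemp -d)
  printf '%s' "hunter2" > "$d/joplin_pass"
  printf '%s' "it's;DROP ROLE x;--" > "$d/opengist_pass"   # quote-injection attempt
  printf '%s\n' "tr4iling-newline" > "$d/gitea_pass"      # file with trailing newline
  chmod 0440 "$d"/*_pass
  printf '%s' "$d"
}
```

Running `all_role_sql "$(demo_secrets_dir)"` shows the opengist password emitted as `'it''s;DROP ROLE x;--'`, i.e. the embedded quote is neutralised rather than terminating the literal.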