From 1d39967f91119e021fdd9074a2349b8ed66e7dd3 Mon Sep 17 00:00:00 2001
From: macronova
Date: Sun, 1 Sep 2024 00:25:35 -0700
Subject: [PATCH] Fix secret permission
---
 linux/nebula/jellyfin.nix | 6 +-----
 linux/singularity/caddy.nix | 3 ++-
 linux/singularity/coturn.nix | 16 ++++++++++------
 3 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/linux/nebula/jellyfin.nix b/linux/nebula/jellyfin.nix
index 4076f37..ec04780 100644
--- a/linux/nebula/jellyfin.nix
+++ b/linux/nebula/jellyfin.nix
@@ -1,8 +1,4 @@
-{
- config,
- pkgs,
- ...
-}:
+{config, ...}:
 with config.constants; {
 hardware.graphics.enable = true;
diff --git a/linux/singularity/caddy.nix b/linux/singularity/caddy.nix
index 49d32d9..aa582df 100644
--- a/linux/singularity/caddy.nix
+++ b/linux/singularity/caddy.nix
@@ -7,6 +7,7 @@ with config.constants; {
 services.caddy = {
 enable = true;
 email = postMaster;
+ user = userName;
 virtualHosts = let
 acme = fqdns:
 builtins.listToAttrs (map (fqdn: {
@@ -21,10 +22,10 @@ with config.constants; {
 };
 }) fqdns);
- portStr = builtins.mapAttrs (n: v: toString v) port;
 homeSrv = s: "nebula:${portStr.${s}}";
 localSrv = s: "${localhost}:${portStr.${s}}";
 mtfqdn = "matrix.${domain}";
+ portStr = builtins.mapAttrs (n: v: toString v) port;
 wn = s: "/.well-known/${s}";
 in {
diff --git a/linux/singularity/coturn.nix b/linux/singularity/coturn.nix
index 2bb711c..567f8a6 100644
--- a/linux/singularity/coturn.nix
+++ b/linux/singularity/coturn.nix
@@ -1,8 +1,10 @@
-{config, ...}: {
- services.coturn = with config.constants; let
- acmeDir = config.security.acme.certs.${coturn-realm}.directory;
- coturn-realm = "turn.${domain}";
- in {
+{config, ...}:
+with config.constants; let
+ acmeDir = config.security.acme.certs.${coturn-realm}.directory;
+ coturn-realm = "turn.${domain}";
+ coturn-user = config.users.users.turnserver;
+in {
+ services.coturn = {
 enable = true;
 cert = "${acmeDir}/fullchain.pem";
 listening-port = port.coturn;
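Review bot: `user = userName;` in the caddy.nix hunk makes Caddy run as the account named by `userName` instead of its own dedicated service user, so the web server, whatever it stores in its data directory, and everything that account already owns now share one identity. The coturn.nix hunks in this same patch take the narrower route of keeping the service user and pointing the secret's ownership at it; the same shape would fit here, e.g. `sops.secrets.<caddy-secret>.owner = config.services.caddy.user;` (secret name is a placeholder — the Caddy secret is not visible in this hunk). Switching the service user may also leave state created under the previous user unreadable after activation; that is inferred from the change, not shown here. The `services.caddy` attribute set continues outside the hunk.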
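Review bot: `coturn-user = config.users.users.turnserver;` in the first coturn.nix hunk pins the service account by name without saying where it comes from or why it is bound here; a one-line comment above it such as `# service account (presumably created by services.coturn); bound so secret and cert ownership follow it` would save the next reader a lookup. Hoisting `with config.constants;` from the `services.coturn` value to the whole module is behaviour-preserving for the visible lines but widens the scope in which `constants` names resolve, which a short comment on the `with` line could also state. The `let … in {` body this hunk opens continues outside the hunk.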
@@ -15,5 +17,7 @@
 use-auth-secret = true;
 };
- sops.secrets.coturn = {};
+ users.users.${userName}.extraGroups = [coturn-user.group];
+ security.acme.certs.${coturn-realm}.group = coturn-user.group;
+ sops.secrets.coturn.owner = coturn-user.name;
 }
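Review bot: `users.users.${userName}.extraGroups = [coturn-user.group];` gives the interactive account membership in the turnserver group, and together with `security.acme.certs.${coturn-realm}.group = coturn-user.group;` on the next line that extends read access to the certificate directory, private key included, to that account — the other two added lines only need coturn itself to read the secret and the certificate. If nothing running as `${userName}` has to read those files, dropping the extraGroups line keeps the fix to the service user; if it is needed, a comment naming the reader (`# <what> runs as <userName> and reads <which file> — TODO confirm`) would document the wider grant. `sops.secrets.coturn.owner = coturn-user.name;` sets the owner but leaves `mode` to the module default, so spelling out `mode = "0400";` would make the intended permission explicit. The attribute set these lines belong to starts outside the hunk.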