Fix secret permission

linux/nebula/jellyfin.nix

@@ -1,8 +1,4 @@
-{
+{config, ...}:
-  config,
-  pkgs,
-  ...
-}:
 with config.constants; {
   hardware.graphics.enable = true;
 

linux/singularity/caddy.nix

@@ -7,6 +7,7 @@ with config.constants; {
   services.caddy = {
     enable = true;
     email = postMaster;
+    user = userName;
     virtualHosts = let
       acme = fqdns:
         builtins.listToAttrs (map (fqdn: {
@@ -21,10 +22,10 @@ with config.constants; {
             };
           })
           fqdns);
-      portStr = builtins.mapAttrs (n: v: toString v) port;
       homeSrv = s: "nebula:${portStr.${s}}";
       localSrv = s: "${localhost}:${portStr.${s}}";
       mtfqdn = "matrix.${domain}";
+      portStr = builtins.mapAttrs (n: v: toString v) port;
       wn = s: "/.well-known/${s}";
     in
       {

linux/singularity/coturn.nix

@@ -1,8 +1,10 @@
-{config, ...}: {
+{config, ...}:
-  services.coturn = with config.constants; let
+with config.constants; let
-    acmeDir = config.security.acme.certs.${coturn-realm}.directory;
+  acmeDir = config.security.acme.certs.${coturn-realm}.directory;
-    coturn-realm = "turn.${domain}";
+  coturn-realm = "turn.${domain}";
-  in {
+  coturn-user = config.users.users.turnserver;
+in {
+  services.coturn = {
     enable = true;
     cert = "${acmeDir}/fullchain.pem";
     listening-port = port.coturn;
@@ -15,5 +17,7 @@
     use-auth-secret = true;
   };
 
-  sops.secrets.coturn = {};
+  users.users.${userName}.extraGroups = [coturn-user.group];
+  security.acme.certs.${coturn-realm}.group = coturn-user.group;
+  sops.secrets.coturn.owner = coturn-user.name;
 }