Hi Nix Devs,

I'm currently implementing the deployment.keys approach to secure my web
projects (php, node, ...). I've managed to have all keys exported to
/run/keys, but since the php process is running with the user:group
nginx:nginx, it has no access to the /run/keys folder.

Adding extraGroups = [ "keys" ] to users.extraUsers.nginx fixes access to
/run/keys.
Each key has by default the user:group root:root and permission "0600".
When adding the group = "keys" and permissions = "0640" to each key in
deployment.keys everything works as expected.

Is there a way to define a default group and permissions for all keys
without me specifying this for each key individually?
I currently have well over 200 keys per machine, so adding the group and
permissions for each key is quite elaborate...

As a secondary question:
Since I'm no security expert, I was wondering what the security impact is
of making Nginx part of the keys group and allowing it read-access to
/run/keys.


Kind regards,

Eirk aka 4levels
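One way to give every key the same group and permissions without repeating them per entry, as an added example that is not part of the original message or of NixOps itself: wrap the key set in a small helper that merges a shared defaults attrset into each entry with `lib.mapAttrs`. The machine name `webserver`, the helper name `mkKeys`, and the key names and contents are placeholders; the `user`, `group`, `permissions`, `text` and `keyFile` options are the existing `deployment.keys.<name>.*` options, and the defaults used here are the `group = "keys"` / `permissions = "0640"` values from the post.

```nix
# Added example (not from the original message): apply one set of defaults to
# every entry in deployment.keys instead of repeating group/permissions per key.
# Assumes a NixOps network expression; the machine name "webserver" and the
# key names/contents below are placeholders.
let
  # Defaults applied to each key: owned by root, readable by the "keys" group,
  # matching the per-key settings described in the post.
  keyDefaults = {
    user = "root";
    group = "keys";
    permissions = "0640";
  };

  # Turn an attrset of { name = "secret text"; } or { name = { keyFile = ...; }; }
  # into full deployment.keys entries with the defaults merged in. Because the
  # per-key attrset is on the right of `//`, an explicit setting on a key still
  # overrides the defaults.
  mkKeys = lib: keys:
    lib.mapAttrs (name: value:
      keyDefaults // (if builtins.isString value then { text = value; } else value)
    ) keys;
in
{
  network.description = "web servers with shared key defaults";

  webserver = { config, lib, pkgs, ... }: {
    # Let nginx (which runs the php processes) read group-readable keys in
    # /run/keys, as in the post.
    users.users.nginx.extraGroups = [ "keys" ];

    deployment.keys = mkKeys lib {
      # Placeholder keys; real values would come from keyFile or text.
      "db-password" = "placeholder-db-password";
      "api-token"   = { keyFile = ./secrets/api-token; };
      # A key that should stay root-only keeps the stock 0600 via an override.
      "root-only"   = { text = "placeholder"; group = "root"; permissions = "0600"; };
    };
  };
}
```

The override on `"root-only"` shows the trade-off behind the secondary question: keys that only root-level services need can keep the default `root:root` / `0600`, so adding nginx to the `keys` group exposes only the keys that were deliberately made group-readable rather than everything under /run/keys.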
_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
