claude'd better security things
12
zfs.nix
12
zfs.nix
@@ -1,4 +1,5 @@
|
||||
{
|
||||
config,
|
||||
service_configs,
|
||||
pkgs,
|
||||
...
|
||||
@@ -10,13 +11,14 @@ let
|
||||
in
|
||||
{
|
||||
system.activationScripts = {
|
||||
# TODO! replace with proper secrets management
|
||||
# Copy decrypted ZFS key from agenix to expected location
|
||||
# /etc is on tmpfs due to impermanence, so no persistent storage risk
|
||||
"zfs-key".text = ''
|
||||
#!/bin/sh
|
||||
rm -fr ${zfs-key} || true
|
||||
cp ${./secrets/zfs-key} ${zfs-key}
|
||||
chmod 0500 ${zfs-key}
|
||||
chown root:wheel ${zfs-key}
|
||||
rm -f ${zfs-key} || true
|
||||
cp ${config.age.secrets.zfs-key.path} ${zfs-key}
|
||||
chmod 0400 ${zfs-key}
|
||||
chown root:root ${zfs-key}
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
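Review bot: The new copy sequence still has a window in which the key file exists with whatever mode `cp` gives it (inherited from the source, masked by the umask) before `chmod 0400` and `chown root:root` run, and `rm -f ${zfs-key} || true` is redundant because `rm -f` already succeeds on a missing path. Replacing the four commands with `install -m 0400 -o root -g root ${config.age.secrets.zfs-key.path} ${zfs-key}` creates the destination with its final mode and owner in one step, and a leading `umask 077` would cover anything else the script creates. The script also assumes the agenix-decrypted file already exists when this activation script runs; if that ordering is not guaranteed elsewhere, declare it through the activation script's `deps` attribute rather than relying on alphabetical order. The `zfs-key` binding and the `/etc` tmpfs claim in the new comment come from the `let` block outside this hunk, so neither can be verified from the diff.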