security: start setting permissions on secrets properly

2025-12-01 23:53:27 +01:00 · 2025-12-01 23:53:27 +01:00 · ad9862019c
commit ad9862019c
parent 01fb6d8ec9
11 changed files with 126 additions and 53 deletions
--- a/modules/server/factorio-server.nix
+++ b/modules/server/factorio-server.nix
@ -20,21 +20,25 @@
            inherit sopsFile;
          };
        };
-        templates."extraSettingsFile.json".content = ''
-          {
-            "name": "Pyanodons Holli",
-            "description": "Trying to run a factorio-headless-server on my nix system",
-            "tags": ["vanilla"],
-            "max_players": 10,
-            "game_password": "${config.sops.placeholder."factorio/game_password"}",
-            "allow_commands": "admins-only",
-            "autosave_slots": 5,
-            "ignore_player_limit_for_returning_players": true,
-            "username" : "${config.sops.placeholder."factorio/username"}",
-            "token": "${config.sops.placeholder."factorio/token"}"
-          }
-        '';
-        templates."extraSettingsFile.json".mode = "0444";
+        templates."extraSettingsFile.json" = {
+          content = ''
+            {
+              "name": "Pyanodons Holli",
+              "description": "Trying to run a factorio-headless-server on my nix system",
+              "tags": ["vanilla"],
+              "max_players": 10,
+              "game_password": "${config.sops.placeholder."factorio/game_password"}",
+              "allow_commands": "admins-only",
+              "autosave_slots": 5,
+              "ignore_player_limit_for_returning_players": true,
+              "username" : "${config.sops.placeholder."factorio/username"}",
+              "token": "${config.sops.placeholder."factorio/token"}"
+            }
+          '';
+          mode = "0400";
+          owner = "factorio";
+          group = "factorio";
+        };
      };

      systemd.tmpfiles.rules = [