hosts/plover: update Bind secrets permission

2025-04-19 00:19:11 +00:00 · 2023-06-29 09:46:35 +08:00 · 2023-06-29 09:46:35 +08:00 · 9c3d3901ab
commit 9c3d3901ab
parent a8aef35c5c
1 changed files with 8 additions and 9 deletions
--- a/hosts/plover/modules/services/bind.nix
+++ b/hosts/plover/modules/services/bind.nix
@ -14,8 +14,6 @@ let
    (lib.attrValues secondaryNameServers);
  secondaryNameServersIPs = secondaryNameServersIPv4 ++ secondaryNameServersIPv6;
  serviceUser = config.users.users.named.name;
  domainZone = pkgs.substituteAll {
    src = ../../config/dns/${domain}.zone;
    ploverWANIPv4 = interfaces.wan.IPv4.address;
@ -67,16 +65,17 @@ in
              "plover/${secret}"
              ((getKey secret) // config))
          secrets;
      dnsFileAttribute = {
        owner = config.users.users.named.name;
        group = config.users.users.named.group;
        mode = "0400";
      };
    in
    getSecrets {
-      "dns/${domain}/mailbox-security-key" = { };
+      "dns/${domain}/mailbox-security-key" = dnsFileAttribute;
-      "dns/${domain}/mailbox-security-key-record" = { };
+      "dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
-
+      "dns/${domain}/rfc2136-key" = dnsFileAttribute // {
      "dns/${domain}/rfc2136-key" = {
        owner = serviceUser;
        group = "root";
        reloadUnits = [ "bind.service" ];
        mode = "0400";
      };
    };