From 0a30dbdfabf3ab482f6b7d3e063f26536ce6d642 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?=
Date: Sun, 12 Nov 2023 18:19:07 +0100
Subject: [PATCH] chore: set correct permissions for secrets
---
 hosts/pie/backup.nix | 4 ++--
 hosts/pie/firefly.nix | 8 ++++----
 hosts/pie/invoiceplane.nix | 4 ++--
 hosts/pie/paperless.nix | 4 ++--
 users/b12f/concepts-and-training.nix | 4 ++--
 5 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/hosts/pie/backup.nix b/hosts/pie/backup.nix
index cc600e6..b962929 100644
--- a/hosts/pie/backup.nix
+++ b/hosts/pie/backup.nix
@@ -11,11 +11,11 @@ in {
 age.secrets."rclone-pie.conf" = {
 file = "${flake.self}/secrets/rclone-pie.conf.age";
 path = "/root/.config/rclone/rclone.conf";
- mode = "600";
+ mode = "400";
 };
 age.secrets."restic-password" = {
 file = "${flake.self}/secrets/restic-password.age";
- mode = "600";
+ mode = "400";
 };
 }
diff --git a/hosts/pie/firefly.nix b/hosts/pie/firefly.nix
index 9f9af64..923405a 100644
--- a/hosts/pie/firefly.nix
+++ b/hosts/pie/firefly.nix
@@ -11,22 +11,22 @@ in {
 age.secrets."firefly-secrets.env" = {
 file = "${flake.self}/secrets/firefly-secrets.env.age";
- mode = "600";
+ mode = "400";
 };
 age.secrets."firefly-db-secrets.env" = {
 file = "${flake.self}/secrets/firefly-db-secrets.env.age";
- mode = "600";
+ mode = "400";
 };
 age.secrets."firefly-importer-secrets.env" = {
 file = "${flake.self}/secrets/firefly-importer-secrets.env.age";
- mode = "600";
+ mode = "400";
 };
 age.secrets."firefly-cron-secrets.env" = {
 file = "${flake.self}/secrets/firefly-cron-secrets.env.age";
- mode = "600";
+ mode = "400";
 };
 services.caddy = {
diff --git a/hosts/pie/invoiceplane.nix b/hosts/pie/invoiceplane.nix
index 4755df6..97890de 100644
--- a/hosts/pie/invoiceplane.nix
+++ b/hosts/pie/invoiceplane.nix
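Review bot: The `rclone-pie.conf` and `restic-password` declarations in the hosts/pie/backup.nix hunk are repeated attribute for attribute in the hosts/pie/paperless.nix hunk, so this permission change had to be made twice and the two copies must be kept identical by hand. Declaring both secrets once in a module that both files import would leave a single place to audit. Separately, `mode = "400"` matches what I understand to be the agenix default (`"0400"`, owner root), so the line could be dropped here and in the firefly.nix and invoiceplane.nix hunks. For secrets that set no `owner`, the file is root-owned and a root process with default capabilities is not restricted by the mode bits, so the effective access control in those entries is `owner`/`group` rather than 600 versus 400. The enclosing attribute set starts outside the hunk.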
@@ -11,13 +11,13 @@ in {
 age.secrets."invoiceplane-db-password" = {
 file = "${flake.self}/secrets/invoiceplane-db-password.age";
- mode = "600";
+ mode = "400";
 owner = "invoiceplane";
 };
 age.secrets."invoiceplane-db-secrets.env" = {
 file = "${flake.self}/secrets/invoiceplane-db-secrets.env.age";
- mode = "600";
+ mode = "400";
 };
 services.invoiceplane.sites."invoicing.b12f.io" = {
diff --git a/hosts/pie/paperless.nix b/hosts/pie/paperless.nix
index 60bb61e..5b17cdc 100644
--- a/hosts/pie/paperless.nix
+++ b/hosts/pie/paperless.nix
@@ -64,12 +64,12 @@ in {
 age.secrets."rclone-pie.conf" = {
 file = "${flake.self}/secrets/rclone-pie.conf.age";
 path = "/root/.config/rclone/rclone.conf";
- mode = "600";
+ mode = "400";
 };
 age.secrets."restic-password" = {
 file = "${flake.self}/secrets/restic-password.age";
- mode = "600";
+ mode = "400";
 };
 services.restic.backups = {
diff --git a/users/b12f/concepts-and-training.nix b/users/b12f/concepts-and-training.nix
index f0e245a..65b80cc 100644
--- a/users/b12f/concepts-and-training.nix
+++ b/users/b12f/concepts-and-training.nix
@@ -11,13 +11,13 @@ with lib; let in {
 age.secrets."cat-test.ovpn" = {
 file = "${flake.self}/secrets/cat-test.ovpn.age";
- mode = "700";
+ mode = "400";
 owner = psCfg.user.name;
 };
 age.secrets.".fwknoprc" = {
 file = "${flake.self}/secrets/.fwknoprc.age";
- mode = "600";
+ mode = "400";
 };
 services.openvpn.servers = {
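Review bot: In users/b12f/concepts-and-training.nix, `age.secrets.".fwknoprc"` sets no `owner`, so under the agenix defaults as I understand them the decrypted file belongs to root, and with `mode = "400"` the account named by `psCfg.user.name` cannot read it. That differs from `cat-test.ovpn` just above, which sets `owner = psCfg.user.name;`. If the fwknop client is meant to run as that user, add `owner = psCfg.user.name;` to this secret; if only root uses it, a one-line comment such as `# root-only: used by the system unit, not the user session` would make the difference deliberate. Conversely, if `cat-test.ovpn` is consumed only by the `services.openvpn.servers` block that begins at the end of the hunk, it may not need to be readable by the user account at all; that depends on configuration outside the hunk.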