From e4ce37362d381efc38c0a6e1eea44056f6af5ba7 Mon Sep 17 00:00:00 2001
From: Caroline Larimore <caroline@larimo.re>
Date: Thu, 25 Jul 2024 12:28:20 -0700
Subject: copenhagen: Set /secret permissions on boot

---
 hosts/copenhagen/hardware-configuration.nix | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'hosts')

diff --git a/hosts/copenhagen/hardware-configuration.nix b/hosts/copenhagen/hardware-configuration.nix
index 853c51d..061700b 100644
--- a/hosts/copenhagen/hardware-configuration.nix
+++ b/hosts/copenhagen/hardware-configuration.nix
@@ -24,6 +24,10 @@
       postDeviceCommands = lib.mkAfter ''
         zfs rollback -r zpool/root@blank && zfs rollback -r zpool/home@blank
       '';
+
+      postMountCommands = lib.mkAfter ''
+        chmod u=rw,g=,o= /secrets
+      '';
     };
 
     kernelModules = [ "kvm-intel" ];
-- 
cgit v1.2.3