From d83c6a40ed10a2efc1952a163694ad6475e51869 Mon Sep 17 00:00:00 2001 From: Sumner Evans Date: Fri, 28 Apr 2023 14:16:52 -0600 Subject: [PATCH] doc: mention keys group Signed-off-by: Sumner Evans --- manual/src/features/keys.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/manual/src/features/keys.md b/manual/src/features/keys.md index e11db2e..393f7c7 100644 --- a/manual/src/features/keys.md +++ b/manual/src/features/keys.md @@ -34,6 +34,15 @@ To upload your secrets without performing a full deployment, use `colmena upload For each secret file deployed using `deployment.keys`, a systemd service with the name of `${name}-key.service` is created (`acme-credentials.secret-key.service` for the example above). This unit is only active when the corresponding file is present, allowing you to set up dependencies for services requiring secret files to function. +## Key Permissions + +The `/run/keys` directory is owned by the `keys` group. If you are using a +systemd service running as a non-root user, you will likely need to add: +``` +SupplementaryGroups = [ "keys" ]; +``` +to your service configuration. + ## Flakes If you are using flakes, Nix will copy the entire flake (everything tracked by git) into the Nix store during evaluation.
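Review bot: in the new "Key Permissions" section the code fence has no language tag and the snippet does not say where it belongs; `SupplementaryGroups = [ "keys" ];` is a NixOS `serviceConfig` attribute, so suggest tagging the fence as `nix` and showing the full path, e.g. `systemd.services.<name>.serviceConfig.SupplementaryGroups = [ "keys" ];`, so readers do not paste it at the top level of the service definition. It would also help to note that membership in the `keys` group only lets the service traverse `/run/keys`; each deployed key file still has to be readable by the service's user or group, which the paragraph leaves unsaid.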