fix /etc/secrets.d permissions

pkgs/sops-install-secrets/main.go

@@ -146,14 +146,15 @@ func mountSecretFs(mountpoint string, keysGid int) error {
 	if err := os.MkdirAll(mountpoint, 0750); err != nil {
 		return fmt.Errorf("Cannot create directory '%s': %s", mountpoint, err)
 	}
-	if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
-		return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %s", mountpoint, keysGid, err)
-	}
 
 	if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0750"); err != nil {
 		return fmt.Errorf("Cannot mount: %s", err)
 	}
 
+	if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
+		return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %s", mountpoint, keysGid, err)
+	}
+
 	return nil
 }
 

pkgs/sops-install-secrets/nixos-test.nix

@@ -28,7 +28,7 @@
      imports = [ ../../modules/sops ];
       sops.gnupgHome = "/run/gpghome";
       sops.defaultSopsFile = ./test-assets/secrets.yaml;
-      sops.secrets.test_key = {};
+      sops.secrets.test_key.owner = "nobody";
       # must run before sops
       system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
         cp -r ${./test-assets/gnupghome} /run/gpghome
@@ -45,6 +45,9 @@
    testScript = ''
      start_all()
      server.succeed("cat /run/secrets/test_key | grep -q test_value")
+     server.succeed("runuser -u nobody -G keys -- cat /run/secrets/test_key >&2")
+     # should have no permission to read the file
+     server.fail("runuser -u nobody -- cat /run/secrets/test_key >&2")
    '';
  } {
    inherit pkgs;