From f0b4b627cc99dbba6b357a6ee16c5da15b38feae Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 29 Aug 2024 23:10:22 +0200
Subject: [PATCH] Fix secret permissions in nextcloud container
---
 hosts/stratus/containers/nextcloud/default.nix | 3 +--
 hosts/stratus/containers/nextcloud/email-server.nix | 2 +-
 hosts/stratus/containers/nextcloud/nextcloud.nix | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/hosts/stratus/containers/nextcloud/default.nix b/hosts/stratus/containers/nextcloud/default.nix
index d7716e9..0c95691 100644
--- a/hosts/stratus/containers/nextcloud/default.nix
+++ b/hosts/stratus/containers/nextcloud/default.nix
@@ -10,8 +10,7 @@
 autoStart = true;
 ephemeral = true;
 bindMounts = {
- "/run/secrets/nextcloud/admin-password" = { };
- "/run/secrets/nextcloud/gmail-password" = { };
+ "/run/secrets/nextcloud".isReadOnly = false;
 "/run/secrets/tailscale-auth-key" = { };
 "/data/nextcloud".isReadOnly = false;
 "/data/postgresql".isReadOnly = false;
diff --git a/hosts/stratus/containers/nextcloud/email-server.nix b/hosts/stratus/containers/nextcloud/email-server.nix
index d3f21e0..c79dc30 100644
--- a/hosts/stratus/containers/nextcloud/email-server.nix
+++ b/hosts/stratus/containers/nextcloud/email-server.nix
@@ -1,5 +1,5 @@
 {
- systemd.tmpfiles.rules = [ "d /run/secrets/nextcloud/gmail-password 400 nextcloud nextcloud -" ];
+ systemd.tmpfiles.rules = [ "z /run/secrets/nextcloud/gmail-password 400 nextcloud nextcloud -" ];
 services.nextcloud.settings = {
 mail_smtpmode = "sendmail";
diff --git a/hosts/stratus/containers/nextcloud/nextcloud.nix b/hosts/stratus/containers/nextcloud/nextcloud.nix
index 2763ed1..8294370 100644
--- a/hosts/stratus/containers/nextcloud/nextcloud.nix
+++ b/hosts/stratus/containers/nextcloud/nextcloud.nix
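Review bot: The new entry `"/run/secrets/nextcloud".isReadOnly = false;` mounts the host's whole secret directory writable into the container, where the two removed entries named two individual files and did not set `isReadOnly = false`. A root process inside the container can now overwrite or replace those host-side secrets, and any file later placed under that directory is exposed too. The writable mount is presumably there so the tmpfiles `z` rules in email-server.nix and nextcloud.nix can change ownership; if the host-side secret provisioning can set owner and mode itself, the mount could stay read-only. Otherwise a comment such as `# writable only so tmpfiles can chown the secrets inside the container` would record the trade-off. The `bindMounts` block starts and ends outside the hunk.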
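Review bot: The `z` rule for `/run/secrets/nextcloud/gmail-password` acts on a bind-mounted host file, so the owner and mode change lands on the host's copy. It is stored as the container's numeric `nextcloud` uid, which the host may map to a different account or to none, and the same applies to the `admin-password` rule in nextcloud.nix. `z` also only adjusts a path that already exists, so a missing secret surfaces later, when the service fails to read it. A comment above each rule would make this explicit, for example `# z: fix owner/mode of the bind-mounted secret (modifies the host file); does not create it`, and writing the mode as `0400` matches the usual tmpfiles notation.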
@@ -4,7 +4,7 @@
 ...
 }:
 {
- systemd.tmpfiles.rules = [ "d /run/secrets/nextcloud/admin-password 400 nextcloud nextcloud -" ];
+ systemd.tmpfiles.rules = [ "z /run/secrets/nextcloud/admin-password 400 nextcloud nextcloud -" ];
 services.postgresql.dataDir = "/data/postgresql";