This commit is contained in:
Harivansh Rathi 2026-03-30 21:13:10 -04:00
parent f38c272269
commit 1dc4ed5f1a
20 changed files with 349 additions and 112 deletions

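--- /dev/null
+++ b/home/security.nix
@@ -0,0 +1,26 @@
+{
+config,
+lib,
+...
+}:
+{
+home.activation.secretPermissions = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+if [ -d "${config.home.homeDirectory}/.ssh" ]; then
+$DRY_RUN_CMD chmod 700 "${config.home.homeDirectory}/.ssh"
+for f in "${config.home.homeDirectory}/.ssh/"*; do
+[ -f "$f" ] || continue
+[ -L "$f" ] && continue
+case "$f" in
+*.pub|*/known_hosts|*/known_hosts.old)
+$DRY_RUN_CMD chmod 644 "$f" ;;
+*)
+$DRY_RUN_CMD chmod 600 "$f" ;;
+esac
+done
+fi
+if [ -d "${config.home.homeDirectory}/.gnupg" ]; then
+$DRY_RUN_CMD find "${config.home.homeDirectory}/.gnupg" -type d -exec chmod 700 {} +
+$DRY_RUN_CMD find "${config.home.homeDirectory}/.gnupg" -type f -exec chmod 600 {} +
+fi
+'';
+}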
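Review bot: The `.ssh` branch only tightens regular files directly under `~/.ssh` — the glob does not descend and `[ -f "$f" ] || continue` skips subdirectories — so key material kept in a subdirectory (a `config.d/` or a per-host key folder) keeps whatever mode it arrived with, whereas the `.gnupg` branch below recurses with `find`. Making the two branches symmetric closes that gap; with find's default `-P`, symlinks are neither matched by `-type f` nor followed, so the exclusion that `[ -L "$f" ] && continue` provides today is preserved, and the trailing slash on the start path keeps a symlinked `~/.ssh` traversable. The symlink skip also deserves a comment, e.g. `# skip symlinked files: presumably home-manager links into the read-only store, where chmod would fail` — the reason is inferred, so confirm it before committing the wording. Whether a single failed chmod aborts the whole activation depends on the shell options home-manager sets around this snippet, which are outside the hunk.
```nix
home.activation.secretPermissions = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
  if [ -d "${config.home.homeDirectory}/.ssh" ]; then
    $DRY_RUN_CMD chmod 700 "${config.home.homeDirectory}/.ssh"
    # Recurse like the .gnupg branch; default -P leaves symlinked (store-managed) entries alone.
    $DRY_RUN_CMD find "${config.home.homeDirectory}/.ssh/" -mindepth 1 -type d -exec chmod 700 {} +
    $DRY_RUN_CMD find "${config.home.homeDirectory}/.ssh/" -type f \
      \( -name '*.pub' -o -name known_hosts -o -name known_hosts.old \) -exec chmod 644 {} +
    $DRY_RUN_CMD find "${config.home.homeDirectory}/.ssh/" -type f \
      ! -name '*.pub' ! -name known_hosts ! -name known_hosts.old -exec chmod 600 {} +
  fi
  # … unchanged: .gnupg branch …
'';
```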