authorShea Levy <shea@shealevy.com>2014-02-11 07:00:10 -0500
committerShea Levy <shea@shealevy.com>2014-02-11 07:00:10 -0500
commit4ab5646417e3cc606281f71027c12ddced8b65b4 (patch)
treeadd9660ab03d4f30ef0c00872ef795bfa80b617b /nixos
parent8f64e74414e683767e5c603a57007de45c0b0501 (diff)
Add a keys group with read access to /run/keys
This allows processes running as unprivileged users (members of the new group) to read keys they might need from /run/keys.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/misc/ids.nix1
-rw-r--r--nixos/modules/system/boot/stage-2-init.sh3
-rw-r--r--nixos/modules/system/boot/systemd.nix2
3 files changed, 5 insertions, 1 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 51da1a2cfce0..5f8111eb986b 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -201,6 +201,7 @@
       openldap = 93;
       connman = 94;
       munin = 95;
+      keys = 96;
 
       # When adding a gid, make sure it doesn't match an existing uid.
 
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index e0ff258c0eec..b749172a3ff3 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -136,7 +136,8 @@ fi
 # elsehwere)
 if ! mountpoint -q /run/keys; then
     rm -rf /run/keys
-    mkdir -m 0700 /run/keys
+    mkdir -m 0750 /run/keys
+    chown root:keys /run/keys
     mount -t ramfs none /run/keys
 fi
 
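Review bot: The `chown root:keys` on the new line runs before `mount -t ramfs none /run/keys`, so it (and the `0750` mode from the `mkdir` above it) is applied to the underlying mountpoint directory, which the ramfs then covers; the root directory of the freshly mounted ramfs gets its own ownership and mode (root:root and, unless `-o mode=` is passed, ramfs's default of 0755, if I recall the driver correctly), so the group access this commit intends is not what ends up visible at /run/keys, and the directory listing may be more permissive than intended. I would set the mode on the mount and apply the ownership after it: `mount -t ramfs -o mode=0750 none /run/keys` followed by `chown root:keys /run/keys`. Note also that the whole block is skipped when /run/keys is already a mountpoint, so a system that activates this change without rebooting presumably keeps its old ownership until the next boot; that is worth a comment, e.g. `# Ownership/mode must be applied to the mounted ramfs, not the mountpoint beneath it.`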
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index b575deb24b7b..e0773c1fab42 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -645,6 +645,8 @@ in
       '';
 
     # Target for ‘charon send-keys’ to hook into.
+    users.extraGroups.keys.gid = config.ids.gids.keys;
+
     systemd.targets.keys =
       { description = "Security Keys";
       };
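Review bot: The new `users.extraGroups.keys.gid` assignment is inserted directly beneath the comment "Target for ‘charon send-keys’ to hook into", separating that comment from the `systemd.targets.keys` definition it describes, so the comment now reads as if it documented the group. I would move the assignment above the comment and give it its own line of documentation, e.g. `# Group granted read access to /run/keys (see stage-2-init.sh); keep in sync with ids.nix.`, leaving the target comment attached to the target. The enclosing attribute set continues outside the hunk.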