Hardening

nixosModules/eko.nix

@@ -26,7 +26,8 @@
     ];
 
     # Allow grafana access to the sqlite db
-    systemd.services.eko.serviceConfig.StateDirectoryMode = lib.mkForce 0755;
+    users.users.eko.extraGroups = [ "grafana" ];
+    systemd.services.eko.serviceConfig.StateDirectoryMode = lib.mkForce 0750;
     systemd.services.grafana = {
       serviceConfig = {
         ProtectHome = lib.mkForce false;