From f8ae3b58167eecfb26593820f2754c5c9eebc333 Mon Sep 17 00:00:00 2001
From: Jan Kremer <mail@jankremer.eu>
Date: Sat, 28 Mar 2026 14:05:02 +0100
Subject: [PATCH] Fix secret permissions

---
 modules/nixos/forgejo.nix   | 5 ++++-
 modules/nixos/navidrome.nix | 1 -
 modules/nixos/paperless.nix | 5 ++++-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/modules/nixos/forgejo.nix b/modules/nixos/forgejo.nix
index 69ee62d..0c5c0ed 100644
--- a/modules/nixos/forgejo.nix
+++ b/modules/nixos/forgejo.nix
@@ -7,7 +7,10 @@ in
     file = ../../modules/secrets/forgejo-mailer.age;
     owner = "forgejo";
   };
-  age.secrets.forgejo-runner.file = ../../modules/secrets/forgejo-runner.age;
+  age.secrets.forgejo-runner = {
+    file = ../../modules/secrets/forgejo-runner.age;
+    owner = "gitea-runner";
+  };
 
   services = {
     forgejo = {
diff --git a/modules/nixos/navidrome.nix b/modules/nixos/navidrome.nix
index 4b0515e..0cc13d6 100644
--- a/modules/nixos/navidrome.nix
+++ b/modules/nixos/navidrome.nix
@@ -18,7 +18,6 @@
           identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
           secrets."tailscale" = {
             file = ../secrets/tailscale.age;
-            mode = "400";
             owner = "tailscale";
           };
         };
diff --git a/modules/nixos/paperless.nix b/modules/nixos/paperless.nix
index 59f5cb8..47cc9be 100644
--- a/modules/nixos/paperless.nix
+++ b/modules/nixos/paperless.nix
@@ -1,6 +1,9 @@
 { config, ... }:
 {
-  age.secrets.paperless-admin.file = ../secrets/paperless-admin.age;
+  age.secrets.paperless-admin = {
+    file = ../secrets/paperless-admin.age;
+    owner = "paperless";
+  };
 
   services.paperless = {
     enable = true;