From 87d8571d626c0380851524ad5ce5c80b65c5bf93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Tue, 17 Feb 2026 20:17:02 +0100
Subject: [PATCH] promtail: fix vault secret ownership for loki auth

The secret file needs to be owned by promtail since Promtail runs as a dedicated user and can't read root-owned files.

Co-Authored-By: Claude Opus 4.6
---
 system/monitoring/logs.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/system/monitoring/logs.nix b/system/monitoring/logs.nix
index d3fad59..6a21a62 100644
--- a/system/monitoring/logs.nix
+++ b/system/monitoring/logs.nix
@@ -21,6 +21,8 @@ in
 vault.secrets.promtail-loki-auth = lib.mkIf config.vault.enable {
 secretPath = "shared/loki/push-auth";
 extractKey = "password";
+ owner = "promtail";
+ group = "promtail";
 services = [ "promtail" ];
 };
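Review bot: The added `owner = "promtail";` and `group = "promtail";` lines carry no comment explaining why this secret departs from the default ownership; the reason exists only in the commit message. I would put `# promtail runs as a dedicated user and cannot read root-owned secret files` directly above `owner`. The hunk also does not show which file mode the vault.secrets module applies to the extracted file. Since this is the Loki push password, it is worth confirming that the resulting file is readable by the promtail user only, and stating the permissions explicitly here if the module offers a setting for them. The attribute set is part of a larger expression that begins outside the hunk.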