promtail: fix vault secret ownership for loki auth

The secret file needs to be owned by promtail since Promtail runs as a dedicated user and can't read root-owned files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 20:17:02 +01:00
parent 43c81f6688
commit 87d8571d62
1 changed files with 2 additions and 0 deletions
--- a/system/monitoring/logs.nix
+++ b/system/monitoring/logs.nix
@@ -21,6 +21,8 @@ in
  vault.secrets.promtail-loki-auth = lib.mkIf config.vault.enable {
    secretPath = "shared/loki/push-auth";
    extractKey = "password";
+    owner = "promtail";
+    group = "promtail";
    services = [ "promtail" ];
  };