2024-02-08 12:11:04 +00:00
{ writeTextFile, cfg }:
Do not render templates when decrypting `neededForUsers` secrets

This fixes https://github.com/Mic92/sops-nix/issues/659

In https://github.com/Mic92/sops-nix/pull/649, we started rendering
templates twice:

1. When rendering `neededForUsers` secrets (if there are any
   `neededForUsers` secrets).
2. When decrypting "regular" secrets.

This alone was weird and wrong, but didn't cause issues for people until
https://github.com/Mic92/sops-nix/pull/655, which triggered
https://github.com/Mic92/sops-nix/issues/659. The cause is not super obvious:

1. When rendering `neededForUsers` secrets, we'd generate templates in
   `/run/secrets-for-users/rendered`.
2. However, the `path` for these templates is in `/run/secrets/rendered`,
   which is not inside of the `/run/secrets-for-users` directory we're
   dealing with, so we'd generate a symlink from `/run/secrets/rendered/<foo>`
   to `/run/secrets-for-users/rendered/<foo>`, which required making the
   parent directory of the symlink (`/run/secrets/rendered/`).
3. This breaks sops-nix's assumption that `/run/secrets` either doesn't
   exist, or is a symlink, and you get the symptoms described in
   <https://github.com/Mic92/sops-nix/issues/659>.

Reproducing this in a test was straightforward: just expand our existing
template test to also have a `neededForUsers` secret.

Fixing this was also straightforward: don't render templates during the
`neededForUsers` phase (if we want to add support for `neededForUsers`
templates in the future, that would be straightforward to do, but I opted
not to do that here).
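The invariant the commit message relies on (`/run/secrets` is either absent or a symlink) and the `symlinkPath`, `secretsMountPoint` and `keepGenerations` fields of the manifest below, modelled as an added shell example. This is not sops-nix's code and not how `sops-install-secrets` is implemented: the scratch root standing in for `/run`, the generation switch via `ln -sfn`, the pruning routine and the `simulate_early_phase_with_templates` reproduction of the PR 649 behaviour are all assumptions made for illustration. What it shows is the check a practitioner would want before repointing the symlink, and what `ln` actually does when that check is skipped and a real directory is sitting at the symlink path.

```sh
#!/bin/sh
# Added illustration, not sops-nix code. Models the manifest fields
# symlinkPath (/run/secrets), secretsMountPoint (/run/secrets.d) and
# keepGenerations under a scratch root, and shows why the commit message
# needs symlinkPath to be absent or a symlink, never a real directory.
set -eu

KEEP=2                      # keepGenerations; 0 would disable pruning
CLEANUP=""
trap 'rm -rf $CLEANUP' EXIT

# New scratch root standing in for /run (assumption: GNU or BSD userland).
fresh_root() {
  ROOT="$(mktemp -d)"
  SECRETS_D="$ROOT/secrets.d"     # secretsMountPoint
  SECRETS="$ROOT/secrets"         # symlinkPath
  CLEANUP="$CLEANUP $ROOT"
}

# The invariant from the commit message: the path is missing or a symlink.
symlink_path_ok() {
  [ ! -e "$1" ] || [ -L "$1" ]
}

# Name of the generation symlinkPath currently points at (empty if none).
current_generation() {
  if [ -L "$SECRETS" ]; then basename "$(readlink "$SECRETS")"; else echo ""; fi
}

# Drop all but the KEEP highest-numbered generation directories.
prune_generations() {
  [ "$KEEP" -gt 0 ] || return 0
  n=$(ls "$SECRETS_D" | grep -cE '^[0-9]+$' || true)
  drop=$((n - KEEP))
  [ "$drop" -gt 0 ] || return 0
  ls "$SECRETS_D" | grep -E '^[0-9]+$' | sort -n | head -n "$drop" |
    while read -r g; do rm -rf "$SECRETS_D/$g"; done
}

# Install generation $1 and repoint symlinkPath at it. Refuses (exit 2) when
# the invariant is broken: ln would otherwise drop the link *inside* the
# directory instead of replacing it, and readers of symlinkPath/<name>
# would keep seeing whatever is in that stale directory.
install_generation() {
  gen="$1"
  if ! symlink_path_ok "$SECRETS"; then
    echo "refusing: $SECRETS exists and is not a symlink" >&2
    return 2
  fi
  mkdir -p "$SECRETS_D/$gen"
  printf 'value-for-generation-%s\n' "$gen" > "$SECRETS_D/$gen/example"
  ln -sfn "$SECRETS_D/$gen" "$SECRETS"
  prune_generations
}

# Constructed reproduction of the mechanism the commit describes: during the
# neededForUsers phase the template is rendered under secrets-for-users, but
# its `path` is under symlinkPath, so the parent of that symlink is created
# as a real directory before any generation exists.
simulate_early_phase_with_templates() {
  mkdir -p "$ROOT/secrets-for-users/rendered"
  printf 'rendered\n' > "$ROOT/secrets-for-users/rendered/foo"
  mkdir -p "$SECRETS/rendered"     # symlinkPath is now a real directory
  ln -s "$ROOT/secrets-for-users/rendered/foo" "$SECRETS/rendered/foo"
}

# Scenario A: the normal path. Three generations, only the newest KEEP survive.
fresh_root
install_generation 1
install_generation 2
install_generation 3
HEALTHY_GEN="$(current_generation)"                      # 3
HEALTHY_VALUE="$(cat "$SECRETS/example")"                # value-for-generation-3
HEALTHY_KEPT="$(echo $(ls "$SECRETS_D" | sort -n))"      # 2 3

# Scenario B: the bug. The early phase leaves a real directory at symlinkPath.
fresh_root
simulate_early_phase_with_templates
BUG_INVARIANT="$(symlink_path_ok "$SECRETS" && echo holds || echo broken)"  # broken
BUG_INSTALL_RC=0
install_generation 1 || BUG_INSTALL_RC=$?                # 2, nothing installed
# Without the guard, ln -sfn does not replace the directory; it creates a
# stray link inside it, leaving symlinkPath a directory with no generation.
ln -sfn "$SECRETS_D/1" "$SECRETS"
BUG_STRAY="$([ -L "$SECRETS/1" ] && echo yes || echo no)"                          # yes
BUG_STILL_DIR="$([ -d "$SECRETS" ] && [ ! -L "$SECRETS" ] && echo yes || echo no)"  # yes
```

Running the script exercises both scenarios; the guard in `install_generation` is the part worth carrying over to any installer that swaps a symlink between generations, because `ln -sfn` is silent about the difference between "replace this link" and "create a link inside this directory".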
2024-11-11 06:18:56 +00:00
suffix: secrets: templates: extraJson:
2024-02-08 12:11:04 +00:00
writeTextFile {
  name = "manifest${suffix}.json";
2024-11-17 11:17:45 +00:00
  text = builtins.toJSON (
    {
      secrets = builtins.attrValues secrets;
      templates = builtins.attrValues templates;
      # Does this need to be configurable?
      secretsMountPoint = "/run/secrets.d";
      symlinkPath = "/run/secrets";
      keepGenerations = cfg.keepGenerations;
      gnupgHome = cfg.gnupg.home;
      sshKeyPaths = cfg.gnupg.sshKeyPaths;
      ageKeyFile = cfg.age.keyFile;
      ageSshKeyPaths = cfg.age.sshKeyPaths;
      useTmpfs = cfg.useTmpfs;
      placeholderBySecretName = cfg.placeholder;
      userMode = false;
      logging = {
        keyImport = builtins.elem "keyImport" cfg.log;
        secretChanges = builtins.elem "secretChanges" cfg.log;
      };
    }
    // extraJson
  );
2024-02-08 12:11:04 +00:00
  checkPhase = ''
2024-11-17 11:17:45 +00:00
    ${cfg.validationPackage}/bin/sops-install-secrets -check-mode=${
      if cfg.validateSopsFiles then "sopsfile" else "manifest"
    } "$out"
2024-02-08 12:11:04 +00:00
  '';
}