# NixOS module for the `neededForUsers` subset of `sops.secrets`: these secrets
# are decrypted into a separate tree (`/run/secrets-for-users`) ahead of user
# and group creation, so they are available to the user-setup step instead of
# waiting for the regular `/run/secrets` phase.
{
  lib,
  options,
  config,
  pkgs,
  ...
}:
let
# Shorthand for the `sops` option tree of this configuration.
cfg = config.sops;
# The secrets this module is responsible for: only those flagged
# `neededForUsers`; all other secrets are left to the regular secrets phase.
secretsForUsers = lib.filterAttrs (_name: secret: secret.neededForUsers) cfg.secrets;
# Deliberately empty: templates are not rendered during the `neededForUsers`
# phase. Rendering them here would have to create `/run/secrets/rendered` (the
# templates' `path` lives under `/run/secrets`, not `/run/secrets-for-users`),
# which conflicts with the expectation that `/run/secrets` is either absent or
# a symlink. Template support for this phase would need a separate design.
templatesForUsers = { }; # We do not currently support `neededForUsers` for templates.
# Manifest builder (../manifest-for.nix), partially applied with this module's
# `cfg`; the remaining arguments are supplied by `manifestForUsers`.
manifestFor = pkgs.callPackage ../manifest-for.nix {
  inherit (pkgs) writeTextFile;
  inherit cfg;
};
# Shell-command wrapper from ../with-environment.nix. NOTE(review): presumably
# it exports the variables from `cfg.environment` around the wrapped command,
# mirroring what the systemd unit receives via `environment = cfg.environment`
# — confirm in that file.
withEnvironment = import ../with-environment.nix {
  inherit cfg;
  inherit lib;
};
Do not render templates when decrypting `neededForUsers` secrets
This fixes https://github.com/Mic92/sops-nix/issues/659
In https://github.com/Mic92/sops-nix/pull/649, we started rendering
templates twice:
1. When rendering `neededForUsers` secrets (if there are any
`neededForUsers` secrets).
2. When decrypting "regular" secrets.
This alone was weird and wrong, but didn't cause issues
for people until https://github.com/Mic92/sops-nix/pull/655, which
triggered https://github.com/Mic92/sops-nix/issues/659. The cause is not
super obvious:
1. When rendering `neededForUsers` secrets, we'd generate templates in
`/run/secrets-for-users/rendered`.
2. However, the `path` for these templates is in
`/run/secrets/rendered`, which is not inside of the
`/run/secrets-for-users` directory we're dealing with, so we'd
generate a symlink from `/run/secrets/rendered/<foo>` to
`/run/secrets-for-users/rendered/<foo>`, which required making
the parent directory of the symlink (`/run/secrets/rendered/`).
3. This breaks sops-nix's assumption that `/run/secrets` either doesn't
exist, or is a symlink, and you get the symptoms described in
<https://github.com/Mic92/sops-nix/issues/659>.
Reproducing this in a test was straightforward: just expand our existing
template test to also have a `neededForUsers` secret.
Fixing this was also straightforward: don't render templates during the
`neededForUsers` phase (if we want to add support for `neededForUsers`
templates in the future, that would be straightforward to do, but I
opted not to do that here).
# Manifest for the early phase. It uses its own mount point and symlink so this
# phase never has to create anything under `/run/secrets`, which is expected to
# be absent or a symlink until the regular secrets phase runs.
manifestForUsers = manifestFor "-for-users" secretsForUsers templatesForUsers {
  symlinkPath = "/run/secrets-for-users";
  secretsMountPoint = "/run/secrets-for-users.d";
};
# True when NixOS creates users with systemd-sysusers. The `options.systemd ?
# sysusers` test keeps evaluation working on NixOS versions without that option.
sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable;
# Whether user creation happens from a systemd unit (sysusers or userborn)
# rather than from the activation script; this selects which of the two
# installer paths below is enabled. The `options.services ? userborn` guard
# keeps evaluation working where the userborn option does not exist.
useSystemdActivation =
  let
    userbornEnabled = options.services ? userborn && config.services.userborn.enable;
  in
  sysusersEnabled || userbornEnabled;
in
{
# Systemd path: when users are created by systemd-sysusers/userborn, decrypt the
# `neededForUsers` secrets from a oneshot unit ordered before sysusers.
systemd.services.sops-install-secrets-for-users =
  lib.mkIf (secretsForUsers != { } && useSystemdActivation)
    {
      # Pulled in by, and ordered before, the unit that creates user accounts.
      wantedBy = [ "systemd-sysusers.service" ];
      before = [ "systemd-sysusers.service" ];
      # Variables configured under `sops.environment` are passed to the installer.
      environment = cfg.environment;
      # Drop the implicit ordering after sysinit.target so the unit can run in
      # early boot, next to systemd-sysusers.
      unitConfig.DefaultDependencies = "no";
      serviceConfig = {
        Type = "oneshot";
        # NOTE(review): `-ignore-passwd` presumably stops the installer from
        # resolving owners/groups through the passwd database, since the
        # accounts do not exist yet at this point — confirm against
        # sops-install-secrets.
        ExecStart = [ "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}" ];
        # Keep the unit "active" after the one-shot run so it is not re-executed.
        RemainAfterExit = true;
      };
    };
# Activation-script path: when users are created by the NixOS `users`
# activation snippet rather than by systemd, decrypt the `neededForUsers`
# secrets in a snippet that `users` is made to depend on.
system.activationScripts = lib.mkIf (secretsForUsers != { } && !useSystemdActivation) {
  setupSecretsForUsers =
    # Ordered after `specialfs` (the snippet that mounts special filesystems)
    # and, when sops-nix generates the age key itself, after that key exists.
    # The `[ -e /run/current-system ]` test makes the message appear only when
    # no system is current yet (i.e. the first activation).
    lib.stringAfter ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
      [ -e /run/current-system ] || echo setting up secrets for users...
      ${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}
    ''
    # Only meaningful on NixOS versions that have dry activation.
    // lib.optionalAttrs (config.system ? dryActivationScript) {
      supportsDryActivation = true;
    };
  # Make the NixOS `users` snippet run after this one so the secrets are in
  # place when accounts are created.
  users.deps = [ "setupSecretsForUsers" ];
};
assertions = [
  {
    # Every `neededForUsers` secret must be root-owned. A secret counts as
    # non-root-owned when both its uid is non-zero and its owner is not "root",
    # or likewise for gid/group. Presumably required because the owning
    # accounts do not exist yet when this phase runs — confirm.
    assertion =
      (lib.filterAttrs (
        _: v: (v.uid != 0 && v.owner != "root") || (v.gid != 0 && v.group != "root")
      ) secretsForUsers) == { };
    message = "neededForUsers cannot be used for secrets that are not root-owned";
  }
  {
    # Parsed as `(secretsForUsers != { } && sysusersEnabled) -> mutableUsers`
    # (`->` binds loosest): with systemd-sysusers, this feature needs mutable
    # users (see the linked issue).
    assertion = secretsForUsers != { } && sysusersEnabled -> config.users.mutableUsers;
    message = ''
      systemd.sysusers.enable in combination with sops.secrets.<name>.neededForUsers can only work with config.users.mutableUsers enabled.
      See https://github.com/Mic92/sops-nix/issues/475
    '';
  }
];
# Expose the generated manifest as a build attribute so it can be inspected
# without activating the system.
system.build.sops-nix-users-manifest = manifestForUsers;
}