sops-nix/modules/nix-darwin/secrets-for-users/default.nix

{
  lib,
  config,
  pkgs,
  ...
}:
let
  cfg = config.sops;
  secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;
  templatesForUsers = { }; # We do not currently support `neededForUsers` for templates.
  manifestFor = pkgs.callPackage ../manifest-for.nix {
    inherit cfg;
    inherit (pkgs) writeTextFile;
  };
  withEnvironment = import ../with-environment.nix {
    inherit cfg lib;
  };
  manifestForUsers = manifestFor "-for-users" secretsForUsers templatesForUsers {
    secretsMountPoint = "/run/secrets-for-users.d";
    symlinkPath = "/run/secrets-for-users";
  };

  installScript = ''
    echo "Setting up secrets for users"
    ${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}
  '';
in
{

  assertions = [
    {
      assertion =
        (lib.filterAttrs (
          _: v: (v.uid != 0 && v.owner != "root") || (v.gid != 0 && v.group != "root")
        ) secretsForUsers) == { };
      message = "neededForUsers cannot be used for secrets that are not root-owned";
    }
  ];

  system.activationScripts = lib.mkIf (secretsForUsers != [ ]) {
    postActivation.text = lib.mkAfter installScript;
  };

  launchd.daemons.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != [ ]) {
    command = installScript;
    serviceConfig = {
      RunAtLoad = true;
      KeepAlive = false;
    };
  };

  system.build.sops-nix-users-manifest = manifestForUsers;
}
reformat code base with nixfmt 2024-11-17 12:17:45 +01:00			`{`
			`lib,`
			`config,`
			`pkgs,`
			`...`
			`}:`
Implement darwin module for sops-nix 2024-11-03 19:51:58 +00:00			`let`
			`cfg = config.sops;`
			`secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;`
reformat code base with nixfmt 2024-11-17 12:17:45 +01:00			templatesForUsers = { }; # We do not currently support `neededForUsers` for templates.
Implement darwin module for sops-nix 2024-11-03 19:51:58 +00:00			`manifestFor = pkgs.callPackage ../manifest-for.nix {`
			`inherit cfg;`
			`inherit (pkgs) writeTextFile;`
			`};`
			`withEnvironment = import ../with-environment.nix {`
			`inherit cfg lib;`
			`};`
nix-darwin: fix evaluation with templates 2024-11-17 11:35:23 +01:00			`manifestForUsers = manifestFor "-for-users" secretsForUsers templatesForUsers {`
Implement darwin module for sops-nix 2024-11-03 19:51:58 +00:00			`secretsMountPoint = "/run/secrets-for-users.d";`
			`symlinkPath = "/run/secrets-for-users";`
			`};`

			`installScript = ''`
			`echo "Setting up secrets for users"`
			`${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}`
			`'';`
			`in`
			`{`

reformat code base with nixfmt 2024-11-17 12:17:45 +01:00			`assertions = [`
			`{`
			`assertion =`
			`(lib.filterAttrs (`
			`_: v: (v.uid != 0 && v.owner != "root") \|\| (v.gid != 0 && v.group != "root")`
			`) secretsForUsers) == { };`
			`message = "neededForUsers cannot be used for secrets that are not root-owned";`
			`}`
			`];`
Implement darwin module for sops-nix 2024-11-03 19:51:58 +00:00
reformat code base with nixfmt 2024-11-17 12:17:45 +01:00			`system.activationScripts = lib.mkIf (secretsForUsers != [ ]) {`
Implement darwin module for sops-nix 2024-11-03 19:51:58 +00:00			`postActivation.text = lib.mkAfter installScript;`
			`};`

reformat code base with nixfmt 2024-11-17 12:17:45 +01:00			`launchd.daemons.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != [ ]) {`
Implement darwin module for sops-nix 2024-11-03 19:51:58 +00:00			`command = installScript;`
			`serviceConfig = {`
			`RunAtLoad = true;`
			`KeepAlive = false;`
			`};`
			`};`

			`system.build.sops-nix-users-manifest = manifestForUsers;`
			`}`