
modules/sops/templates: support systemd activation

Lin Yinfeng 2024-09-11 16:19:07 +08:00 committed by mergify[bot]
parent 3176c11112
commit 127a96f49d


@ -6,6 +6,27 @@ let
cfg = config.sops; cfg = config.sops;
secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets; secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;
users = config.users.users; users = config.users.users;
useSystemdActivation = (options.systemd ? sysusers && config.systemd.sysusers.enable) ||
(options.services ? userborn && config.services.userborn.enable);
renderScript = ''
echo Setting up sops templates...
${concatMapStringsSep "\n" (name:
let
tpl = config.sops.templates.${name};
substitute = pkgs.writers.writePython3 "substitute" { }
(readFile ./subs.py);
subst-pairs = pkgs.writeText "pairs" (concatMapStringsSep "\n"
(name:
"${toString config.sops.placeholder.${name}} ${
config.sops.secrets.${name}.path
}") (attrNames config.sops.secrets));
in ''
mkdir -p "${dirOf tpl.path}"
(umask 077; ${substitute} ${tpl.file} ${subst-pairs} > ${tpl.path})
chmod "${tpl.mode}" "${tpl.path}"
chown "${tpl.owner}:${tpl.group}" "${tpl.path}"
'') (attrNames config.sops.templates)}
'';
in { in {
options.sops = { options.sops = {
templates = mkOption { templates = mkOption {
@ -84,26 +105,23 @@ in {
(name: _: mkDefault "<SOPS:${hashString "sha256" name}:PLACEHOLDER>") (name: _: mkDefault "<SOPS:${hashString "sha256" name}:PLACEHOLDER>")
config.sops.secrets; config.sops.secrets;
system.activationScripts.renderSecrets = mkIf (cfg.templates != { }) systemd.services.sops-render-secrets = let
(stringAfter ([ "setupSecrets" ] installServices = [ "sops-install-secrets.service" ] ++ optional (secretsForUsers != { }) "sops-install-secrets-for-users.service";
++ optional (secretsForUsers != { }) "setupSecretsForUsers") '' in lib.mkIf (cfg.templates != { } && useSystemdActivation) {
echo Setting up sops templates... wantedBy = [ "sysinit.target" ];
${concatMapStringsSep "\n" (name: requires = installServices;
let after = installServices;
tpl = config.sops.templates.${name}; unitConfig.DefaultDependencies = "no";
substitute = pkgs.writers.writePython3 "substitute" { }
(readFile ./subs.py); script = renderScript;
subst-pairs = pkgs.writeText "pairs" (concatMapStringsSep "\n" serviceConfig = {
(name: Type = "oneshot";
"${toString config.sops.placeholder.${name}} ${ RemainAfterExit = true;
config.sops.secrets.${name}.path };
}") (attrNames config.sops.secrets)); };
in ''
mkdir -p "${dirOf tpl.path}" system.activationScripts.renderSecrets = mkIf (cfg.templates != { } && !useSystemdActivation)
(umask 077; ${substitute} ${tpl.file} ${subst-pairs} > ${tpl.path}) (stringAfter ([ "setupSecrets" ] ++ optional (secretsForUsers != { }) "setupSecretsForUsers")
chmod "${tpl.mode}" "${tpl.path}" renderScript);
chown "${tpl.owner}:${tpl.group}" "${tpl.path}"
'') (attrNames config.sops.templates)}
'');
}); });
} }
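Review bot: In renderScript (first hunk), the `>` redirection to `${tpl.path}` is unquoted and truncates an already-existing file in place, so `umask 077` does nothing for a pre-existing world-readable target and the rendered secret is exposed until the `chmod` two lines later; rendering into a temporary file in the same directory and renaming it over `tpl.path` would close that window and make the update atomic. At minimum the redirect should quote the path like the surrounding `mkdir`/`chmod`/`chown` lines do: `(umask 077; ${substitute} ${tpl.file} ${subst-pairs} > "${tpl.path}")`. In the second hunk, the new sops-render-secrets unit sets `DefaultDependencies = "no"` and orders only after the install services, so a template whose `path` is on a filesystem mounted later than sysinit could be written before the mount — presumably fine if the install units already order after `local-fs.target`, but worth confirming. Because the unit is `oneshot` with `RemainAfterExit = true`, templates are re-rendered on switch only when the unit file changes, whereas the replaced activation script ran on every switch; that behaviour change deserves a line in the module documentation.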