From d9d781523a1463965cd1e1333a306e70d9feff07 Mon Sep 17 00:00:00 2001 From: r-vdp Date: Sat, 31 Aug 2024 18:59:45 +0200 Subject: [PATCH] Support userborn --- flake.lock | 6 ++--- modules/sops/default.nix | 13 +++++----- modules/sops/secrets-for-users/default.nix | 6 +++-- pkgs/sops-install-secrets/nixos-test.nix | 29 +++++++++++++++++++--- 4 files changed, 39 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 2c48663..b6afc0b 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1721466660, - "narHash": "sha256-pFSxgSZqZ3h+5Du0KvEL1ccDZBwu4zvOil1zzrPNb3c=", + "lastModified": 1725194671, + "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6e14bbce7bea6c4efd7adfa88a40dac750d80100", + "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", "type": "github" }, "original": { diff --git a/modules/sops/default.nix b/modules/sops/default.nix index 277156f..e2d3824 100644 --- a/modules/sops/default.nix +++ b/modules/sops/default.nix @@ -20,7 +20,8 @@ let regularSecrets = lib.filterAttrs (_: v: !v.neededForUsers) cfg.secrets; - sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable; + useSystemdActivation = (options.systemd ? sysusers && config.systemd.sysusers.enable) || + (options.services ? userborn && config.services.userborn.enable); withEnvironment = import ./with-environment.nix { inherit cfg lib; @@ -231,13 +232,13 @@ in { *WARNING* Enabling this option has the potential to write secrets to disk unencrypted if the tmpfs volume is written to swap. Do not use unless absolutely necessary. - + When using a swap file or device, consider enabling swap encryption by setting the `randomEncryption.enable` option - + ``` swapDevices = [{ device = "/dev/sdXY"; - randomEncryption.enable = true; + randomEncryption.enable = true; }]; ``` ''; 
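Review bot: The new `useSystemdActivation` binding in modules/sops/default.nix (hunk `@@ -20,7 +20,8 @@`) carries no comment saying why userborn is grouped with sysusers, and the same two-clause expression is repeated in modules/sops/secrets-for-users/default.nix, so the next reader has to reconstruct the reasoning from the unit ordering further down. If, as the existing comment on the unit suggests, both mechanisms create the user database from a unit rather than from the activation scripts that run in the initrd, a one-line comment above the binding would capture that: `# sysusers and userborn both create users from a systemd unit, not an activation script, so secrets must be installed by a unit ordered against them`. The enclosing `let` block starts outside the hunk.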
@@ -323,7 +324,7 @@ in { sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != []) (lib.mkDefault "${pkgs.gnupg}/bin/gpg"); # When using sysusers we no longer be started as an activation script because those are started in initrd while sysusers is started later. - systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && sysusersEnabled) { + systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && useSystemdActivation) { wantedBy = [ "sysinit.target" ]; after = [ "systemd-sysusers.service" ]; environment = cfg.environment; @@ -337,7 +338,7 @@ in { }; system.activationScripts = { - setupSecrets = lib.mkIf (regularSecrets != {} && !sysusersEnabled) (lib.stringAfter ([ "specialfs" "users" "groups" ] ++ lib.optional cfg.age.generateKey "generate-age-key") '' + setupSecrets = lib.mkIf (regularSecrets != {} && !useSystemdActivation) (lib.stringAfter ([ "specialfs" "users" "groups" ] ++ lib.optional cfg.age.generateKey "generate-age-key") '' [ -e /run/current-system ] || echo setting up secrets... ${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets ${manifest}"} '' // lib.optionalAttrs (config.system ? dryActivationScript) { diff --git a/modules/sops/secrets-for-users/default.nix b/modules/sops/secrets-for-users/default.nix index e49ec4e..bb65532 100644 --- a/modules/sops/secrets-for-users/default.nix +++ b/modules/sops/secrets-for-users/default.nix 
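Review bot: The `after = [ "systemd-sysusers.service" ]` ordering on `sops-install-secrets` is unchanged, so when only `services.userborn.enable` is set the unit is no longer ordered after whatever creates the user database; systemd silently ignores ordering against a unit that is not present, so secrets that set `owner` or `group` could be installed before those accounts exist. I cannot tell from here how sops-install-secrets behaves when the name lookup fails, but the ordering should name userborn's unit as well (presumably `userborn.service`): `after = [ "systemd-sysusers.service" "userborn.service" ];`. The comment above the unit now also reads as sysusers-only and is ungrammatical; suggest `# With sysusers or userborn this cannot be an activation script: those run in the initrd, while the user database is created later by a unit.`. The enclosing attribute set continues outside the hunk.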
@@ -14,9 +14,11 @@ let symlinkPath = "/run/secrets-for-users"; }; sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable; + useSystemdActivation = sysusersEnabled || + (options.services ? userborn && config.services.userborn.enable); in { - systemd.services.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != { } && sysusersEnabled) { + systemd.services.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != { } && useSystemdActivation) { wantedBy = [ "systemd-sysusers.service" ]; before = [ "systemd-sysusers.service" ]; environment = cfg.environment; @@ -29,7 +31,7 @@ in }; }; - system.activationScripts = lib.mkIf (secretsForUsers != { } && !sysusersEnabled) { + system.activationScripts = lib.mkIf (secretsForUsers != { } && !useSystemdActivation) { setupSecretsForUsers = lib.stringAfter ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key") '' [ -e /run/current-system ] || echo setting up secrets for users... ${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"} diff --git a/pkgs/sops-install-secrets/nixos-test.nix b/pkgs/sops-install-secrets/nixos-test.nix index fecd463..0d9b0bd 100644 --- a/pkgs/sops-install-secrets/nixos-test.nix +++ b/pkgs/sops-install-secrets/nixos-test.nix @@ -14,10 +14,17 @@ let secrets."nested/test/file".owner = "example-user"; }; - users.users.example-user = { - isNormalUser = true; - hashedPasswordFile = config.sops.secrets.test_key.path; - }; + users.users.example-user = lib.mkMerge [ + (lib.mkIf (! config.systemd.sysusers.enable) { + isNormalUser = true; + hashedPasswordFile = config.sops.secrets.test_key.path; + }) + (lib.mkIf config.systemd.sysusers.enable { + isSystemUser = true; + group = "users"; + hashedPasswordFile = config.sops.secrets.test_key.path; + }) + ]; }; testScript = '' 
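Review bot: `sops-install-secrets-for-users` is now enabled for userborn but is still only `wantedBy` and `before` `systemd-sysusers.service`; with userborn enabled and sysusers disabled nothing pulls the unit in or orders it before the user database is created, so a `hashedPasswordFile` that points at one of these secrets can be read before the file exists. This would not surface at evaluation time, because systemd ignores wants and ordering against an absent unit. Add userborn's unit (presumably `userborn.service`) to both lists: `wantedBy = [ "systemd-sysusers.service" "userborn.service" ];` and `before = [ "systemd-sysusers.service" "userborn.service" ];`. The attribute set continues outside the hunk.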
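Review bot: In the `users.users.example-user` merge in pkgs/sops-install-secrets/nixos-test.nix, `hashedPasswordFile = config.sops.secrets.test_key.path;` is repeated in both `lib.mkIf` branches although only `isNormalUser` versus `isSystemUser`/`group` differs. Moving the shared attribute into an unconditional third element of the `lib.mkMerge` list, `{ hashedPasswordFile = config.sops.secrets.test_key.path; }`, leaves each branch with just what varies. The branch is selected on `config.systemd.sysusers.enable` alone, so the userborn test case added later in this patch presumably takes the `isNormalUser` branch; a short comment stating that userborn can create normal users, if that is the intent, would save a reader from expecting a third branch. The enclosing module continues outside the hunk.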
@@ -394,6 +401,20 @@ in { boot.initrd.systemd.enable = true; boot.kernelPackages = pkgs.linuxPackages_latest; + # must run before sops sets up keys + systemd.services."sops-install-secrets-for-users".preStart = '' + printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt + chmod -R 700 /run/age-keys.txt + ''; + }); +} // lib.optionalAttrs (lib.versionAtLeast (lib.versions.majorMinor lib.version) "24.11") { + user-passwords-userborn = userPasswordTest "sops-user-passwords-userborn" ({ pkgs, ... }: { + services.userborn.enable = true; + users.mutableUsers = false; + system.etc.overlay.enable = true; + boot.initrd.systemd.enable = true; + boot.kernelPackages = pkgs.linuxPackages_latest; + # must run before sops sets up keys systemd.services."sops-install-secrets-for-users".preStart = '' printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt