Support userborn
This commit is contained in:
parent
5db5921e40
commit
d9d781523a
4 changed files with 39 additions and 15 deletions
6
flake.lock
generated
6
flake.lock
generated
|
@ -2,11 +2,11 @@
|
||||||
"nodes": {
|
"nodes": {
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1721466660,
|
"lastModified": 1725194671,
|
||||||
"narHash": "sha256-pFSxgSZqZ3h+5Du0KvEL1ccDZBwu4zvOil1zzrPNb3c=",
|
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "6e14bbce7bea6c4efd7adfa88a40dac750d80100",
|
"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -20,7 +20,8 @@ let
|
||||||
|
|
||||||
regularSecrets = lib.filterAttrs (_: v: !v.neededForUsers) cfg.secrets;
|
regularSecrets = lib.filterAttrs (_: v: !v.neededForUsers) cfg.secrets;
|
||||||
|
|
||||||
sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable;
|
useSystemdActivation = (options.systemd ? sysusers && config.systemd.sysusers.enable) ||
|
||||||
|
(options.services ? userborn && config.services.userborn.enable);
|
||||||
|
|
||||||
withEnvironment = import ./with-environment.nix {
|
withEnvironment = import ./with-environment.nix {
|
||||||
inherit cfg lib;
|
inherit cfg lib;
|
||||||
|
@ -323,7 +324,7 @@ in {
|
||||||
sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != []) (lib.mkDefault "${pkgs.gnupg}/bin/gpg");
|
sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != []) (lib.mkDefault "${pkgs.gnupg}/bin/gpg");
|
||||||
|
|
||||||
# When using sysusers we no longer be started as an activation script because those are started in initrd while sysusers is started later.
|
# When using sysusers we no longer be started as an activation script because those are started in initrd while sysusers is started later.
|
||||||
systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && sysusersEnabled) {
|
systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && useSystemdActivation) {
|
||||||
wantedBy = [ "sysinit.target" ];
|
wantedBy = [ "sysinit.target" ];
|
||||||
after = [ "systemd-sysusers.service" ];
|
after = [ "systemd-sysusers.service" ];
|
||||||
environment = cfg.environment;
|
environment = cfg.environment;
|
||||||
|
@ -337,7 +338,7 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
system.activationScripts = {
|
system.activationScripts = {
|
||||||
setupSecrets = lib.mkIf (regularSecrets != {} && !sysusersEnabled) (lib.stringAfter ([ "specialfs" "users" "groups" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
|
setupSecrets = lib.mkIf (regularSecrets != {} && !useSystemdActivation) (lib.stringAfter ([ "specialfs" "users" "groups" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
|
||||||
[ -e /run/current-system ] || echo setting up secrets...
|
[ -e /run/current-system ] || echo setting up secrets...
|
||||||
${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets ${manifest}"}
|
${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets ${manifest}"}
|
||||||
'' // lib.optionalAttrs (config.system ? dryActivationScript) {
|
'' // lib.optionalAttrs (config.system ? dryActivationScript) {
|
||||||
|
|
|
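Review bot: The ordering `after = [ "systemd-sysusers.service" ];` in the second hunk (`@ -323,7 +324,7 @@`) is left untouched while the unit is now also created when userborn, not sysusers, is the enabled mechanism; in that configuration nothing orders sops-install-secrets after the service that creates users and groups, so resolving the `owner`/`group` of a secret to a user that does not exist yet could fail or race — unless a hunk not shown on this page adjusts it. Assuming the NixOS userborn module exposes a `userborn.service` unit, listing both is safe because systemd ignores ordering against units that are not present: `after = [ "systemd-sysusers.service" "userborn.service" ];`. The comment above that line is also stale and ungrammatical now that two mechanisms are covered; suggest `# With sysusers or userborn the secrets cannot be installed from an activation script: activation runs in initrd, while users and groups are created later by the respective service, so a systemd unit ordered after user creation is used instead.` The enclosing module body starts and ends outside these hunks.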
@ -14,9 +14,11 @@ let
|
||||||
symlinkPath = "/run/secrets-for-users";
|
symlinkPath = "/run/secrets-for-users";
|
||||||
};
|
};
|
||||||
sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable;
|
sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable;
|
||||||
|
useSystemdActivation = sysusersEnabled ||
|
||||||
|
(options.services ? userborn && config.services.userborn.enable);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
systemd.services.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != { } && sysusersEnabled) {
|
systemd.services.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != { } && useSystemdActivation) {
|
||||||
wantedBy = [ "systemd-sysusers.service" ];
|
wantedBy = [ "systemd-sysusers.service" ];
|
||||||
before = [ "systemd-sysusers.service" ];
|
before = [ "systemd-sysusers.service" ];
|
||||||
environment = cfg.environment;
|
environment = cfg.environment;
|
||||||
|
@ -29,7 +31,7 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
system.activationScripts = lib.mkIf (secretsForUsers != { } && !sysusersEnabled) {
|
system.activationScripts = lib.mkIf (secretsForUsers != { } && !useSystemdActivation) {
|
||||||
setupSecretsForUsers = lib.stringAfter ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
|
setupSecretsForUsers = lib.stringAfter ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
|
||||||
[ -e /run/current-system ] || echo setting up secrets for users...
|
[ -e /run/current-system ] || echo setting up secrets for users...
|
||||||
${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}
|
${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}
|
||||||
|
|
|
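Review bot: `wantedBy = [ "systemd-sysusers.service" ];` and `before = [ "systemd-sysusers.service" ];` on `sops-install-secrets-for-users` still name only the sysusers unit, but the new `useSystemdActivation` condition also creates this service when userborn is enabled and sysusers is not; as far as these hunks show, the service is pulled in only through the Wants= that `wantedBy` installs on systemd-sysusers.service, so with sysusers disabled it appears never to start, and the activation-script fallback below is switched off by the same condition, leaving the user secrets uninstalled — unless a hunk not shown on this page changes these two lines. The hunk already keeps `sysusersEnabled` as its own binding, which is exactly what is needed to pick the target unit: `wantedBy = if sysusersEnabled then [ "systemd-sysusers.service" ] else [ "userborn.service" ];` and the same expression for `before`, assuming the NixOS userborn module provides `userborn.service`. The enclosing `let … in` block starts outside the hunk.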
@ -14,10 +14,17 @@ let
|
||||||
secrets."nested/test/file".owner = "example-user";
|
secrets."nested/test/file".owner = "example-user";
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.example-user = {
|
users.users.example-user = lib.mkMerge [
|
||||||
|
(lib.mkIf (! config.systemd.sysusers.enable) {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
hashedPasswordFile = config.sops.secrets.test_key.path;
|
hashedPasswordFile = config.sops.secrets.test_key.path;
|
||||||
};
|
})
|
||||||
|
(lib.mkIf config.systemd.sysusers.enable {
|
||||||
|
isSystemUser = true;
|
||||||
|
group = "users";
|
||||||
|
hashedPasswordFile = config.sops.secrets.test_key.path;
|
||||||
|
})
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
testScript = ''
|
testScript = ''
|
||||||
|
@ -394,6 +401,20 @@ in {
|
||||||
boot.initrd.systemd.enable = true;
|
boot.initrd.systemd.enable = true;
|
||||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||||
|
|
||||||
|
# must run before sops sets up keys
|
||||||
|
systemd.services."sops-install-secrets-for-users".preStart = ''
|
||||||
|
printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt
|
||||||
|
chmod -R 700 /run/age-keys.txt
|
||||||
|
'';
|
||||||
|
});
|
||||||
|
} // lib.optionalAttrs (lib.versionAtLeast (lib.versions.majorMinor lib.version) "24.11") {
|
||||||
|
user-passwords-userborn = userPasswordTest "sops-user-passwords-userborn" ({ pkgs, ... }: {
|
||||||
|
services.userborn.enable = true;
|
||||||
|
users.mutableUsers = false;
|
||||||
|
system.etc.overlay.enable = true;
|
||||||
|
boot.initrd.systemd.enable = true;
|
||||||
|
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||||
|
|
||||||
# must run before sops sets up keys
|
# must run before sops sets up keys
|
||||||
systemd.services."sops-install-secrets-for-users".preStart = ''
|
systemd.services."sops-install-secrets-for-users".preStart = ''
|
||||||
printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt
|
printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt
|
||||||
|
|
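Review bot: The new `user-passwords-userborn` case in the second hunk (`@ -394,6 +401,20 @@`) repeats the entire body of the sysusers case above it — `users.mutableUsers`, `system.etc.overlay.enable`, `boot.initrd.systemd.enable`, `boot.kernelPackages` and the age-key `preStart` — differing only in `services.userborn.enable = true;`, so the two will drift apart the next time the shared setup changes. A `let` binding holding that shared module (the four option lines plus the `preStart` block) which both cases import, each adding only its own enabling option, would keep them in step. I also cannot tell from these hunks whether the test script asserts that the systemd unit, rather than the activation script, installed the user secrets under userborn; if it does not, the new case passes as long as the password file ends up in place, whichever path was taken. The test script and the enclosing attribute set continue outside the hunk.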