
Support userborn

This commit is contained in:
r-vdp 2024-08-31 18:59:45 +02:00 committed by mergify[bot]
parent 5db5921e40
commit d9d781523a
4 changed files with 39 additions and 15 deletions

flake.lock generated

@ -2,11 +2,11 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1721466660, "lastModified": 1725194671,
"narHash": "sha256-pFSxgSZqZ3h+5Du0KvEL1ccDZBwu4zvOil1zzrPNb3c=", "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6e14bbce7bea6c4efd7adfa88a40dac750d80100", "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -20,7 +20,8 @@ let
regularSecrets = lib.filterAttrs (_: v: !v.neededForUsers) cfg.secrets; regularSecrets = lib.filterAttrs (_: v: !v.neededForUsers) cfg.secrets;
sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable; useSystemdActivation = (options.systemd ? sysusers && config.systemd.sysusers.enable) ||
(options.services ? userborn && config.services.userborn.enable);
withEnvironment = import ./with-environment.nix { withEnvironment = import ./with-environment.nix {
inherit cfg lib; inherit cfg lib;
@ -231,13 +232,13 @@ in {
*WARNING* *WARNING*
Enabling this option has the potential to write secrets to disk unencrypted if the tmpfs volume is written to swap. Do not use unless absolutely necessary. Enabling this option has the potential to write secrets to disk unencrypted if the tmpfs volume is written to swap. Do not use unless absolutely necessary.
When using a swap file or device, consider enabling swap encryption by setting the `randomEncryption.enable` option When using a swap file or device, consider enabling swap encryption by setting the `randomEncryption.enable` option
``` ```
swapDevices = [{ swapDevices = [{
device = "/dev/sdXY"; device = "/dev/sdXY";
randomEncryption.enable = true; randomEncryption.enable = true;
}]; }];
``` ```
''; '';
@ -323,7 +324,7 @@ in {
sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != []) (lib.mkDefault "${pkgs.gnupg}/bin/gpg"); sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != []) (lib.mkDefault "${pkgs.gnupg}/bin/gpg");
# When using sysusers we no longer be started as an activation script because those are started in initrd while sysusers is started later. # When using sysusers we no longer be started as an activation script because those are started in initrd while sysusers is started later.
systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && sysusersEnabled) { systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && useSystemdActivation) {
wantedBy = [ "sysinit.target" ]; wantedBy = [ "sysinit.target" ];
after = [ "systemd-sysusers.service" ]; after = [ "systemd-sysusers.service" ];
environment = cfg.environment; environment = cfg.environment;
@ -337,7 +338,7 @@ in {
}; };
system.activationScripts = { system.activationScripts = {
setupSecrets = lib.mkIf (regularSecrets != {} && !sysusersEnabled) (lib.stringAfter ([ "specialfs" "users" "groups" ] ++ lib.optional cfg.age.generateKey "generate-age-key") '' setupSecrets = lib.mkIf (regularSecrets != {} && !useSystemdActivation) (lib.stringAfter ([ "specialfs" "users" "groups" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
[ -e /run/current-system ] || echo setting up secrets... [ -e /run/current-system ] || echo setting up secrets...
${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets ${manifest}"} ${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets ${manifest}"}
'' // lib.optionalAttrs (config.system ? dryActivationScript) { '' // lib.optionalAttrs (config.system ? dryActivationScript) {
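Review bot: The comment above the sops-install-secrets definition in the @ -323 hunk still explains the systemd path purely in terms of sysusers, but the condition on the next line now also selects it when services.userborn is enabled, so the comment is stale and its grammar is broken; suggest `# When sysusers or userborn manages users, secrets cannot be installed from an activation script (activation runs in initrd, user creation happens later), so run as a systemd unit instead.`. The ordering on the `after` line still names only systemd-sysusers.service; if userborn creates users through a different unit, this service may run before the owning users exist and the ownership of regular secrets would fail, so the corresponding userborn unit should probably be added to `after` once its name is confirmed against nixpkgs. The mixed ordering at the top of the file, where useSystemdActivation replaces sysusersEnabled here but the other module keeps both names, is worth aligning so the two expressions do not drift. The enclosing module definition continues outside these hunks.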


@ -14,9 +14,11 @@ let
symlinkPath = "/run/secrets-for-users"; symlinkPath = "/run/secrets-for-users";
}; };
sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable; sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable;
useSystemdActivation = sysusersEnabled ||
(options.services ? userborn && config.services.userborn.enable);
in in
{ {
systemd.services.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != { } && sysusersEnabled) { systemd.services.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != { } && useSystemdActivation) {
wantedBy = [ "systemd-sysusers.service" ]; wantedBy = [ "systemd-sysusers.service" ];
before = [ "systemd-sysusers.service" ]; before = [ "systemd-sysusers.service" ];
environment = cfg.environment; environment = cfg.environment;
@ -29,7 +31,7 @@ in
}; };
}; };
system.activationScripts = lib.mkIf (secretsForUsers != { } && !sysusersEnabled) { system.activationScripts = lib.mkIf (secretsForUsers != { } && !useSystemdActivation) {
setupSecretsForUsers = lib.stringAfter ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key") '' setupSecretsForUsers = lib.stringAfter ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
[ -e /run/current-system ] || echo setting up secrets for users... [ -e /run/current-system ] || echo setting up secrets for users...
${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"} ${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}
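Review bot: sops-install-secrets-for-users is now enabled whenever userborn is on, but the `wantedBy` and `before` lines in the @ -14 hunk still reference only systemd-sysusers.service; when sysusers is disabled and userborn performs user creation, nothing on the new side pulls this unit in or orders it before the user database is generated, which is what hashedPasswordFile on the secret path relies on. If the userborn unit is named userborn.service (confirm against nixpkgs), something like `wantedBy = [ "systemd-sysusers.service" ] ++ lib.optional (options.services ? userborn) "userborn.service";` with the same addition on `before` would restore the guarantee. The `useSystemdActivation` expression added here duplicates the one in the other module, so a shared helper would keep them consistent. The second hunk of this file appears cut short on this page, so its final line could not be reviewed.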


@ -14,10 +14,17 @@ let
secrets."nested/test/file".owner = "example-user"; secrets."nested/test/file".owner = "example-user";
}; };
users.users.example-user = { users.users.example-user = lib.mkMerge [
isNormalUser = true; (lib.mkIf (! config.systemd.sysusers.enable) {
hashedPasswordFile = config.sops.secrets.test_key.path; isNormalUser = true;
}; hashedPasswordFile = config.sops.secrets.test_key.path;
})
(lib.mkIf config.systemd.sysusers.enable {
isSystemUser = true;
group = "users";
hashedPasswordFile = config.sops.secrets.test_key.path;
})
];
}; };
testScript = '' testScript = ''
@ -394,6 +401,20 @@ in {
boot.initrd.systemd.enable = true; boot.initrd.systemd.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
# must run before sops sets up keys
systemd.services."sops-install-secrets-for-users".preStart = ''
printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
});
} // lib.optionalAttrs (lib.versionAtLeast (lib.versions.majorMinor lib.version) "24.11") {
user-passwords-userborn = userPasswordTest "sops-user-passwords-userborn" ({ pkgs, ... }: {
services.userborn.enable = true;
users.mutableUsers = false;
system.etc.overlay.enable = true;
boot.initrd.systemd.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
# must run before sops sets up keys # must run before sops sets up keys
systemd.services."sops-install-secrets-for-users".preStart = '' systemd.services."sops-install-secrets-for-users".preStart = ''
printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt