mirrors/sops-nix
mirrors/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2025-03-16 05:28:15 +00:00
Code Activity

Support userborn

Browse source
This commit is contained in:
r-vdp 2024-08-31 18:59:45 +02:00 committed by mergify[bot]
parent 5db5921e40
commit d9d781523a
4 changed files with 39 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
flake.lock generated
View file

@ -2,11 +2,11 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1721466660, "lastModified": 1725194671,
"narHash": "sha256-pFSxgSZqZ3h+5Du0KvEL1ccDZBwu4zvOil1zzrPNb3c=", "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6e14bbce7bea6c4efd7adfa88a40dac750d80100", "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
"type": "github" "type": "github"
}, },
"original": { "original": {

13
modules/sops/default.nix
View file

@ -20,7 +20,8 @@ let
regularSecrets = lib.filterAttrs (_: v: !v.neededForUsers) cfg.secrets; regularSecrets = lib.filterAttrs (_: v: !v.neededForUsers) cfg.secrets;
sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable; useSystemdActivation = (options.systemd ? sysusers && config.systemd.sysusers.enable) ||
(options.services ? userborn && config.services.userborn.enable);
withEnvironment = import ./with-environment.nix { withEnvironment = import ./with-environment.nix {
inherit cfg lib; inherit cfg lib;
@ -231,13 +232,13 @@ in {
*WARNING* *WARNING*
Enabling this option has the potential to write secrets to disk unencrypted if the tmpfs volume is written to swap. Do not use unless absolutely necessary. Enabling this option has the potential to write secrets to disk unencrypted if the tmpfs volume is written to swap. Do not use unless absolutely necessary.
When using a swap file or device, consider enabling swap encryption by setting the `randomEncryption.enable` option When using a swap file or device, consider enabling swap encryption by setting the `randomEncryption.enable` option
``` ```
swapDevices = [{ swapDevices = [{
device = "/dev/sdXY"; device = "/dev/sdXY";
randomEncryption.enable = true; randomEncryption.enable = true;
}]; }];
``` ```
''; '';
@ -323,7 +324,7 @@ in {
sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != []) (lib.mkDefault "${pkgs.gnupg}/bin/gpg"); sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != []) (lib.mkDefault "${pkgs.gnupg}/bin/gpg");
# When using sysusers we no longer be started as an activation script because those are started in initrd while sysusers is started later. # When using sysusers we no longer be started as an activation script because those are started in initrd while sysusers is started later.
systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && sysusersEnabled) { systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && useSystemdActivation) {
wantedBy = [ "sysinit.target" ]; wantedBy = [ "sysinit.target" ];
after = [ "systemd-sysusers.service" ]; after = [ "systemd-sysusers.service" ];
environment = cfg.environment; environment = cfg.environment;
@ -337,7 +338,7 @@ in {
}; };
system.activationScripts = { system.activationScripts = {
setupSecrets = lib.mkIf (regularSecrets != {} && !sysusersEnabled) (lib.stringAfter ([ "specialfs" "users" "groups" ] ++ lib.optional cfg.age.generateKey "generate-age-key") '' setupSecrets = lib.mkIf (regularSecrets != {} && !useSystemdActivation) (lib.stringAfter ([ "specialfs" "users" "groups" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
[ -e /run/current-system ] || echo setting up secrets... [ -e /run/current-system ] || echo setting up secrets...
${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets ${manifest}"} ${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets ${manifest}"}
'' // lib.optionalAttrs (config.system ? dryActivationScript) { '' // lib.optionalAttrs (config.system ? dryActivationScript) {

6
modules/sops/secrets-for-users/default.nix
View file

@ -14,9 +14,11 @@ let
symlinkPath = "/run/secrets-for-users"; symlinkPath = "/run/secrets-for-users";
}; };
sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable; sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable;
useSystemdActivation = sysusersEnabled ||
(options.services ? userborn && config.services.userborn.enable);
in in
{ {
systemd.services.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != { } && sysusersEnabled) { systemd.services.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != { } && useSystemdActivation) {
wantedBy = [ "systemd-sysusers.service" ]; wantedBy = [ "systemd-sysusers.service" ];
before = [ "systemd-sysusers.service" ]; before = [ "systemd-sysusers.service" ];
environment = cfg.environment; environment = cfg.environment;
@ -29,7 +31,7 @@ in
}; };
}; };
system.activationScripts = lib.mkIf (secretsForUsers != { } && !sysusersEnabled) { system.activationScripts = lib.mkIf (secretsForUsers != { } && !useSystemdActivation) {
setupSecretsForUsers = lib.stringAfter ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key") '' setupSecretsForUsers = lib.stringAfter ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
[ -e /run/current-system ] || echo setting up secrets for users... [ -e /run/current-system ] || echo setting up secrets for users...
${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"} ${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}

29
pkgs/sops-install-secrets/nixos-test.nix
View file

@ -14,10 +14,17 @@ let
secrets."nested/test/file".owner = "example-user"; secrets."nested/test/file".owner = "example-user";
}; };
users.users.example-user = { users.users.example-user = lib.mkMerge [
isNormalUser = true; (lib.mkIf (! config.systemd.sysusers.enable) {
hashedPasswordFile = config.sops.secrets.test_key.path; isNormalUser = true;
}; hashedPasswordFile = config.sops.secrets.test_key.path;
})
(lib.mkIf config.systemd.sysusers.enable {
isSystemUser = true;
group = "users";
hashedPasswordFile = config.sops.secrets.test_key.path;
})
];
}; };
testScript = '' testScript = ''
@ -394,6 +401,20 @@ in {
boot.initrd.systemd.enable = true; boot.initrd.systemd.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
# must run before sops sets up keys
systemd.services."sops-install-secrets-for-users".preStart = ''
printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
});
} // lib.optionalAttrs (lib.versionAtLeast (lib.versions.majorMinor lib.version) "24.11") {
user-passwords-userborn = userPasswordTest "sops-user-passwords-userborn" ({ pkgs, ... }: {
services.userborn.enable = true;
users.mutableUsers = false;
system.etc.overlay.enable = true;
boot.initrd.systemd.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
# must run before sops sets up keys # must run before sops sets up keys
systemd.services."sops-install-secrets-for-users".preStart = '' systemd.services."sops-install-secrets-for-users".preStart = ''
printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt