mirror of
https://github.com/Mic92/sops-nix.git
synced 2025-03-17 05:58:15 +00:00
37 lines
1.3 KiB
Nix
37 lines
1.3 KiB
Nix
{ lib, config, pkgs, ... }:
|
|
let
|
|
cfg = config.sops;
|
|
secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;
|
|
manifestFor = pkgs.callPackage ../manifest-for.nix {
|
|
inherit cfg;
|
|
inherit (pkgs) writeTextFile;
|
|
};
|
|
withEnvironment = import ../with-environment.nix {
|
|
inherit cfg lib;
|
|
};
|
|
manifestForUsers = manifestFor "-for-users" secretsForUsers {
|
|
secretsMountPoint = "/run/secrets-for-users.d";
|
|
symlinkPath = "/run/secrets-for-users";
|
|
};
|
|
in
|
|
{
|
|
system.activationScripts = lib.mkIf (secretsForUsers != {}) {
|
|
setupSecretsForUsers = lib.mkIf (secretsForUsers != {}) (lib.stringAfter ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
|
|
[ -e /run/current-system ] || echo setting up secrets for users...
|
|
${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}
|
|
'' // lib.optionalAttrs (config.system ? dryActivationScript) {
|
|
supportsDryActivation = true;
|
|
});
|
|
|
|
users = lib.mkIf (secretsForUsers != {}) {
|
|
deps = [ "setupSecretsForUsers" ];
|
|
};
|
|
};
|
|
|
|
assertions = [{
|
|
assertion = (lib.filterAttrs (_: v: v.owner != "root" || v.group != "root") secretsForUsers) == {};
|
|
message = "neededForUsers cannot be used for secrets that are not root-owned";
|
|
}];
|
|
|
|
system.build.sops-nix-users-manifest = manifestForUsers;
|
|
}
|