sops-nix/modules/sops/secrets-for-users/default.nix
Jörg Thalheim 00071af896 move secrets-fo-users to it's own module
This is preparation to support sysusers.
No behavior change.
2024-02-08 12:26:52 +00:00


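{ lib, config, pkgs, ... }:
# Installs the secrets flagged `neededForUsers` early in activation, before the
# stock `users` activation script creates users and groups, so that those
# secrets are already present when accounts are set up.
let
  cfg = config.sops;

  # Only the secrets that explicitly opted in with `neededForUsers`.
  secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;

  # Evaluated once and reused below instead of repeating the comparison.
  hasSecretsForUsers = secretsForUsers != { };

  manifestFor = pkgs.callPackage ../manifest-for.nix {
    inherit cfg;
    inherit (pkgs) writeTextFile;
  };

  withEnvironment = import ../with-environment.nix {
    inherit cfg lib;
  };

  # Dedicated manifest, mount point and symlink path, kept apart from the
  # regular secrets so this early installation and the later full one do not
  # share state.
  manifestForUsers = manifestFor "-for-users" secretsForUsers {
    secretsMountPoint = "/run/secrets-for-users.d";
    symlinkPath = "/run/secrets-for-users";
  };
in
{
  # One mkIf is enough: the module system pushes the condition down into each
  # attribute, so repeating it on `setupSecretsForUsers` and `users` (as the
  # previous version did) is redundant.
  system.activationScripts = lib.mkIf hasSecretsForUsers {
    setupSecretsForUsers = lib.stringAfter
      # Run after `specialfs` so /run is available, and — when sops-nix
      # generates the age key itself — after that key exists, since it is
      # needed to decrypt the secrets.
      ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key")
      ''
        [ -e /run/current-system ] || echo setting up secrets for users...
        ${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}
      ''
      # `-ignore-passwd`: the `users` script has not run yet, so owner/group
      # lookups are not possible at this point. The assertion below keeps these
      # secrets root-owned, so no lookup is needed. The echo only fires when
      # /run/current-system is absent, i.e. during the first boot's activation.
      // lib.optionalAttrs (config.system ? dryActivationScript) {
        supportsDryActivation = true;
      };

    # Make the stock `users` activation script wait for the secrets.
    users = {
      deps = [ "setupSecretsForUsers" ];
    };
  };

  # Secrets installed before users exist cannot be chowned to a non-root
  # owner or group; reject such configurations at evaluation time.
  assertions = [{
    assertion = (lib.filterAttrs (_: v: v.owner != "root" || v.group != "root") secretsForUsers) == { };
    message = "neededForUsers cannot be used for secrets that are not root-owned";
  }];

  # Exposed so the manifest can be inspected or built on its own.
  system.build.sops-nix-users-manifest = manifestForUsers;
}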