impermanence: split out sops setup

This commit is contained in:
colin 2022-12-30 04:30:41 +00:00
parent 5a273213f6
commit 08dfc80c98
3 changed files with 33 additions and 23 deletions

View File

@ -10,5 +10,6 @@
./impermanence
./nixcache.nix
./services
./sops.nix
];
}

View File

@ -7,8 +7,6 @@
with lib;
let
cfg = config.sane.impermanence;
# taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
secrets-for-users = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
getStore = { encryptedClearOnBoot, ... }: (
if encryptedClearOnBoot then {
device = "/mnt/impermanence/crypt/clearedonboot";
@ -300,27 +298,6 @@ in
}
)
(lib.mkIf secrets-for-users {
# secret decoding depends on /etc/ssh keys, so make sure those are present.
system.activationScripts.setupSecretsForUsers = lib.mkIf secrets-for-users {
deps = [ "etc" ];
};
system.activationScripts.etc.deps = lib.mkForce [];
assertions = builtins.concatLists (builtins.attrValues (
builtins.mapAttrs
(path: value: [
{
assertion = (builtins.substring 0 1 value.user) == "+";
message = "non-numeric user for /etc/${path}: ${value.user} prevents early /etc linking";
}
{
assertion = (builtins.substring 0 1 value.group) == "+";
message = "non-numeric group for /etc/${path}: ${value.group} prevents early /etc linking";
}
])
config.environment.etc
));
})
]);
}

32
modules/sops.nix Normal file
View File

@ -0,0 +1,32 @@
{ config, lib, ... }:
let
# taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
secrets-for-users = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
sops-files = config.sops.age.sshKeyPaths ++ config.sops.gnupg.sshKeyPaths ++ [ config.sops.age.keyFile ];
keys-in-etc = builtins.any (p: builtins.substring 0 5 p == "/etc/") sops-files;
in
{
config = lib.mkIf (secrets-for-users && keys-in-etc) {
# secret decoding depends on keys in /etc/ (like the ssh host key), so make sure those are present.
system.activationScripts.setupSecretsForUsers = lib.mkIf secrets-for-users {
deps = [ "etc" ];
};
# TODO: we should selectively remove "users" and "groups", but keep manually specified deps?
system.activationScripts.etc.deps = lib.mkForce [];
assertions = builtins.concatLists (builtins.attrValues (
builtins.mapAttrs
(path: value: [
{
assertion = (builtins.substring 0 1 value.user) == "+";
message = "non-numeric user for /etc/${path}: ${value.user} prevents early /etc linking";
}
{
assertion = (builtins.substring 0 1 value.group) == "+";
message = "non-numeric group for /etc/${path}: ${value.group} prevents early /etc linking";
}
])
config.environment.etc
));
};
}