impermanence: split out sops setup
This commit is contained in:
parent
5a273213f6
commit
08dfc80c98
|
@ -10,5 +10,6 @@
|
||||||
./impermanence
|
./impermanence
|
||||||
./nixcache.nix
|
./nixcache.nix
|
||||||
./services
|
./services
|
||||||
|
./sops.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,8 +7,6 @@
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
cfg = config.sane.impermanence;
|
cfg = config.sane.impermanence;
|
||||||
# taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
|
|
||||||
secrets-for-users = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
|
|
||||||
getStore = { encryptedClearOnBoot, ... }: (
|
getStore = { encryptedClearOnBoot, ... }: (
|
||||||
if encryptedClearOnBoot then {
|
if encryptedClearOnBoot then {
|
||||||
device = "/mnt/impermanence/crypt/clearedonboot";
|
device = "/mnt/impermanence/crypt/clearedonboot";
|
||||||
|
@ -300,27 +298,6 @@ in
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
(lib.mkIf secrets-for-users {
|
|
||||||
# secret decoding depends on /etc/ssh keys, so make sure those are present.
|
|
||||||
system.activationScripts.setupSecretsForUsers = lib.mkIf secrets-for-users {
|
|
||||||
deps = [ "etc" ];
|
|
||||||
};
|
|
||||||
system.activationScripts.etc.deps = lib.mkForce [];
|
|
||||||
assertions = builtins.concatLists (builtins.attrValues (
|
|
||||||
builtins.mapAttrs
|
|
||||||
(path: value: [
|
|
||||||
{
|
|
||||||
assertion = (builtins.substring 0 1 value.user) == "+";
|
|
||||||
message = "non-numeric user for /etc/${path}: ${value.user} prevents early /etc linking";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
assertion = (builtins.substring 0 1 value.group) == "+";
|
|
||||||
message = "non-numeric group for /etc/${path}: ${value.group} prevents early /etc linking";
|
|
||||||
}
|
|
||||||
])
|
|
||||||
config.environment.etc
|
|
||||||
));
|
|
||||||
})
|
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,32 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
# taken from sops-nix code: checks if any secrets are needed to create /etc/shadow
|
||||||
|
secrets-for-users = (lib.filterAttrs (_: v: v.neededForUsers) config.sops.secrets) != {};
|
||||||
|
sops-files = config.sops.age.sshKeyPaths ++ config.sops.gnupg.sshKeyPaths ++ [ config.sops.age.keyFile ];
|
||||||
|
keys-in-etc = builtins.any (p: builtins.substring 0 5 p == "/etc/") sops-files;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
config = lib.mkIf (secrets-for-users && keys-in-etc) {
|
||||||
|
# secret decoding depends on keys in /etc/ (like the ssh host key), so make sure those are present.
|
||||||
|
system.activationScripts.setupSecretsForUsers = lib.mkIf secrets-for-users {
|
||||||
|
deps = [ "etc" ];
|
||||||
|
};
|
||||||
|
# TODO: we should selectively remove "users" and "groups", but keep manually specified deps?
|
||||||
|
system.activationScripts.etc.deps = lib.mkForce [];
|
||||||
|
assertions = builtins.concatLists (builtins.attrValues (
|
||||||
|
builtins.mapAttrs
|
||||||
|
(path: value: [
|
||||||
|
{
|
||||||
|
assertion = (builtins.substring 0 1 value.user) == "+";
|
||||||
|
message = "non-numeric user for /etc/${path}: ${value.user} prevents early /etc linking";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
assertion = (builtins.substring 0 1 value.group) == "+";
|
||||||
|
message = "non-numeric group for /etc/${path}: ${value.group} prevents early /etc linking";
|
||||||
|
}
|
||||||
|
])
|
||||||
|
config.environment.etc
|
||||||
|
));
|
||||||
|
};
|
||||||
|
}
|
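Review bot: `sops-files` concatenates `[ config.sops.age.keyFile ]` unconditionally, but that option is nullable in sops-nix (its default is `null`), so on a host that only uses `sshKeyPaths` the `builtins.substring 0 5 p` in `keys-in-etc` is applied to `null` and evaluation fails instead of the module quietly deciding no key lives in /etc. Filtering the null out keeps the whole guard working: `sops-files = config.sops.age.sshKeyPaths ++ config.sops.gnupg.sshKeyPaths ++ lib.optional (config.sops.age.keyFile != null) config.sops.age.keyFile;`, and the prefix test reads more clearly as `keys-in-etc = builtins.any (lib.hasPrefix "/etc/") sops-files;`. The inner `lib.mkIf secrets-for-users` on `setupSecretsForUsers` is redundant, since the enclosing `config = lib.mkIf (secrets-for-users && keys-in-etc)` already implies it; dropping it avoids a reader wondering whether the two conditions differ. Since `system.activationScripts.etc.deps = lib.mkForce []` removes every dependency of the etc script, a one-line comment stating that the assertions below are what make that safe (every /etc entry must use numeric uid/gid so linking can run before users exist) would tie the two halves of this module together.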