Create a separate module for overriding sops passwords

2024-05-02 13:02:52 +02:00 · 2024-05-02 13:02:52 +02:00 · 1a57b9d49b
parent 354982cf37
commit 1a57b9d49b
2 changed files with 65 additions and 26 deletions
--- a/lib/modules/custom-build-vm.nix
+++ b/lib/modules/custom-build-vm.nix
@ -78,10 +78,16 @@ in {
    virtualisation =
      let
        extendVMConfig =
-          vmVariant: {
+          vmVariant: overrideSops: {
            # Prevent GRUB2 errors in `nixos-rebuild build-vm-with-bootloader`
            boot.loader.efi.efiSysMountPoint = lib.mkVMOverride "/boot";

+            # Override passwords backed by `sops-nix`
+            users.sopsPasswordOverride = lib.mkIf overrideSops {
+              enable = true;
+              password = "admin";
+            };
+
            virtualisation = {
              # Enable root permissions to get access to the `/etc/ssh` directory
              runAsRoot = lib.mkIf vmVariant.virtualisation.sharedHostKeys true;
@ -124,31 +130,7 @@ in {
        ;
      in {
        vmVariant = extendVMConfig vmVariant;
-        vmVariantWithBootLoader =
-          (extendVMConfig vmVariantWithBootLoader) //
-          # Overwrite users with `hashedPasswordFile`s as `sops-nix` does not seem to work with `build-vm-with-bootloader`
-          {
-            users.users = builtins.listToAttrs (
-              builtins.map (
-                name: {
-                  inherit name;
-
-                  value = {
-                    hashedPasswordFile = lib.mkVMOverride null;
-                    password = lib.mkVMOverride "test";
-                  };
-                })
-            (builtins.filter
-              (
-                name:
-                  let
-                    user = config.users.users.${name};
-                  in
-                    (
-                      (user.hashedPasswordFile != null)
-                    ))
-              (builtins.attrNames config.users.users)));
-          };
+        vmVariantWithBootLoader = extendVMConfig vmVariantWithBootLoader;
      };

    system.build =
--- a/lib/modules/custom-sops-nix.nix
+++ b/lib/modules/custom-sops-nix.nix
@ -0,0 +1,57 @@
+{ config, lib, ... }: {
+  options =
+  let
+    vmVariantOptions = {
+      users.sopsPasswordOverride = {
+        enable = lib.mkEnableOption "sops password override" // {
+          default = false;
+        };
+
+        password = lib.mkOption {
+          type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
+          default = null;
+        };
+
+        hashedPassword = lib.mkOption {
+          type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
+          default = null;
+        };
+      };
+    };
+  in {
+    virtualisation = {
+      vmVariant = vmVariantOptions;
+      vmVariantWithBootLoader = vmVariantOptions;
+    };
+  };
+
+  config = {
+    users.users =
+      with { inherit (config.virtualisation.vmVariantWithBootLoader.users) sopsPasswordOverride; };
+      (lib.mkIf
+        sopsPasswordOverride.enable
+        (
+          builtins.listToAttrs (
+            builtins.map (
+              name: {
+                inherit name;
+
+                value = {
+                  hashedPasswordFile = lib.mkVMOverride null;
+                  hashedPassword = sopsPasswordOverride.hashedPassword;
+                  password = sopsPasswordOverride.password;
+                };
+              })
+            (builtins.filter
+              (
+                name:
+                  let
+                    user = config.users.users.${name};
+                  in
+                    (
+                      (user.hashedPasswordFile != null) &&
+                      (lib.strings.hasPrefix "/run/secrets-for-users/" user.hashedPasswordFile)
+                    ))
+              (builtins.attrNames config.users.users)))));
+  };
+}