Create a separate module for overriding sops passwords
This commit is contained in:
parent
354982cf37
commit
1a57b9d49b
2 changed files with 65 additions and 26 deletions
|
@ -78,10 +78,16 @@ in {
|
|||
virtualisation =
|
||||
let
|
||||
extendVMConfig =
|
||||
vmVariant: {
|
||||
vmVariant: overrideSops: {
|
||||
# Prevent GRUB2 errors in `nixos-rebuild build-vm-with-bootloader`
|
||||
boot.loader.efi.efiSysMountPoint = lib.mkVMOverride "/boot";
|
||||
|
||||
# Override passwords backed by `sops-nix`
|
||||
users.sopsPasswordOverride = lib.mkIf overrideSops {
|
||||
enable = true;
|
||||
password = "admin";
|
||||
};
|
||||
|
||||
virtualisation = {
|
||||
# Enable root permissions to get access to the `/etc/ssh` directory
|
||||
runAsRoot = lib.mkIf vmVariant.virtualisation.sharedHostKeys true;
|
||||
|
@ -124,31 +130,7 @@ in {
|
|||
;
|
||||
in {
|
||||
vmVariant = extendVMConfig vmVariant;
|
||||
vmVariantWithBootLoader =
|
||||
(extendVMConfig vmVariantWithBootLoader) //
|
||||
# Overwrite users with `hashedPasswordFile`s as `sops-nix` does not seem to work with `build-vm-with-bootloader`
|
||||
{
|
||||
users.users = builtins.listToAttrs (
|
||||
builtins.map (
|
||||
name: {
|
||||
inherit name;
|
||||
|
||||
value = {
|
||||
hashedPasswordFile = lib.mkVMOverride null;
|
||||
password = lib.mkVMOverride "test";
|
||||
};
|
||||
})
|
||||
(builtins.filter
|
||||
(
|
||||
name:
|
||||
let
|
||||
user = config.users.users.${name};
|
||||
in
|
||||
(
|
||||
(user.hashedPasswordFile != null)
|
||||
))
|
||||
(builtins.attrNames config.users.users)));
|
||||
};
|
||||
vmVariantWithBootLoader = extendVMConfig vmVariantWithBootLoader;
|
||||
};
|
||||
|
||||
system.build =
|
||||
|
|
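Review bot: `extendVMConfig` is now declared as `vmVariant: overrideSops: {` in the first hunk, but both visible call sites in the second hunk still pass a single argument — the context line `vmVariant = extendVMConfig vmVariant;` and the added `vmVariantWithBootLoader = extendVMConfig vmVariantWithBootLoader;` — so each variant receives a partially applied function rather than an attribute set. As far as I can tell, because `virtualisation.vmVariant*` are submodules a function there is treated as a module and `overrideSops` would be bound to the module-arguments set, so `lib.mkIf overrideSops` would fail on a non-boolean condition; if a later change supplies the flag I have not seen it. The added line should read `vmVariantWithBootLoader = extendVMConfig vmVariantWithBootLoader true;`, and presumably the context line becomes `vmVariant = extendVMConfig vmVariant false;` so the plaintext override stays out of the plain `build-vm` variant, matching the intent of the removed comment. The `let` that encloses `extendVMConfig` starts outside these hunks.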
57
lib/modules/custom-sops-nix.nix
Normal file
57
lib/modules/custom-sops-nix.nix
Normal file
|
@ -0,0 +1,57 @@
|
|||
{ config, lib, ... }: {
|
||||
options =
|
||||
let
|
||||
vmVariantOptions = {
|
||||
users.sopsPasswordOverride = {
|
||||
enable = lib.mkEnableOption "sops password override" // {
|
||||
default = false;
|
||||
};
|
||||
|
||||
password = lib.mkOption {
|
||||
type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
|
||||
default = null;
|
||||
};
|
||||
|
||||
hashedPassword = lib.mkOption {
|
||||
type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
};
|
||||
in {
|
||||
virtualisation = {
|
||||
vmVariant = vmVariantOptions;
|
||||
vmVariantWithBootLoader = vmVariantOptions;
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
users.users =
|
||||
with { inherit (config.virtualisation.vmVariantWithBootLoader.users) sopsPasswordOverride; };
|
||||
(lib.mkIf
|
||||
sopsPasswordOverride.enable
|
||||
(
|
||||
builtins.listToAttrs (
|
||||
builtins.map (
|
||||
name: {
|
||||
inherit name;
|
||||
|
||||
value = {
|
||||
hashedPasswordFile = lib.mkVMOverride null;
|
||||
hashedPassword = sopsPasswordOverride.hashedPassword;
|
||||
password = sopsPasswordOverride.password;
|
||||
};
|
||||
})
|
||||
(builtins.filter
|
||||
(
|
||||
name:
|
||||
let
|
||||
user = config.users.users.${name};
|
||||
in
|
||||
(
|
||||
(user.hashedPasswordFile != null) &&
|
||||
(lib.strings.hasPrefix "/run/secrets-for-users/" user.hashedPasswordFile)
|
||||
))
|
||||
(builtins.attrNames config.users.users)))));
|
||||
};
|
||||
}
|
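Review bot: The `config.users.users` definition at the bottom of the new module reads `sopsPasswordOverride` from `config.virtualisation.vmVariantWithBootLoader.users`, i.e. from the variant as seen by the enclosing configuration, so once the variant enables the override the plaintext `password` replaces the sops-backed `hashedPasswordFile` on the outer, non-VM system as well, not only inside the VM build — as far as I can tell the reverse of what the removed `vmVariantWithBootLoader // { users.users = ... }` block did. Since the module system evaluates this module again inside every `virtualisation.vm*` submodule, declaring `users.sopsPasswordOverride` once at the top level and reading `config.users.sopsPasswordOverride` confines the effect to whichever variant sets it (the other file's `users.sopsPasswordOverride = lib.mkIf overrideSops { ... }` then takes effect only there). The `vmVariant` copy of the option set is never read by anything in this commit, so nothing of it would be lost. A smaller point of style: `with { inherit (...) sopsPasswordOverride; };` is an unusual way to bind a single name; a `let ... in` is clearer and avoids a `with` scope.
```nix
{ config, lib, ... }: {
  # Declared at the top level on purpose: the module system evaluates this module again inside
  # each `virtualisation.vmVariant*` submodule, so a value set in a variant is visible only there.
  options.users.sopsPasswordOverride = {
    enable = lib.mkEnableOption "sops password override" // {
      default = false;
    };
    # … unchanged: password / hashedPassword options …
  };

  config = {
    users.users =
      let
        inherit (config.users) sopsPasswordOverride;
      in
      lib.mkIf sopsPasswordOverride.enable (
        # … unchanged: listToAttrs / map / filter on "/run/secrets-for-users/" …
      );
  };
}
```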