From 1a57b9d49bca3e849167eb84bab9ae248391639e Mon Sep 17 00:00:00 2001
From: Manuel Thalmann
Date: Thu, 2 May 2024 13:02:52 +0200
Subject: [PATCH] Create a separate module for overriding sops passwords

---
 lib/modules/custom-build-vm.nix | 34 +++++--------------
 lib/modules/custom-sops-nix.nix | 57 +++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 26 deletions(-)
 create mode 100644 lib/modules/custom-sops-nix.nix

diff --git a/lib/modules/custom-build-vm.nix b/lib/modules/custom-build-vm.nix
index 12f2e16..47f4fe9 100644
--- a/lib/modules/custom-build-vm.nix
+++ b/lib/modules/custom-build-vm.nix
@@ -78,10 +78,16 @@ in {
   virtualisation =
     let
       extendVMConfig =
-        vmVariant: {
+        vmVariant: overrideSops: {
           # Prevent GRUB2 errors in `nixos-rebuild build-vm-with-bootloader`
           boot.loader.efi.efiSysMountPoint = lib.mkVMOverride "/boot";
 
+          # Override passwords backed by `sops-nix`
+          users.sopsPasswordOverride = lib.mkIf overrideSops {
+            enable = true;
+            password = "admin";
+          };
+
           virtualisation = {
             # Enable root permissions to get access to the `/etc/ssh` directory
             runAsRoot = lib.mkIf vmVariant.virtualisation.sharedHostKeys true;
@@ -124,31 +130,7 @@ in {
         ;
     in {
       vmVariant = extendVMConfig vmVariant;
-      vmVariantWithBootLoader =
-        (extendVMConfig vmVariantWithBootLoader) //
-        # Overwrite users with `hashedPasswordFile`s as `sops-nix` does not seem to work with `build-vm-with-bootloader`
-        {
-          users.users = builtins.listToAttrs (
-            builtins.map (
-              name: {
-                inherit name;
-
-                value = {
-                  hashedPasswordFile = lib.mkVMOverride null;
-                  password = lib.mkVMOverride "test";
-                };
-              })
-              (builtins.filter
-                (
-                  name:
-                  let
-                    user = config.users.users.${name};
-                  in
-                  (
-                    (user.hashedPasswordFile != null)
-                  ))
-                (builtins.attrNames config.users.users)));
-        };
+      vmVariantWithBootLoader = extendVMConfig vmVariantWithBootLoader;
     };
 
   system.build =
diff --git a/lib/modules/custom-sops-nix.nix b/lib/modules/custom-sops-nix.nix
new file mode 100644
index 0000000..80faa36
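Review bot: `vmVariant = extendVMConfig vmVariant;` and the new `vmVariantWithBootLoader = extendVMConfig vmVariantWithBootLoader;` in the second hunk still pass a single argument, although the first hunk changes `extendVMConfig` to `vmVariant: overrideSops: { ... }`, so each assignment now yields a partially applied function instead of the intended attribute set and `overrideSops` is never bound to a boolean. Given the commit's intent that only the boot-loader variant overrides sops-backed passwords, the call sites should read `vmVariant = extendVMConfig vmVariant false;` and `vmVariantWithBootLoader = extendVMConfig vmVariantWithBootLoader true;`. Whether the module system tolerates the leftover function as a module definition is not visible here, but `lib.mkIf overrideSops` would then receive whatever that function is called with rather than `true`/`false`. The enclosing `virtualisation` attribute set begins before the first hunk and ends after the second.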
--- /dev/null
+++ b/lib/modules/custom-sops-nix.nix
@@ -0,0 +1,57 @@
+{ config, lib, ... }: {
+  options =
+    let
+      vmVariantOptions = {
+        users.sopsPasswordOverride = {
+          enable = lib.mkEnableOption "sops password override" // {
+            default = false;
+          };
+
+          password = lib.mkOption {
+            type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
+            default = null;
+          };
+
+          hashedPassword = lib.mkOption {
+            type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
+            default = null;
+          };
+        };
+      };
+    in {
+      virtualisation = {
+        vmVariant = vmVariantOptions;
+        vmVariantWithBootLoader = vmVariantOptions;
+      };
+    };
+
+  config = {
+    users.users =
+      with { inherit (config.virtualisation.vmVariantWithBootLoader.users) sopsPasswordOverride; };
+      (lib.mkIf
+        sopsPasswordOverride.enable
+        (
+          builtins.listToAttrs (
+            builtins.map (
+              name: {
+                inherit name;
+
+                value = {
+                  hashedPasswordFile = lib.mkVMOverride null;
+                  hashedPassword = sopsPasswordOverride.hashedPassword;
+                  password = sopsPasswordOverride.password;
+                };
+              })
+              (builtins.filter
+                (
+                  name:
+                  let
+                    user = config.users.users.${name};
+                  in
+                  (
+                    (user.hashedPasswordFile != null) &&
+                    (lib.strings.hasPrefix "/run/secrets-for-users/" user.hashedPasswordFile)
+                  ))
+                (builtins.attrNames config.users.users)))));
+  };
+}
\ No newline at end of file
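Review bot: The `users.users` definition in the `config` block filters over `builtins.attrNames config.users.users` at the same module level it is defining, so once `sopsPasswordOverride.enable` is true the merged attribute names of `users.users` depend on this very definition; that looks like an infinite recursion, unlike the removed code in custom-build-vm.nix, which read the host's `config.users.users` from inside `virtualisation.vmVariantWithBootLoader`. The condition also reads `config.virtualisation.vmVariantWithBootLoader.users.sopsPasswordOverride`, so the override applies wherever this module is imported rather than only inside the boot-loader VM variant; if it is imported into the host configuration (not visible in this patch), `hashedPasswordFile = lib.mkVMOverride null` (priority 10, which outranks `lib.mkForce`) together with the plaintext `password` would reach the real system's users, and the `vmVariant.users.sopsPasswordOverride` option is declared but never read. I would move the override back under `virtualisation.vmVariantWithBootLoader.users.users`, keep iterating over the host's users, and add a comment such as `# VM builds only: mkVMOverride outranks mkForce, so this must never apply to the host config`. The rewrite below keeps the `/run/secrets-for-users/` filter and the option reads unchanged.
```nix
  config = {
    virtualisation.vmVariantWithBootLoader.users.users =
      let
        inherit (config.virtualisation.vmVariantWithBootLoader.users) sopsPasswordOverride;
        # Host-level users: reading them here does not feed back into the value being defined.
        sopsUsers = builtins.filter
          (name:
            let user = config.users.users.${name};
            in (user.hashedPasswordFile != null) &&
               (lib.strings.hasPrefix "/run/secrets-for-users/" user.hashedPasswordFile))
          (builtins.attrNames config.users.users);
      in
      # VM builds only: mkVMOverride outranks mkForce, so this must never apply to the host config
      lib.mkIf sopsPasswordOverride.enable (
        lib.genAttrs sopsUsers (name: {
          hashedPasswordFile = lib.mkVMOverride null;
          hashedPassword = sopsPasswordOverride.hashedPassword;
          password = sopsPasswordOverride.password;
        }));
  };
```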