manuth/NixOSConfig
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Create a separate module for overriding sops passwords

Browse source
This commit is contained in:
Manuel Thalmann 2024-05-02 13:02:52 +02:00
parent 354982cf37
commit 1a57b9d49b
2 changed files with 65 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
lib/modules/custom-build-vm.nix
View file

@ -78,10 +78,16 @@ in {
virtualisation = virtualisation =
let let
extendVMConfig = extendVMConfig =
vmVariant: { vmVariant: overrideSops: {
# Prevent GRUB2 errors in `nixos-rebuild build-vm-with-bootloader` # Prevent GRUB2 errors in `nixos-rebuild build-vm-with-bootloader`
boot.loader.efi.efiSysMountPoint = lib.mkVMOverride "/boot"; boot.loader.efi.efiSysMountPoint = lib.mkVMOverride "/boot";
# Override passwords backed by `sops-nix`
users.sopsPasswordOverride = lib.mkIf overrideSops {
enable = true;
password = "admin";
};
virtualisation = { virtualisation = {
# Enable root permissions to get access to the `/etc/ssh` directory # Enable root permissions to get access to the `/etc/ssh` directory
runAsRoot = lib.mkIf vmVariant.virtualisation.sharedHostKeys true; runAsRoot = lib.mkIf vmVariant.virtualisation.sharedHostKeys true;
@ -124,31 +130,7 @@ in {
; ;
in { in {
vmVariant = extendVMConfig vmVariant; vmVariant = extendVMConfig vmVariant;
vmVariantWithBootLoader = vmVariantWithBootLoader = extendVMConfig vmVariantWithBootLoader;
(extendVMConfig vmVariantWithBootLoader) //
# Overwrite users with `hashedPasswordFile`s as `sops-nix` does not seem to work with `build-vm-with-bootloader`
{
users.users = builtins.listToAttrs (
builtins.map (
name: {
inherit name;
value = {
hashedPasswordFile = lib.mkVMOverride null;
password = lib.mkVMOverride "test";
};
})
(builtins.filter
(
name:
let
user = config.users.users.${name};
in
(
(user.hashedPasswordFile != null)
))
(builtins.attrNames config.users.users)));
};
}; };
system.build = system.build =

57
lib/modules/custom-sops-nix.nix Normal file
View file

@ -0,0 +1,57 @@
{ config, lib, ... }: {
options =
let
vmVariantOptions = {
users.sopsPasswordOverride = {
enable = lib.mkEnableOption "sops password override" // {
default = false;
};
password = lib.mkOption {
type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
default = null;
};
hashedPassword = lib.mkOption {
type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
default = null;
};
};
};
in {
virtualisation = {
vmVariant = vmVariantOptions;
vmVariantWithBootLoader = vmVariantOptions;
};
};
config = {
users.users =
with { inherit (config.virtualisation.vmVariantWithBootLoader.users) sopsPasswordOverride; };
(lib.mkIf
sopsPasswordOverride.enable
(
builtins.listToAttrs (
builtins.map (
name: {
inherit name;
value = {
hashedPasswordFile = lib.mkVMOverride null;
hashedPassword = sopsPasswordOverride.hashedPassword;
password = sopsPasswordOverride.password;
};
})
(builtins.filter
(
name:
let
user = config.users.users.${name};
in
(
(user.hashedPasswordFile != null) &&
(lib.strings.hasPrefix "/run/secrets-for-users/" user.hashedPasswordFile)
))
(builtins.attrNames config.users.users)))));
};
}