Create a separate module for overriding sops passwords
This commit is contained in:
parent
354982cf37
commit
1a57b9d49b
2 changed files with 65 additions and 26 deletions
|
@ -78,10 +78,16 @@ in {
|
||||||
virtualisation =
|
virtualisation =
|
||||||
let
|
let
|
||||||
extendVMConfig =
|
extendVMConfig =
|
||||||
vmVariant: {
|
vmVariant: overrideSops: {
|
||||||
# Prevent GRUB2 errors in `nixos-rebuild build-vm-with-bootloader`
|
# Prevent GRUB2 errors in `nixos-rebuild build-vm-with-bootloader`
|
||||||
boot.loader.efi.efiSysMountPoint = lib.mkVMOverride "/boot";
|
boot.loader.efi.efiSysMountPoint = lib.mkVMOverride "/boot";
|
||||||
|
|
||||||
|
# Override passwords backed by `sops-nix`
|
||||||
|
users.sopsPasswordOverride = lib.mkIf overrideSops {
|
||||||
|
enable = true;
|
||||||
|
password = "admin";
|
||||||
|
};
|
||||||
|
|
||||||
virtualisation = {
|
virtualisation = {
|
||||||
# Enable root permissions to get access to the `/etc/ssh` directory
|
# Enable root permissions to get access to the `/etc/ssh` directory
|
||||||
runAsRoot = lib.mkIf vmVariant.virtualisation.sharedHostKeys true;
|
runAsRoot = lib.mkIf vmVariant.virtualisation.sharedHostKeys true;
|
||||||
|
@ -124,31 +130,7 @@ in {
|
||||||
;
|
;
|
||||||
in {
|
in {
|
||||||
vmVariant = extendVMConfig vmVariant;
|
vmVariant = extendVMConfig vmVariant;
|
||||||
vmVariantWithBootLoader =
|
vmVariantWithBootLoader = extendVMConfig vmVariantWithBootLoader;
|
||||||
(extendVMConfig vmVariantWithBootLoader) //
|
|
||||||
# Overwrite users with `hashedPasswordFile`s as `sops-nix` does not seem to work with `build-vm-with-bootloader`
|
|
||||||
{
|
|
||||||
users.users = builtins.listToAttrs (
|
|
||||||
builtins.map (
|
|
||||||
name: {
|
|
||||||
inherit name;
|
|
||||||
|
|
||||||
value = {
|
|
||||||
hashedPasswordFile = lib.mkVMOverride null;
|
|
||||||
password = lib.mkVMOverride "test";
|
|
||||||
};
|
|
||||||
})
|
|
||||||
(builtins.filter
|
|
||||||
(
|
|
||||||
name:
|
|
||||||
let
|
|
||||||
user = config.users.users.${name};
|
|
||||||
in
|
|
||||||
(
|
|
||||||
(user.hashedPasswordFile != null)
|
|
||||||
))
|
|
||||||
(builtins.attrNames config.users.users)));
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
system.build =
|
system.build =
|
||||||
|
|
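--- /dev/null
+++ b/lib/modules/custom-sops-nix.nix
@@ -0,0 +1,57 @@
+{ config, lib, ... }: {
+options =
+let
+vmVariantOptions = {
+users.sopsPasswordOverride = {
+enable = lib.mkEnableOption "sops password override" // {
+default = false;
+};
+
+password = lib.mkOption {
+type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
+default = null;
+};
+
+hashedPassword = lib.mkOption {
+type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
+default = null;
+};
+};
+};
+in {
+virtualisation = {
+vmVariant = vmVariantOptions;
+vmVariantWithBootLoader = vmVariantOptions;
+};
+};
+
+config = {
+users.users =
+with { inherit (config.virtualisation.vmVariantWithBootLoader.users) sopsPasswordOverride; };
+(lib.mkIf
+sopsPasswordOverride.enable
+(
+builtins.listToAttrs (
+builtins.map (
+name: {
+inherit name;
+
+value = {
+hashedPasswordFile = lib.mkVMOverride null;
+hashedPassword = sopsPasswordOverride.hashedPassword;
+password = sopsPasswordOverride.password;
+};
+})
+(builtins.filter
+(
+name:
+let
+user = config.users.users.${name};
+in
+(
+(user.hashedPasswordFile != null) &&
+(lib.strings.hasPrefix "/run/secrets-for-users/" user.hashedPasswordFile)
+))
+(builtins.attrNames config.users.users)))));
+};
+}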
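Review bot: The `users.users` definition in the `config` block (the line reading `users.users =` right after `config = {`) is made in the enclosing evaluation and is derived from that same evaluation's `config.users.users`, so once the variant's `sopsPasswordOverride.enable` is true the host configuration itself would have every sops-backed `hashedPasswordFile` replaced by the plaintext `password`, and reading `builtins.attrNames config.users.users` while defining `users.users` also looks like a module-system infinite recursion. The removed code avoided both by writing the derived users into the variant, and the same works here: change the target to `virtualisation.vmVariantWithBootLoader.users.users = …` (with a sibling definition against `config.virtualisation.vmVariant.users.sopsPasswordOverride` for `vmVariant`), so the override is computed from the host's user list but only lands in the VM closure. With `enable = true` and both `password` and `hashedPassword` left at their `null` defaults the filtered accounts lose their credential without a replacement; an assertion such as `assertion = cfg.enable -> (cfg.password != null) != (cfg.hashedPassword != null);` with a message naming the option would catch both the none-set and both-set cases. A header comment along the lines of `# Replaces sops-nix backed password hashes with a fixed credential; for nixos-rebuild build-vm* variants only, never for a deployed system.` would make the intended blast radius explicit. Separately, in the other file `extendVMConfig` now takes `vmVariant: overrideSops:` but both call sites still pass a single argument, so it is unclear how the boolean ever reaches `lib.mkIf overrideSops` — worth confirming before relying on the default of `false`.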