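{ config, lib, ... }:
# Test-VM convenience for `sops-nix` users.
#
# `nixos-rebuild build-vm` / `build-vm-with-bootloader` have no access to the
# decrypted sops secrets, so users whose password hash is delivered through
# `users.users.<name>.hashedPasswordFile = /run/secrets-for-users/...` would be
# impossible to log in as inside the VM.  This module lets each VM variant swap
# those secret-backed passwords for a known plain or hashed password.  It only
# ever touches `virtualisation.vmVariant` / `vmVariantWithBootLoader`; the real
# system configuration is left alone.
#
# SECURITY: the resulting VM image is protected by a well-known password
# ("admin" by default for the bootloader variant) for every sops-backed user,
# possibly including wheel/sudo users.  Treat such images as throwaway test
# artifacts: do not expose them on a network and do not reuse their disk image.
# As with `users.users.<name>.password`, a plain `password` ends up in the Nix
# store of the VM in clear text.
{
  options =
    let
      # Options attached to each VM variant.  Declaring them underneath
      # `virtualisation.vmVariant*` (submodule-typed options declared by nixpkgs)
      # relies on the module system merging raw option declarations into
      # submodule options.
      vmVariantOptions = {
        users.sopsPasswordOverride = {
          enable = lib.mkEnableOption "sops password override" // {
            default = false;
            description = "Enable overwriting `sops-nix` passwords with default password.";
          };

          password = lib.mkOption {
            type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
            default = null;
            description = ''
              The password to set for users which are supposed to use `sops-nix`.
              Ignored when `hashedPassword` is set.  Stored in clear text in the
              Nix store of the VM, so only use a throwaway value.
            '';
          };

          hashedPassword = lib.mkOption {
            type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
            default = null;
            description = ''
              The hashed password to set for users which are supposed to use `sops-nix`.
              Takes precedence over `password`.
            '';
          };
        };
      };
    in
    {
      virtualisation = {
        vmVariant = vmVariantOptions;
        vmVariantWithBootLoader = vmVariantOptions;
      };
    };

  config = {
    virtualisation =
      let
        # Names of the users whose password hash comes from sops-nix, i.e. whose
        # `hashedPasswordFile` points into the `/run/secrets-for-users/` tree.
        # Deliberately read from the outer `config` rather than the variant, so
        # the variant's own `users.users` definitions are not part of the fixpoint
        # (a user that exists only inside a variant is therefore not covered).
        sopsBackedUsers = builtins.filter (
          name:
          let
            file = config.users.users.${name}.hashedPasswordFile;
          in
          file != null && lib.strings.hasPrefix "/run/secrets-for-users/" file
        ) (builtins.attrNames config.users.users);

        # Build the extra module merged into one VM variant.
        #   vmVariant    - the variant's evaluated config (source of the override options)
        #   overrideSops - whether the override is switched on by default for that variant
        extendVMConfig =
          vmVariant: overrideSops:
          let
            inherit (vmVariant.users) sopsPasswordOverride;

            # Password definitions pushed onto every sops-backed user.
            # `mkVMOverride` (priority 10) beats even `mkForce`, so the
            # sops-provided `hashedPasswordFile` is cleared regardless of how
            # the base configuration defined it.  If neither `password` nor
            # `hashedPassword` is given, the users are left without any
            # password source at all (presumably a locked account — verify
            # before relying on it).
            overridePasswords = {
              hashedPasswordFile = lib.mkVMOverride null;
              hashedPassword = lib.mkVMOverride sopsPasswordOverride.hashedPassword;
              # Only one of `password`/`hashedPassword` may reach NixOS;
              # otherwise it reports the user as having several password
              # sources.  A configured hash wins, and the plain password
              # (which defaults to "admin" in the bootloader variant) is
              # dropped instead of being applied alongside it.
              password = lib.mkVMOverride (
                if sopsPasswordOverride.hashedPassword != null then null else sopsPasswordOverride.password
              );
            };
          in
          {
            # Override passwords backed by `sops-nix` as `nixos-rebuild build-vm-with-bootloader`
            # does not seem to play along well with `sops-nix`
            users.sopsPasswordOverride = lib.mkIf overrideSops {
              enable = lib.mkDefault overrideSops;
              password = lib.mkDefault "admin";
            };

            users.users = lib.mkIf sopsPasswordOverride.enable (
              lib.genAttrs sopsBackedUsers (_: overridePasswords)
            );
          };

        inherit (config.virtualisation) vmVariant vmVariantWithBootLoader;
      in
      {
        vmVariant = extendVMConfig vmVariant false;
        vmVariantWithBootLoader = extendVMConfig vmVariantWithBootLoader true;
      };
  };
}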