vars: support secrets for partitioning the disk

2024-12-22 15:46:41 +11:00
parent 8acb15612d
commit 0ec38c7919
13 changed files with 175 additions and 78 deletions
--- a/nixosModules/clanCore/vars/secret/password-store.nix
+++ b/nixosModules/clanCore/vars/secret/password-store.nix
@@ -42,6 +42,7 @@ let
  useSystemdActivation =
    (options.systemd ? sysusers && config.systemd.sysusers.enable)
    || (options.services ? userborn && config.services.userborn.enable);
+
  normalSecrets = lib.any (
    gen: lib.any (file: file.neededFor == "services") (lib.attrValues gen.files)
  ) (lib.attrValues config.clan.core.vars.generators);
@@ -75,7 +76,9 @@ in
                else if file.config.neededFor == "services" then
                  "/run/secrets/${file.config.generatorName}/${file.config.name}"
                else if file.config.neededFor == "activation" then
-                  "${config.clan.password-store.secretLocation}/${file.config.generatorName}/${file.config.name}"
+                  "${config.clan.password-store.secretLocation}/activation/${file.config.generatorName}/${file.config.name}"
+                else if file.config.neededFor == "partitioning" then
+                  "/run/partitioning-secrets/${file.config.generatorName}/${file.config.name}"
                else
                  throw "unknown neededFor ${file.config.neededFor}";

--- a/nixosModules/clanCore/vars/secret/sops/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/default.nix
@@ -25,8 +25,10 @@ in
    # Before we generate a secret we cannot know the path yet, so we need to set it to an empty string
    fileModule = file: {
      path = lib.mkIf file.config.secret (
-        if file.config.neededFor == "activation" then
-          "/var/lib/sops-nix/${file.config.generatorName}/${file.config.name}"
+        if file.config.neededFor == "partitioning" then
+          "/run/partitioning-secrets/${file.config.generatorName}/${file.config.name}"
+        else if file.config.neededFor == "activation" then
+          "/var/lib/sops-nix/activation/${file.config.generatorName}/${file.config.name}"
        else
          config.sops.secrets.${"vars/${file.config.generatorName}/${file.config.name}"}.path
            or "/no-such-path"
--- a/nixosModules/clanCore/vars/secret/sops/funcs.nix
+++ b/nixosModules/clanCore/vars/secret/sops/funcs.nix
@@ -17,7 +17,9 @@ in
    let
      relevantFiles =
        generator:
-        filterAttrs (_name: f: f.secret && f.deploy && (f.neededFor != "activation")) generator.files;
+        filterAttrs (
+          _name: f: f.secret && f.deploy && (f.neededFor == "users" || f.neededFor == "services")
+        ) generator.files;
      allFiles = flatten (
        mapAttrsToList (
          gen_name: generator:
--- a/nixosModules/clanCore/vars/secret/vm.nix
+++ b/nixosModules/clanCore/vars/secret/vm.nix
@@ -6,7 +6,11 @@
 {
  config.clan.core.vars.settings = lib.mkIf (config.clan.core.vars.settings.secretStore == "vm") {
    fileModule = file: {
-      path = "/etc/secrets/${file.config.generatorName}/${file.config.name}";
+      path =
+        if file.config.neededFor == "partitioning" then
+          "/run/partitioning-secrets/${file.config.generatorName}/${file.config.name}"
+        else
+          "/etc/secrets/${file.config.generatorName}/${file.config.name}";
    };
    secretModule = "clan_cli.vars.secret_modules.vm";
  };