yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

vars: support secrets for partitioning the disk

Browse Source
This commit is contained in:
Michael Hoang
2024-12-22 15:46:41 +11:00
committed by clan-bot
parent 45cf6adc13
commit 7ee0e2afbf
13 changed files with 175 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
nixosModules/clanCore/vars/interface.nix
View File

@@ -207,11 +207,14 @@ in
description = ''
This option determines when the secret will be decrypted and deployed to the target machine.
By setting this to `partitioning`, the secret will be deployed prior to running `disko` allowing
you to manage filesystem encryption keys. These will only be deployed when installing the system.
By setting this to `activation`, the secret will be deployed prior to running `nixos-rebuild` or `nixos-install`.
By setting this to `user`, the secret will be deployed prior to users and groups are created, allowing
users' passwords to be managed by vars. The secret will be stored in `/run/secrets-for-users` and `owner` and `group` must be `root`.
'';
type = lib.types.enum [
"partitioning"
"activation"
"users"
"services"

5
nixosModules/clanCore/vars/secret/password-store.nix
View File

@@ -42,6 +42,7 @@ let
useSystemdActivation =
(options.systemd ? sysusers && config.systemd.sysusers.enable)
|| (options.services ? userborn && config.services.userborn.enable);
normalSecrets = lib.any (
gen: lib.any (file: file.neededFor == "services") (lib.attrValues gen.files)
) (lib.attrValues config.clan.core.vars.generators);
@@ -75,7 +76,9 @@ in
else if file.config.neededFor == "services" then
"/run/secrets/${file.config.generatorName}/${file.config.name}"
else if file.config.neededFor == "activation" then
"${config.clan.password-store.secretLocation}/${file.config.generatorName}/${file.config.name}"
"${config.clan.password-store.secretLocation}/activation/${file.config.generatorName}/${file.config.name}"
else if file.config.neededFor == "partitioning" then
"/run/partitioning-secrets/${file.config.generatorName}/${file.config.name}"
else
throw "unknown neededFor ${file.config.neededFor}";

6
nixosModules/clanCore/vars/secret/sops/default.nix
View File

@@ -25,8 +25,10 @@ in
# Before we generate a secret we cannot know the path yet, so we need to set it to an empty string
fileModule = file: {
path = lib.mkIf file.config.secret (
if file.config.neededFor == "activation" then
"/var/lib/sops-nix/${file.config.generatorName}/${file.config.name}"
if file.config.neededFor == "partitioning" then
"/run/partitioning-secrets/${file.config.generatorName}/${file.config.name}"
else if file.config.neededFor == "activation" then
"/var/lib/sops-nix/activation/${file.config.generatorName}/${file.config.name}"
else
config.sops.secrets.${"vars/${file.config.generatorName}/${file.config.name}"}.path
or "/no-such-path"

4
nixosModules/clanCore/vars/secret/sops/funcs.nix
View File

@@ -17,7 +17,9 @@ in
let
relevantFiles =
generator:
filterAttrs (_name: f: f.secret && f.deploy && (f.neededFor != "activation")) generator.files;
filterAttrs (
_name: f: f.secret && f.deploy && (f.neededFor == "users" || f.neededFor == "services")
) generator.files;
allFiles = flatten (
mapAttrsToList (
gen_name: generator:

6
nixosModules/clanCore/vars/secret/vm.nix
View File

@@ -6,7 +6,11 @@
{
config.clan.core.vars.settings = lib.mkIf (config.clan.core.vars.settings.secretStore == "vm") {
fileModule = file: {
path = "/etc/secrets/${file.config.generatorName}/${file.config.name}";
path =
if file.config.neededFor == "partitioning" then
"/run/partitioning-secrets/${file.config.generatorName}/${file.config.name}"
else
"/etc/secrets/${file.config.generatorName}/${file.config.name}";
};
secretModule = "clan_cli.vars.secret_modules.vm";
};