password-store owner & group support

2024-11-14 23:42:15 +01:00
parent d9b1c59382
commit 8e1697a089
4 changed files with 143 additions and 35 deletions
--- a/nixosModules/clanCore/vars/interface.nix
+++ b/nixosModules/clanCore/vars/interface.nix
@@ -68,14 +68,24 @@ in
                submodule (file: {
                  imports = [
                    config.settings.fileModule
-                    (lib.mkRenamedOptionModule [ "owner" ] [
-                      "sops"
-                      "owner"
-                    ])
-                    (lib.mkRenamedOptionModule [ "group" ] [
-                      "sops"
-                      "group"
-                    ])
+                    (lib.mkRenamedOptionModule
+                      [
+                        "sops"
+                        "owner"
+                      ]
+                      [
+                        "owner"
+                      ]
+                    )
+                    (lib.mkRenamedOptionModule
+                      [
+                        "sops"
+                        "group"
+                      ]
+                      [
+                        "group"
+                      ]
+                    )
                  ];
                  options = {
                    name = lib.mkOption {
@@ -129,15 +139,13 @@ in
                      type = str;
                    };

-                    sops = {
-                      owner = lib.mkOption {
-                        description = "The user name or id that will own the secret file. This option is currently only implemented for sops";
-                        default = "root";
-                      };
-                      group = lib.mkOption {
-                        description = "The group name or id that will own the secret file. This option is currently only implemented for sops";
-                        default = "root";
-                      };
+                    owner = lib.mkOption {
+                      description = "The user name or id that will own the secret file.";
+                      default = "root";
+                    };
+                    group = lib.mkOption {
+                      description = "The group name or id that will own the secret file.";
+                      default = "root";
                    };

                    value =
--- a/nixosModules/clanCore/vars/secret/password-store.nix
+++ b/nixosModules/clanCore/vars/secret/password-store.nix
@@ -1,12 +1,94 @@
-{ config, lib, ... }:
 {
-  config.clan.core.vars.settings =
-    lib.mkIf (config.clan.core.vars.settings.secretStore == "password-store")
-      {
-        fileModule = file: {
-          path = lib.mkIf file.config.secret "${config.clan.core.vars.settings.secretUploadDirectory}/vars/${file.config.generatorName}/${file.config.name}";
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  installSecretTarball = pkgs.writeShellApplication {
+    name = "install-secret-tarball";
+    runtimeInputs = [
+      pkgs.gnutar
+      pkgs.gzip
+      pkgs.move-mount-beneath
+    ];
+    text = ''
+      set -efu -o pipefail
+
+      src=$1
+      mkdir -p /run/secrets.tmp /run/secrets
+      if mountpoint -q /run/secrets; then
+        mount -t tmpfs -o noswap -o private tmpfs /run/secrets.tmp
+        chmod 511 /run/secrets.tmp
+        mount --bind --make-private /run/secrets.tmp /run/secrets.tmp
+        mount --bind --make-private /run/secrets /run/secrets
+        tar -xf "$src" -C /run/secrets.tmp
+        move-mount --beneath --move /run/secrets.tmp /run/secrets
+        umount -R /run/secrets.tmp
+        rmdir /run/secrets.tmp
+        umount --lazy /run/secrets
+      else
+        mount -t tmpfs -o noswap tmpfs /run/secrets
+        tar -xf "$src" -C /run/secrets
+      fi
+    '';
+  };
+  useSystemdActivation =
+    (options.systemd ? sysusers && config.systemd.sysusers.enable)
+    || (options.services ? userborn && config.services.userborn.enable);
+in
+{
+  config = {
+    clan.core.vars.settings =
+      lib.mkIf (config.clan.core.vars.settings.secretStore == "password-store")
+        {
+          fileModule = file: {
+            path = "/run/secrets/vars/${file.config.generatorName}/${file.config.name}";
+          };
+          secretUploadDirectory = lib.mkDefault "/etc/secrets";
+          secretModule = "clan_cli.vars.secret_modules.password_store";
        };
-        secretUploadDirectory = lib.mkDefault "/etc/secrets";
-        secretModule = "clan_cli.vars.secret_modules.password_store";
-      };
+    system.activationScripts.setupSecrets =
+      lib.mkIf
+        (
+          (config.clan.core.vars.settings.secretStore == "password-store")
+          && (config.clan.core.vars.generators != { } && !useSystemdActivation)
+        )
+        (
+          lib.stringAfter
+            [
+              "specialfs"
+              "users"
+              "groups"
+            ]
+            ''
+              [ -e /run/current-system ] || echo setting up secrets...
+              ${installSecretTarball}/bin/install-secret-tarball ${config.clan.core.vars.settings.secretUploadDirectory}/secrets.tar.gz
+            ''
+          // lib.optionalAttrs (config.system ? dryActivationScript) {
+            supportsDryActivation = true;
+          }
+        );
+    systemd.services.sops-install-secrets =
+      lib.mkIf
+        (
+          (config.clan.core.vars.settings.secretStore == "password-store")
+          && (config.clan.core.vars.generators != { } && useSystemdActivation)
+        )
+        {
+          wantedBy = [ "sysinit.target" ];
+          after = [ "systemd-sysusers.service" ];
+          unitConfig.DefaultDependencies = "no";
+
+          serviceConfig = {
+            Type = "oneshot";
+            ExecStart = [
+              "${installSecretTarball}/bin/install-secret-tarball ${config.clan.core.vars.settings.secretUploadDirectory}/secrets.tar.gz"
+            ];
+            RemainAfterExit = true;
+          };
+        };
+  };
+
 }