vars: allow setting files as needed for activation
@@ -55,7 +55,7 @@ in
|
||||
mode
|
||||
deploy
|
||||
secret
|
||||
neededForUsers
|
||||
neededFor
|
||||
;
|
||||
}
|
||||
);
|
||||
|
||||
@@ -196,14 +196,18 @@ in
|
||||
'';
|
||||
type = str;
|
||||
};
|
||||
neededForUsers = lib.mkOption {
|
||||
neededFor = lib.mkOption {
|
||||
description = ''
|
||||
Enabling this option causes the secret to be decrypted/installed before users and groups are created.
|
||||
This can be used to retrieve user's passwords.
|
||||
Setting this option moves the secret to /run/secrets-for-users and disallows setting owner and group to anything else than root.
|
||||
'';
|
||||
type = bool;
|
||||
default = false;
|
||||
type = lib.types.enum [
|
||||
"activation"
|
||||
"users"
|
||||
"services"
|
||||
];
|
||||
default = "services";
|
||||
};
|
||||
owner = lib.mkOption {
|
||||
description = "The user name or id that will own the file.";
|
||||
|
||||
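Review bot: The description of the new `neededFor` option (the `''…''` block directly after `neededFor = lib.mkOption {`) still describes the old boolean: "Enabling this option …" and "Setting this option moves the secret to /run/secrets-for-users" no longer fit an enum of `"activation"`, `"users"` and `"services"` with default `"services"`. The text should say what each value means; from the other hunks, `"users"` installs the secret before users and groups are created, `"services"` is the default runtime location under /run/secrets, and `"activation"` appears to make the file available already during system activation from the backend's secret store rather than from /run. Whether the root-only owner/group restriction still applies to `"users"`, and whether it applies to `"activation"`, is not visible in this diff and should be stated either way. A possible opening sentence: `Controls at which stage of boot the secret must be available and therefore where it is installed.`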
@@ -69,10 +69,15 @@ in
|
||||
file:
|
||||
lib.mkIf file.config.secret {
|
||||
path =
|
||||
if file.config.neededForUsers then
|
||||
if file.config.neededFor == "users" then
|
||||
"/run/user-secrets/${file.config.generatorName}/${file.config.name}"
|
||||
else if file.config.neededFor == "services" then
|
||||
"/run/secrets/${file.config.generatorName}/${file.config.name}"
|
||||
else if file.config.neededFor == "activation" then
|
||||
"${config.clan.password-store.secretLocation}/${file.config.generatorName}/${file.config.name}"
|
||||
else
|
||||
"/run/secrets/${file.config.generatorName}/${file.config.name}";
|
||||
throw "unknown neededFor ${file.config.neededFor}";
|
||||
|
||||
};
|
||||
secretModule = "clan_cli.vars.secret_modules.password_store";
|
||||
};
|
||||
|
||||
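Review bot: The `"activation"` branch of `path` resolves to `${config.clan.password-store.secretLocation}/…`, which unlike `/run/secrets` and `/run/user-secrets` is presumably not a tmpfs, so the decrypted secret stays on disk across boots and its confidentiality rests entirely on the permissions of that directory, which nothing in this hunk sets or asserts. If that is intended, a comment should say so, e.g. `# "activation" files are read straight from the persistent secret store and are not installed into /run; the store's permissions protect them`, and an assertion that `owner`/`group` are root for such files would match the restriction the old `neededForUsers` option documented. The final `else throw "unknown neededFor …"` is unreachable now that the option type is an enum, which is fine as a guard but worth a one-word comment. The `fileModule` attribute this lambda is assigned to begins before the hunk.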
@@ -27,8 +27,11 @@ in
|
||||
# Before we generate a secret we cannot know the path yet, so we need to set it to an empty string
|
||||
fileModule = file: {
|
||||
path = lib.mkIf file.config.secret (
|
||||
config.sops.secrets.${"vars/${file.config.generatorName}/${file.config.name}"}.path
|
||||
or "/no-such-path"
|
||||
if file.config.neededFor == "activation" then
|
||||
"/var/lib/sops-nix/${file.config.generatorName}/${file.config.name}"
|
||||
else
|
||||
config.sops.secrets.${"vars/${file.config.generatorName}/${file.config.name}"}.path
|
||||
or "/no-such-path"
|
||||
);
|
||||
};
|
||||
secretModule = "clan_cli.vars.secret_modules.sops";
|
||||
|
||||
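Review bot: `"/var/lib/sops-nix/${file.config.generatorName}/${file.config.name}"` hard-codes the activation location, while the password-store backend reads its equivalent from `config.clan.password-store.secretLocation`; if sops-nix exposes the directory as an option it should be referenced, otherwise the literal needs a comment naming which step is expected to place decrypted files there, since it is not visible in this diff. The comment above `fileModule` about setting the path to an empty string predates this change and now describes neither branch; it should be updated in the same commit. Like the password-store case, this path is on persistent storage rather than /run, so the directory's permissions are what protect secrets marked `"activation"`. The enclosing attribute set continues past the hunk.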
@@ -16,7 +16,9 @@ in
|
||||
collectFiles =
|
||||
vars:
|
||||
let
|
||||
relevantFiles = generator: flip filterAttrs generator.files (_name: f: f.secret && f.deploy);
|
||||
relevantFiles =
|
||||
generator:
|
||||
flip filterAttrs generator.files (_name: f: f.secret && f.deploy && (f.neededFor != "activation"));
|
||||
allFiles = flatten (
|
||||
flip mapAttrsToList vars.generators (
|
||||
gen_name: generator:
|
||||
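Review bot: Adding `f.neededFor != "activation"` to `relevantFiles` silently takes activation secrets out of the set that is installed at boot, and nothing here says where they are provisioned instead; a comment such as `# "activation" files are not installed at boot; they are expected to already exist at the backend's secret location` (or whatever the actual mechanism is) would stop the next reader from assuming they are deployed like the others. The literal `"activation"` is now compared in three places (here and in the sops and password-store `fileModule`s), so a shared constant or helper predicate would keep them from drifting. The `let` opened here continues in the next hunk and beyond.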
@@ -24,8 +26,9 @@ in
|
||||
fname: file: {
|
||||
name = fname;
|
||||
generator = gen_name;
|
||||
neededForUsers = file.neededFor == "users";
|
||||
inherit (generator) share;
|
||||
inherit (file) owner group neededForUsers;
|
||||
inherit (file) owner group;
|
||||
}
|
||||
)
|
||||
)
|
||||
|
||||