yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

vars password-store: add neededForUsers option

Browse Source
This commit is contained in:
lassulus
2024-12-03 22:28:39 +01:00
parent 9f5cd917de
commit e6eaa3cc03
5 changed files with 114 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
nixosModules/clanCore/vars/default.nix
View File

@@ -49,7 +49,12 @@ in
;
files = lib.flip lib.mapAttrs generator.files (
_name: file: {
inherit (file) name deploy secret;
inherit (file)
name
deploy
secret
neededForUsers
;
}
);
}

9
nixosModules/clanCore/vars/interface.nix
View File

@@ -196,6 +196,15 @@ in
'';
type = str;
};
neededForUsers = lib.mkOption {
description = ''
Enabling this option causes the secret to be decrypted/installed before users and groups are created.
This can be used to retrieve user's passwords.
Setting this option moves the secret to /run/secrets-for-users and disallows setting owner and group to anything else than root.
'';
type = bool;
default = false;
};
owner = lib.mkOption {
description = "The user name or id that will own the secret file.";
default = "root";

138
nixosModules/clanCore/vars/secret/password-store.nix
View File

@@ -17,26 +17,37 @@ let
set -efu -o pipefail
src=$1
mkdir -p /run/secrets.tmp /run/secrets
if mountpoint -q /run/secrets; then
mount -t tmpfs -o noswap -o private tmpfs /run/secrets.tmp
chmod 511 /run/secrets.tmp
mount --bind --make-private /run/secrets.tmp /run/secrets.tmp
mount --bind --make-private /run/secrets /run/secrets
tar -xf "$src" -C /run/secrets.tmp
move-mount --beneath --move /run/secrets.tmp /run/secrets >/dev/null
umount -R /run/secrets.tmp
rmdir /run/secrets.tmp
umount --lazy /run/secrets
target=$2
echo "installing secrets from $src to $target" >&2
mkdir -p "$target".tmp "$target"
if mountpoint -q "$target"; then
mount -t tmpfs -o noswap -o private tmpfs "$target".tmp
chmod 511 "$target".tmp
mount --bind --make-private "$target".tmp "$target".tmp
mount --bind --make-private "$target" "$target"
tar -xf "$src" -C "$target".tmp
move-mount --beneath --move "$target".tmp "$target" 2>/dev/null
umount -R "$target".tmp
rmdir "$target".tmp
umount --lazy "$target"
else
mount -t tmpfs -o noswap tmpfs /run/secrets
tar -xf "$src" -C /run/secrets
mount -t tmpfs -o noswap tmpfs "$target"
tar -xf "$src" -C "$target"
fi
'';
};
useSystemdActivation =
(options.systemd ? sysusers && config.systemd.sysusers.enable)
|| (options.services ? userborn && config.services.userborn.enable);
normalSecrets = lib.any (gen: lib.any (file: !file.neededForUsers) (lib.attrValues gen.files)) (
lib.attrValues config.clan.core.vars.generators
);
userSecrets = lib.any (gen: lib.any (file: file.neededForUsers) (lib.attrValues gen.files)) (
lib.attrValues config.clan.core.vars.generators
);
in
{
options.clan.vars.password-store = {
@@ -57,48 +68,75 @@ in
fileModule =
file:
lib.mkIf file.config.secret {
path = "/run/secrets/${file.config.generatorName}/${file.config.name}";
path =
if file.config.neededForUsers then
"/run/user-secrets/${file.config.generatorName}/${file.config.name}"
else
"/run/secrets/${file.config.generatorName}/${file.config.name}";
};
secretModule = "clan_cli.vars.secret_modules.password_store";
};
system.activationScripts.setupSecrets =
lib.mkIf
(
(config.clan.core.vars.settings.secretStore == "password-store")
&& (config.clan.core.vars.generators != { } && !useSystemdActivation)
)
(
lib.stringAfter
[
"specialfs"
"users"
"groups"
]
''
[ -e /run/current-system ] || echo setting up secrets...
${installSecretTarball}/bin/install-secret-tarball ${config.clan.vars.password-store.secretLocation}/secrets.tar.gz
''
// lib.optionalAttrs (config.system ? dryActivationScript) {
supportsDryActivation = true;
}
);
systemd.services.pass-install-secrets =
lib.mkIf
(
(config.clan.core.vars.settings.secretStore == "password-store")
&& (config.clan.core.vars.generators != { } && useSystemdActivation)
)
system.activationScripts =
lib.mkIf ((config.clan.core.vars.settings.secretStore == "password-store") && !useSystemdActivation)
{
wantedBy = [ "sysinit.target" ];
after = [ "systemd-sysusers.service" ];
unitConfig.DefaultDependencies = "no";
setupUserSecrets = lib.mkIf userSecrets (
lib.stringAfter
[
"specialfs"
]
''
[ -e /run/current-system ] || echo setting up secrets...
${installSecretTarball}/bin/install-secret-tarball ${config.clan.vars.password-store.secretLocation}/secrets_for_users.tar.gz /run/user-secrets
''
// lib.optionalAttrs (config.system ? dryActivationScript) {
supportsDryActivation = true;
}
);
users.deps = lib.mkIf userSecrets [ "setupUserSecrets" ];
setupSecrets = lib.mkIf normalSecrets (
lib.stringAfter
[
"specialfs"
"users"
"groups"
]
''
[ -e /run/current-system ] || echo setting up secrets...
${installSecretTarball}/bin/install-secret-tarball ${config.clan.vars.password-store.secretLocation}/secrets.tar.gz /run/secrets
''
// lib.optionalAttrs (config.system ? dryActivationScript) {
supportsDryActivation = true;
}
);
};
systemd.services =
lib.mkIf ((config.clan.core.vars.settings.secretStore == "password-store") && useSystemdActivation)
{
pass-install-user-secrets = lib.mkIf userSecrets {
wantedBy = [ "systemd-sysusers.service" ];
before = [ "systemd-sysusers.service" ];
unitConfig.DefaultDependencies = "no";
serviceConfig = {
Type = "oneshot";
ExecStart = [
"${installSecretTarball}/bin/install-secret-tarball ${config.clan.vars.password-store.secretLocation}/secrets.tar.gz"
];
RemainAfterExit = true;
serviceConfig = {
Type = "oneshot";
ExecStart = [
"${installSecretTarball}/bin/install-secret-tarball ${config.clan.vars.password-store.secretLocation}/secrets_for_users.tar.gz /run/user-secrets"
];
RemainAfterExit = true;
};
};
pass-install-secrets = lib.mkIf normalSecrets {
wantedBy = [ "sysinit.target" ];
after = [ "systemd-sysusers.service" ];
unitConfig.DefaultDependencies = "no";
serviceConfig = {
Type = "oneshot";
ExecStart = [
"${installSecretTarball}/bin/install-secret-tarball ${config.clan.vars.password-store.secretLocation}/secrets.tar.gz /run/secrets"
];
RemainAfterExit = true;
};
};
};
};