kiri/lux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2be33911a431ebb6c9b4e930b05564b299e2a6ba
lux/modules/secrets/sops.nix

86 lines
2.5 KiB
Nix
Raw Blame History

{ den, inputs, lib, ... }:
let
sopsReadersGroup = "sops-users";
in
{
den.ctx.host.includes = [
(den.lib.perHost (
{ host, ... }:
let
missingAdminUsers = lib.filter (userName: !(builtins.hasAttr userName host.users)) host.sopsAdminKeyUsers;
hasSharedAdminKey = host.sopsAdminKeyPath != null && host.sopsAdminKeyUsers != [ ];
adminKeyDir = if host.sopsAdminKeyPath == null then null else builtins.dirOf host.sopsAdminKeyPath;
in
{
nixos = {
imports = [ inputs.sops-nix.nixosModules.sops ];
sops = {
defaultSopsFile = ./secrets.yaml;
age =
if host.sopsHostSshKeyPath != null then
{
sshKeyPaths = [ host.sopsHostSshKeyPath ];
}
else
{
keyFile = host.sopsAdminKeyPath;
};
};
users.groups = lib.optionalAttrs hasSharedAdminKey {
${sopsReadersGroup} = { };
};
users.users = lib.genAttrs host.sopsAdminKeyUsers (_: {
extraGroups = [ sopsReadersGroup ];
});
systemd.tmpfiles.rules = lib.optionals hasSharedAdminKey [
"d ${adminKeyDir} 0750 root ${sopsReadersGroup} -"
"z ${host.sopsAdminKeyPath} 0640 root ${sopsReadersGroup} -"
];
assertions = [
{
assertion = host.sopsAdminKeyUsers == [ ] || host.sopsAdminKeyPath != null;
message = "Hosts with sopsAdminKeyUsers must set sopsAdminKeyPath.";
}
{
assertion = missingAdminUsers == [ ];
message =
"All sopsAdminKeyUsers must exist on the host. Missing: "
+ lib.concatStringsSep ", " missingAdminUsers;
}
];
};
}
))
];
den.ctx.user.includes = [
(den.lib.perUser (
{ host, user, ... }:
if builtins.elem user.userName host.sopsAdminKeyUsers then
{
homeManager =
{ pkgs, ... }:
{
imports = [ inputs.sops-nix.homeManagerModules.sops ];
sops = {
defaultSopsFile = ./secrets.yaml;
age.keyFile = host.sopsAdminKeyPath;
};
home.sessionVariables.SOPS_AGE_KEY_FILE = host.sopsAdminKeyPath;
home.packages = [ pkgs.sops ];
};
}
else
{ }
))
];
}
Reference in New Issue View Git Blame Copy Permalink