82 lines
2.2 KiB
Nix
82 lines
2.2 KiB
Nix
{ den, inputs, lib, ... }:
|
|
let
|
|
sopsReadersGroup = "sops-users";
|
|
in
|
|
{
|
|
den.ctx.host.includes = [
|
|
(den.lib.perHost (
|
|
{ host, ... }:
|
|
let
|
|
missingAdminUsers = lib.filter (userName: !(builtins.hasAttr userName host.users)) host.sopsAdminKeyUsers;
|
|
adminKeyDir = if host.sopsAdminKeyPath == null then null else builtins.dirOf host.sopsAdminKeyPath;
|
|
in
|
|
{
|
|
nixos = {
|
|
imports = [ inputs.sops-nix.nixosModules.sops ];
|
|
|
|
sops = {
|
|
defaultSopsFile = ./secrets.yaml;
|
|
age =
|
|
if host.sopsHostSshKeyPath != null then
|
|
{
|
|
sshKeyPaths = [ host.sopsHostSshKeyPath ];
|
|
}
|
|
else
|
|
{
|
|
keyFile = host.sopsAdminKeyPath;
|
|
};
|
|
};
|
|
|
|
users.groups = lib.optionalAttrs (host.sopsAdminKeyUsers != [ ]) {
|
|
${sopsReadersGroup} = { };
|
|
};
|
|
|
|
users.users = lib.genAttrs host.sopsAdminKeyUsers (_: {
|
|
extraGroups = [ sopsReadersGroup ];
|
|
});
|
|
|
|
systemd.tmpfiles.rules = lib.optionals (adminKeyDir != null) [
|
|
"d ${adminKeyDir} 0750 root ${sopsReadersGroup} -"
|
|
];
|
|
|
|
assertions = [
|
|
{
|
|
assertion = host.sopsAdminKeyUsers == [ ] || host.sopsAdminKeyPath != null;
|
|
message = "Hosts with sopsAdminKeyUsers must set sopsAdminKeyPath.";
|
|
}
|
|
{
|
|
assertion = missingAdminUsers == [ ];
|
|
message =
|
|
"All sopsAdminKeyUsers must exist on the host. Missing: "
|
|
+ lib.concatStringsSep ", " missingAdminUsers;
|
|
}
|
|
];
|
|
};
|
|
}
|
|
))
|
|
];
|
|
|
|
den.ctx.user.includes = [
|
|
(den.lib.perUser (
|
|
{ host, user, ... }:
|
|
if builtins.elem user.userName host.sopsAdminKeyUsers then
|
|
{
|
|
homeManager =
|
|
{ pkgs, ... }:
|
|
{
|
|
imports = [ inputs.sops-nix.homeManagerModules.sops ];
|
|
|
|
sops = {
|
|
defaultSopsFile = ./secrets.yaml;
|
|
age.keyFile = host.sopsAdminKeyPath;
|
|
};
|
|
|
|
home.packages = [ pkgs.sops ];
|
|
};
|
|
}
|
|
else
|
|
{ }
|
|
))
|
|
];
|
|
}
|