Modules/Sops: Allow setting secrets with "neededForUsers = true;"

2025-07-09 18:41:03 +02:00
parent 507ac0f8bd
commit a499bbb814
2 changed files with 38 additions and 5 deletions
--- a/system/modules/sops-nix/default.nix
+++ b/system/modules/sops-nix/default.nix
@ -14,7 +14,7 @@ in {
    environment.systemPackages = with pkgs; [
      sops
      age
-      ssh-to-age
+      # ssh-to-age
    ];

    environment.variables = {
@ -32,11 +32,33 @@ in {
      };

      secrets = let
-        mkSecret = name: {${name} = {};};
+        mkSecret = name: {
+          ${name} = {
+            owner = config.users.users.${username}.name;
+            group = config.users.users.${username}.group;
+          };
+        };
+
+        mkBootSecret = name: {
+          ${name} = {
+            # Make these secrets available before creating users.
+            # This means we can't set the owner or group.
+            neededForUsers = true;
+          };
+        };
      in
-        if (builtins.hasAttr "${username}" sops-nix.secrets)
-        then lib.mergeAttrsList (builtins.map mkSecret sops-nix.secrets.${username})
-        else {};
+        lib.mkMerge [
+          (
+            if (builtins.hasAttr "${username}" sops-nix.secrets)
+            then lib.mergeAttrsList (builtins.map mkSecret sops-nix.secrets.${username})
+            else {}
+          )
+          (
+            if (builtins.hasAttr "${username}" sops-nix.bootSecrets)
+            then lib.mergeAttrsList (builtins.map mkBootSecret sops-nix.bootSecrets.${username})
+            else {}
+          )
+        ];
    };
  };
 }