christoph/flake-nixinator
1
Fork 0
Code Activity

Modules/Sops: Allow setting secrets with "neededForUsers = true;"

Browse Source
This commit is contained in:
Christoph Urlacher
2025-07-09 18:41:03 +02:00
parent 507ac0f8bd
commit a499bbb814
2 changed files with 38 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
system/modules/sops-nix/default.nix
View File

@ -14,7 +14,7 @@ in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
sops sops
age age
ssh-to-age # ssh-to-age
]; ];
environment.variables = { environment.variables = {
@ -32,11 +32,33 @@ in {
}; };
secrets = let secrets = let
mkSecret = name: {${name} = {};}; mkSecret = name: {
${name} = {
owner = config.users.users.${username}.name;
group = config.users.users.${username}.group;
};
};
mkBootSecret = name: {
${name} = {
# Make these secrets available before creating users.
# This means we can't set the owner or group.
neededForUsers = true;
};
};
in in
lib.mkMerge [
(
if (builtins.hasAttr "${username}" sops-nix.secrets) if (builtins.hasAttr "${username}" sops-nix.secrets)
then lib.mergeAttrsList (builtins.map mkSecret sops-nix.secrets.${username}) then lib.mergeAttrsList (builtins.map mkSecret sops-nix.secrets.${username})
else {}; else {}
)
(
if (builtins.hasAttr "${username}" sops-nix.bootSecrets)
then lib.mergeAttrsList (builtins.map mkBootSecret sops-nix.bootSecrets.${username})
else {}
)
];
}; };
}; };
} }

11
system/modules/sops-nix/options.nix
View File

@ -13,4 +13,15 @@
''; '';
default = []; default = [];
}; };
bootSecrets = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.str);
description = "The secrets to expose on this host earlier in the boot process";
example = ''
christoph = [
"user-password"
];
'';
default = [];
};
} }