feature: use uid 0 and gid 0 as default owner and group (consider them root)
This assumes that the root user is always uid 0 and gid 0, which I believe is a safe assumption. The reason to add this is because when a declarative VM (for example, a NixOS test) or image boots the first time, the installRootOwnedSecrets activation script runs BEFORE the "users" and "groups" activation scripts, so the user and group for root is not created. Using uid 0 and gid 0 gets around the root user not being set up yet.
This commit is contained in:
parent
ecee2c76b9
commit
6aec6889ba
1 changed files with 7 additions and 4 deletions
@ -25,10 +25,13 @@ let
mv -f "$TMP_FILE" '${secretType.path}'
'';
|
rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets);
isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
isNotRootSecret = st: !(isRootSecret st);
|
rootOwnedSecrets = builtins.filter isRootSecret (builtins.attrValues cfg.secrets);
installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));
|
nonRootSecrets = builtins.filter (st: st.owner != "root" || st.group != "root") (builtins.attrValues cfg.secrets);
nonRootSecrets = builtins.filter isNotRootSecret (builtins.attrValues cfg.secrets);
installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));
|
secretType = types.submodule ({ config, ... }: {
@ -62,14 +65,14 @@ let
};
owner = mkOption {
type = types.str;
default = "root";
default = "0";
description = ''
User of the file.
'';
};
group = mkOption {
type = types.str;
default = users.${config.owner}.group;
default = users.${config.owner}.group or "0";
description = ''
Group of the file.
'';
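Review bot: The new `isRootSecret` in the first hunk classifies a secret as root-owned whether the user wrote `"root"` or `"0"`, but the secret's own `owner`/`group` strings are still what gets handed to `installSecret` (only its trailing `mv -f` line is in the hunk; its body starts outside it), so a secret that explicitly sets `owner = "root"` is presumably still chowned by name in the early `installRootOwnedSecrets` script and hits the same missing-`/etc/passwd` ordering problem the description is working around; if that is the case, normalising to `0:0` inside the install step whenever `isRootSecret st` holds would close the gap for both spellings. In the second hunk, the `or "0"` fallback on the `group` default applies to any owner that is not a key of `users`, not just `"0"`: a numeric uid for a non-root user, or a typo in the owner name, now silently yields gid 0 instead of an evaluation error, which is easy to miss when reviewing a configuration. A comment on that line such as `# owner may be a uid string (e.g. "0") with no users.<owner> entry; fall back to gid 0` would make the intent explicit, and an assertion that a non-numeric owner is present in `users` would keep the old fail-loud behaviour for misspelled names.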