From 6aec6889ba1f0cb72637928cabcfebb70950dfc7 Mon Sep 17 00:00:00 2001
From: Ryan Mulligan
Date: Sun, 9 May 2021 14:18:20 -0700
Subject: [PATCH] feature: use uid 0 and gid 0 as default owner and group (consider them root)

This assumes that the root user is always uid 0 and gid 0, which I believe is a safe assumption.

The reason to add this is because when a declarative VM (for example, a NixOS test) or image boots the first time, the installRootOwnedSecrets activation script runs BEFORE the "users" and "groups" activation scripts, so the user and group for root is not created. Using uid 0 and gid 0 gets around the root user not being set up yet.
---
 modules/age.nix | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/modules/age.nix b/modules/age.nix
index a840974..2b55673 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -25,10 +25,13 @@ let
 mv -f "$TMP_FILE" '${secretType.path}'
 '';
 
- rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets);
+ isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
+ isNotRootSecret = st: !(isRootSecret st);
+
+ rootOwnedSecrets = builtins.filter isRootSecret (builtins.attrValues cfg.secrets);
 installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));
 
- nonRootSecrets = builtins.filter (st: st.owner != "root" || st.group != "root") (builtins.attrValues cfg.secrets);
+ nonRootSecrets = builtins.filter isNotRootSecret (builtins.attrValues cfg.secrets);
 installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));
 
 secretType = types.submodule ({ config, ... }: {
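Review bot: The new `isRootSecret` normalizes only the classification, not the ids that get used: a secret declared explicitly with `owner = "root"` or `group = "root"` is still sent to the early root phase carrying the name unchanged. If `installSecret` (its body starts above this hunk) hands `secretType.owner`/`secretType.group` to `chown` as-is, that secret hits exactly the pre-`users`/`groups` failure the commit message describes, and the numeric default only fixes the default case. Normalize once where the ids are interpolated, e.g. `rootId = v: if v == "root" then "0" else v;`, or restrict the early phase to the numeric spelling. A short comment on the predicate would also help the next reader: `# "0" is accepted next to "root" because root secrets are installed before the users/groups activation scripts, when the name may not resolve yet`. Stylistically, `builtins.partition isRootSecret (builtins.attrValues cfg.secrets)` yields both lists in one pass and removes the need for the `isNotRootSecret` wrapper.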
@@ -62,14 +65,14 @@ let
 };
 owner = mkOption {
 type = types.str;
- default = "root";
+ default = "0";
 description = ''
 User of the file.
 '';
 };
 group = mkOption {
 type = types.str;
- default = users.${config.owner}.group;
+ default = users.${config.owner}.group or "0";
 description = ''
 Group of the file.
 '';
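Review bot: The `or "0"` fallback on the `group` default hides misconfiguration: any owner not declared in `users` — a typo, a numeric uid such as `"1000"`, or an account created outside `users.users` — now silently gets group 0 instead of the evaluation error the previous `users.${config.owner}.group` raised. For a secret file, failing at eval time is preferable to guessing a group, and only the new `"0"` owner actually needs the fallback. `default = if config.owner == "0" then "0" else users.${config.owner}.group;` keeps the new default working while still forcing an explicit `group` for undeclared owners. The `description` strings could additionally state that numeric ids are accepted and that root-owned secrets (`"0"` or `"root"`) are installed before user accounts exist. The `secretType` submodule these options belong to begins and ends outside this hunk, and `users` is bound above it, so the exact attribute set consulted is assumed.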