feature: use uid 0 and gid 0 as default owner and group (consider them root)

This assumes that the root user is always uid 0 and gid 0, which I
believe is a safe assumption. The reason to add this is because when a
declarative VM (for example, a NixOS test) or image boots the first
time, the installRootOwnedSecrets activation script runs BEFORE the
"users" and "groups" activation scripts, so the user and group for
root is not created. Using uid 0 and gid 0 gets around the root user
not being set up yet.
This commit is contained in:
Ryan Mulligan 2021-05-09 14:18:20 -07:00
parent ecee2c76b9
commit 6aec6889ba

View file

@ -25,10 +25,13 @@ let
mv -f "$TMP_FILE" '${secretType.path}' mv -f "$TMP_FILE" '${secretType.path}'
''; '';
rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets); isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
isNotRootSecret = st: !(isRootSecret st);
rootOwnedSecrets = builtins.filter isRootSecret (builtins.attrValues cfg.secrets);
installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets)); installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));
nonRootSecrets = builtins.filter (st: st.owner != "root" || st.group != "root") (builtins.attrValues cfg.secrets); nonRootSecrets = builtins.filter isNotRootSecret (builtins.attrValues cfg.secrets);
installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets)); installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));
secretType = types.submodule ({ config, ... }: { secretType = types.submodule ({ config, ... }: {
@ -62,14 +65,14 @@ let
}; };
owner = mkOption { owner = mkOption {
type = types.str; type = types.str;
default = "root"; default = "0";
description = '' description = ''
User of the file. User of the file.
''; '';
}; };
group = mkOption { group = mkOption {
type = types.str; type = types.str;
default = users.${config.owner}.group; default = users.${config.owner}.group or "0";
description = '' description = ''
Group of the file. Group of the file.
''; '';