mynix/agenix
1
0
Fork 0
mirror of https://github.com/ryantm/agenix.git synced 2024-11-22 01:30:48 +03:00
Code Issues Projects Releases Packages Wiki Activity

install root owned secrets sooner

Browse source
This commit is contained in:
Ryan Mulligan 2020-09-09 20:41:26 -07:00
parent d2dc883f3a
commit aecba55db6
1 changed files with 13 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
modules/age.nix
View file

@ -14,7 +14,12 @@ let
chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
mv -f "$TMP_FILE" '${secretType.path}'
'';
installAllSecrets = builtins.concatStringsSep "\n" (map installSecret (builtins.attrValues cfg.secrets));
rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets);
installRootOwnedSecrets = builtins.concatStringsSep "\n" (map installSecret rootOwnedSecrets);
nonRootSecrets = builtins.filter (st: st.owner != "root" && st.group != "root") (builtins.attrValues cfg.secrets);
installNonRootSecrets = builtins.concatStringsSep "\n" (map installSecret nonRootSecrets);
secretType = types.submodule ({ config, ... }: {
options = {
@ -86,6 +91,12 @@ in {
message = "age.sshKeyPaths must be set.";
}];
system.activationScripts.setup-secrets = stringAfter [ "users" "groups" ] installAllSecrets;
# Secrets with root owner and group can be installed before users
# exist. This allows user password files to be encrypted.
system.activationScripts.agenixRoot = installRootOwnedSecrets;
system.activationScripts.users.deps = [ "agenixRoot" ];
# Other secrets need to wait for users and groups to exist.
system.activationScripts.agenix = stringAfter [ "users" "groups" ] installNonRootSecrets;
};
}