feat(nixos): add user password secrets to sops
This commit adds the user password secrets to sops. It leverages the `userListToAttrs` lib function.
This commit is contained in:
parent
782a4324a8
commit
4ff7b8e18f
5 changed files with 42 additions and 15 deletions
|
@ -18,17 +18,22 @@ in
|
|||
type = lazyAttrsOf raw;
|
||||
default = { };
|
||||
};
|
||||
root = mkOption {
|
||||
type = path;
|
||||
default = "";
|
||||
paths = {
|
||||
root = mkOption { type = path; };
|
||||
secrets = mkOption {
|
||||
type = path;
|
||||
readOnly = true;
|
||||
};
|
||||
};
|
||||
admin = mkOption {
|
||||
type = lazyAttrsOf raw;
|
||||
default = { };
|
||||
};
|
||||
};
|
||||
|
||||
config.flake.admin = cfg.manifest.users.${username} // {
|
||||
inherit username;
|
||||
config.flake = {
|
||||
paths.secrets = cfg.paths.root + "/secrets";
|
||||
admin = cfg.manifest.users.${username} // {
|
||||
inherit username;
|
||||
};
|
||||
};
|
||||
}
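Review bot: The new `paths.root` and `paths.secrets` options carry no `description`, and the `readOnly = true` on `paths.secrets` is the one thing a reader of this module most needs explained, since the value is fixed by `config.flake.paths.secrets = cfg.paths.root + "/secrets"` further down the hunk. Add `description = "Root of the flake repository; must be set by the consumer.";` to `root` and `description = "Directory holding the sops-encrypted secret files; derived from paths.root and not settable.";` to `secrets`. Dropping `default = ""` from `root` also turns an unset root into an evaluation error rather than a silent empty path, which appears to be the intent, but it is worth stating in the description so the error is not a surprise. The enclosing module attribute set starts before this hunk.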
|
||||
|
|
|
@ -16,12 +16,9 @@ in
|
|||
{ config, ... }:
|
||||
{
|
||||
imports = [ inputs.sops-nix.nixosModules.sops ];
|
||||
config.sops = {
|
||||
defaultSopsFile = "${cfg.root}/secrets/secrets.yaml";
|
||||
age.sshKeyPaths = [
|
||||
"/persist${config.users.defaultUserHome}/${username}/.ssh/id_ed25519"
|
||||
];
|
||||
};
|
||||
config.sops.age.sshKeyPaths = [
|
||||
"/persist${config.users.defaultUserHome}/${username}/.ssh/id_ed25519"
|
||||
];
|
||||
};
|
||||
perSystem =
|
||||
{ pkgs, ... }:
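Review bot: Removing `defaultSopsFile` from `config.sops` means every `sops.secrets.<name>` in this configuration must now carry its own `sopsFile`; the user-password secrets added in this commit do, but any secret declared elsewhere without one will presumably fail evaluation once this lands, so a grep for other `sops.secrets` declarations is warranted. Nothing in the diff deletes or retires `${cfg.root}/secrets/secrets.yaml`, so if that file is no longer referenced it should be dropped or the remaining consumers pointed at it explicitly. A one-line comment above the surviving `config.sops.age.sshKeyPaths` such as `# No defaultSopsFile: each secret names its own sopsFile under flake.paths.secrets` would make the new convention visible to the next module author. The enclosing module function starts before this hunk.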
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
cfg = config.flake;
|
||||
inherit (cfg.lib.modules) forAllUsers';
|
||||
inherit (cfg.lib.modules) userListToAttrs forAllUsers';
|
||||
inherit (lib.lists) optional;
|
||||
in
|
||||
{
|
||||
|
@ -19,13 +19,20 @@ in
|
|||
mutableUsers = false;
|
||||
groups.users.gid = 100;
|
||||
users = forAllUsers' (
|
||||
_: value: {
|
||||
name: value: {
|
||||
isNormalUser = true;
|
||||
hashedPasswordFile = config.sops.secrets."${name}/hashedPassword".path;
|
||||
extraGroups = optional (value.primary or false) "wheel";
|
||||
openssh.authorizedKeys.keys = [ value.pubkey ];
|
||||
}
|
||||
);
|
||||
};
|
||||
sops.secrets = userListToAttrs (name: {
|
||||
"${name}/hashedPassword" = {
|
||||
neededForUsers = true;
|
||||
sopsFile = cfg.paths.secrets + "/users.yaml";
|
||||
};
|
||||
});
|
||||
home-manager.users = forAllUsers' (
|
||||
name: _: {
|
||||
home.username = name;
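Review bot: The new `hashedPasswordFile = config.sops.secrets."${name}/hashedPassword".path;` line depends on a secret marked `neededForUsers = true`, which sops-nix decrypts in the early activation phase before users are created, and the age key it needs is the admin's `/persist…/.ssh/id_ed25519` path from the other module in this commit; if `/persist` is not mounted by then, decryption fails and, with `mutableUsers = false`, every account including the admin is left without a usable password. Unless the persist filesystem is already marked `neededForBoot = true`, that should be set alongside this change, and a comment such as `# neededForUsers: decrypted before user creation; the age key in /persist must be mounted by then` above `neededForUsers = true;` would record the dependency. Separately, `forAllUsers'` now requires a `<name>/hashedPassword` entry in `users.yaml` for every manifest user, so adding a user without one breaks the build; a short note on the `sops.secrets = userListToAttrs` line pointing to where the hashes are generated and the file re-encrypted would help the next person who adds a user. The enclosing `users` attribute set starts before this hunk and the `home-manager.users` block continues past it.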
|
||||
|
|