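# Adapted from https://github.com/Mic92/dotfiles/blob/23f163cae52545d44a7e379dc204010b013d679a/nixos/vms/modules/secrets.nix
#
# All of the users wanting to access any key under /run/keys have to be a
# member of the keys group (or be root). This is a hard coded limitation of
# NixOS and I haven’t found a way to allow everyone to access /run/keys/ (not a
# security problem since the keys themselves are given the right permissions).
#
# Security notes for users of this module:
#  * `source` is read from disk on the target at activation time. Keep it
#    outside the Nix store: the default builds a plain string from the
#    `<secrets>` NIX_PATH entry on purpose. Writing `source = ./secrets/foo;`
#    or `"${<secrets>}/foo"` would copy the secret into the world-readable
#    /nix/store.
#  * Secrets removed from `krops.secrets` are NOT deleted from /run/keys by
#    this module; remove stale files by hand (or reboot, /run is tmpfs).
#  * A failed copy is logged but does not fail activation (see below).
{ config, lib, pkgs, ... }:

let
  # One entry of `krops.secrets`: where the secret comes from, where it is
  # installed, and who may read it.
  secret = lib.types.submodule ({ config, ... }: {
    options = {
      name = lib.mkOption {
        type = lib.types.str;
        # Defaults to the attribute name used under `krops.secrets`.
        default = config._module.args.name;
        description = "File name of the secret; defaults to the attribute name.";
      };

      path = lib.mkOption {
        type = lib.types.str;
        default = "/run/keys/${config.name}";
        description = "Destination path the secret is installed to.";
      };

      mode = lib.mkOption {
        type = lib.types.str;
        # Read-only for owner and group, no access for others.
        default = "0440";
        description = "Permission mode (octal string) of the installed file.";
      };

      owner = lib.mkOption {
        type = lib.types.str;
        default = "root";
        description = "Owner of the installed file; the user must exist at activation time.";
      };

      group = lib.mkOption {
        type = lib.types.str;
        default = "root";
        description = "Group of the installed file; the group must exist at activation time.";
      };

      source = lib.mkOption {
        type = lib.types.str;
        # `toString <secrets>` turns the NIX_PATH lookup (supplied by the
        # deployment tool, e.g. krops) into a plain string, so the file is
        # read at activation time rather than copied into the Nix store at
        # evaluation time. The bare `toString + "..."` that was here before
        # cannot evaluate (it adds a function to a string).
        default = toString <secrets> + "/${config.name}";
        description = ''
          Path of the file holding the secret on the target machine.
          Must not be a Nix store path, because the store is world-readable.
        '';
      };
    };
  });

in {
  options.krops.secrets = lib.mkOption {
    type = lib.types.attrsOf secret;
    default = { };
    description = "Secrets to install under /run/keys during system activation.";
  };

  config = lib.mkIf (config.krops.secrets != { }) {
    system.activationScripts.setup-secrets =
      let
        # One `install` invocation per secret. `--compare` skips the copy when
        # content, mode, owner and group already match; `-D` creates missing
        # parent directories. Every operand is shell-escaped because mode,
        # owner, group and both paths are free-form strings from the config.
        # The failure message is escaped as a whole for the same reason
        # (previously the paths were interpolated unescaped into a
        # double-quoted shell string) and goes to stderr.
        installOne = secret: ''
          ${pkgs.coreutils}/bin/install \
            -D \
            --compare \
            --verbose \
            --mode=${lib.escapeShellArg secret.mode} \
            --owner=${lib.escapeShellArg secret.owner} \
            --group=${lib.escapeShellArg secret.group} \
            ${lib.escapeShellArg secret.source} \
            ${lib.escapeShellArg secret.path} \
            || echo ${lib.escapeShellArg "failed to copy ${secret.source} to ${secret.path}"} >&2
        '';
        # NOTE(review): the `|| echo` above deliberately keeps activation going
        # when a single secret cannot be installed; the consequence is that a
        # service may start with a missing or stale secret. Check the
        # activation log for "failed to copy" lines after a deploy.

        script = ''
          echo "setting up secrets…"
        '' + lib.concatMapStringsSep "\n" installOne (lib.attrValues config.krops.secrets);
      in
      # Runs after users and groups exist, so `--owner`/`--group` can resolve.
      lib.stringAfter [ "users" "groups" ]
        "source ${pkgs.writeText "setup-secrets.sh" script}";
  };
}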