secrets-store: set ownership after users script

This commit is contained in:
Michele Guerini Rocco 2020-10-26 13:59:06 +01:00
parent 496ddb0ac5
commit 482f35fe87


@ -55,9 +55,11 @@ let
isFile = v: isAttrs v && v.path != ""; isFile = v: isAttrs v && v.path != "";
# Secrets flattened to an index. This is needed # Secret files flattened to an index. This is needed
# to iterate over the set. # to iterate over the set.
flatSecrets = attrsToIndex (v: !isFile v) cfg; secretFiles =
filter (pair: isFile pair.value)
(attrsToIndex (v: !isFile v) cfg);
# Secrets with paths rewritten to the store location # Secrets with paths rewritten to the store location
storedSecrets = mapAttrsRecursiveCond (v: !isFile v) storedSecrets = mapAttrsRecursiveCond (v: !isFile v)
@ -99,27 +101,41 @@ in {
''; '';
}; };
# The user activation script may need access to secrets # The `users` activation script may need access to secrets
config.system.activationScripts.users.deps = [ "secretsStore" ]; config.system.activationScripts.users.deps = [ "secrets-copy" ];
config.system.activationScripts.secretsStore = { # Install secrets, first
deps = [ "stdio" ]; config.system.activationScripts.secrets-copy = {
deps = [ ];
text = text =
'' ''
# Initialise clean directory echo setting up secrets store...
rm -rf /run/secrets rm -rf /run/secrets
'' + concatMapStrings (pair: '' + concatMapStrings (pair:
let let
name = "${concatStringsSep "-" pair.path}"; name = "${concatStringsSep "-" pair.path}";
secret = pair.value; secret = pair.value;
in in
optionalString (isFile secret)
'' ''
# Install secret ${name} # Install secret ${name}
install -m ${secret.mode} \ install -m ${secret.mode} -D ${secret.path} /run/secrets/${name}
-o ${secret.user} -g ${secret.group} \ '') secretFiles;
-D ${secret.path} /run/secrets/${name} };
'') flatSecrets;
# Set secrets ownership, later because the
# `user` activation script hasn't run yet.
config.system.activationScripts.secrets-own = {
deps = [ "secrets-copy" "users" ];
text = concatMapStrings (pair:
let
name = "${concatStringsSep "-" pair.path}";
secret = pair.value;
in
''
echo setting secrets store ownership...
# Set ownership of ${name}
chown ${secret.user}:${secret.group} /run/secrets/${name}
'') secretFiles;
}; };
} }
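Review bot: In `secrets-own` the `echo setting secrets store ownership...` line sits inside the `concatMapStrings` body, so it is emitted once per secret file rather than once per activation, unlike `secrets-copy` where the matching `echo setting up secrets store...` is hoisted above the loop. Move it out of the per-secret template: `text = ''` / `  echo setting secrets store ownership...` / `'' + concatMapStrings (pair:` with the rest of the body unchanged. Separately, dropping `-o`/`-g` from `install` means each file is created root:root with `${secret.mode}` and stays that way until `secrets-own` runs after `users`; that is harmless for owner-only modes, but a group-readable mode is briefly readable by group root, and if the `users` script fails the chown never runs and services expecting `${secret.user}` cannot read their secrets (inferred from the `deps` ordering). A comment on `secrets-copy` such as `# Files are root:root until secrets-own runs after users; keep modes owner-only where possible` would make that window explicit.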