Merge pull request #151 from Mic92/improve-default-ssh

Ignore SSH host keys that are themselves deployed with sops
This commit is contained in:
Janne Heß 2021-12-29 19:55:18 +01:00 committed by GitHub
commit 1514ac9fd5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -137,7 +137,12 @@ let
${sopsCall}
)
'';
# Skip ssh keys deployed with sops to avoid a catch 22
defaultImportKeys = algo:
if config.services.openssh.enable then
map (e: e.path) (lib.filter (e: e.type == algo && !(lib.hasPrefix "/run/secrets" e.path)) config.services.openssh.hostKeys)
else
[];
in {
options.sops = {
secrets = mkOption {
@ -223,7 +228,7 @@ in {
sshKeyPaths = mkOption {
type = types.listOf types.path;
default = if config.services.openssh.enable then map (e: e.path) (lib.filter (e: e.type == "ed25519") config.services.openssh.hostKeys) else [];
default = defaultImportKeys "ed25519";
description = ''
Paths to ssh keys added as age keys during sops description.
'';
@ -242,9 +247,7 @@ in {
sshKeyPaths = mkOption {
type = types.listOf types.path;
default = if config.services.openssh.enable then
map (e: e.path) (lib.filter (e: e.type == "rsa") config.services.openssh.hostKeys)
else [];
default = defaultImportKeys "rsa";
description = ''
Path to ssh keys added as GPG keys during sops description.
This option must be explicitly unset if <literal>config.sops.gnupg.sshKeyPaths</literal> is set.