make sops-install-secrets work with sysusers

2025-12-26 14:14:58 +08:00 · 2024-02-08 14:47:26 +01:00 · 2024-02-08 14:47:26 +01:00 · 695275c349
commit 695275c349
parent 2eb7c4ba3a
3 changed files with 100 additions and 47 deletions
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:

 let
  cfg = config.sops;
@ -12,6 +12,8 @@ let

  regularSecrets = lib.filterAttrs (_: v: !v.neededForUsers) cfg.secrets;

+  sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable;
+
  withEnvironment = import ./with-environment.nix {
    inherit cfg lib;
  };
@ -312,8 +314,22 @@ in {

      sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null) (lib.mkDefault "${pkgs.gnupg}/bin/gpg");

+      # When using sysusers we no longer be started as an activation script because those are started in initrd while sysusers is started later.
+      systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && sysusersEnabled) {
+        wantedBy = [  "sysinit.target" ];
+        after = [ "systemd-sysusers.service" ];
+        environment = cfg.environment;
+        unitConfig.DefaultDependencies = "no";
+
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = [ "${cfg.package}/bin/sops-install-secrets ${manifest}" ];
+          RemainAfterExit = true;
+        };
+      };
+
      system.activationScripts = {
-        setupSecrets = lib.mkIf (regularSecrets != {}) (lib.stringAfter ([ "specialfs" "users" "groups" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
+        setupSecrets = lib.mkIf (regularSecrets != {} && !sysusersEnabled) (lib.stringAfter ([ "specialfs" "users" "groups" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
          [ -e /run/current-system ] || echo setting up secrets...
          ${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets ${manifest}"}
        '' // lib.optionalAttrs (config.system ? dryActivationScript) {
--- a/modules/sops/secrets-for-users/default.nix
+++ b/modules/sops/secrets-for-users/default.nix
@ -1,4 +1,4 @@
-{ lib, config, pkgs, ... }:
+{ lib, options, config, pkgs, ... }:
 let
  cfg = config.sops;
  secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;
@ -13,24 +13,42 @@ let
    secretsMountPoint = "/run/secrets-for-users.d";
    symlinkPath = "/run/secrets-for-users";
  };
+  sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable;
 in
 {
-  system.activationScripts = lib.mkIf (secretsForUsers != {}) {
-    setupSecretsForUsers = lib.mkIf (secretsForUsers != {}) (lib.stringAfter ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
-      [ -e /run/current-system ] || echo setting up secrets for users...
-      ${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}
-    '' // lib.optionalAttrs (config.system ? dryActivationScript) {
-    supportsDryActivation = true;
-    });
+  systemd.services.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != { } && sysusersEnabled) {
+    wantedBy = [  "systemd-sysusers.service" ];
+    before = [ "systemd-sysusers.service" ];
+    environment = cfg.environment;
+    unitConfig.DefaultDependencies = "no";

-    users = lib.mkIf (secretsForUsers != {}) {
-      deps = [ "setupSecretsForUsers" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = [ "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}" ];
+      RemainAfterExit = true;
    };
  };

+  system.activationScripts = lib.mkIf (secretsForUsers != { } && !sysusersEnabled) {
+    setupSecretsForUsers = lib.stringAfter ([ "specialfs" ] ++ lib.optional cfg.age.generateKey "generate-age-key") ''
+      [ -e /run/current-system ] || echo setting up secrets for users...
+      ${withEnvironment "${cfg.package}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}
+    '' // lib.optionalAttrs (config.system ? dryActivationScript) {
+      supportsDryActivation = true;
+    };
+
+    users.deps = [ "setupSecretsForUsers" ];
+  };
+
  assertions = [{
-    assertion = (lib.filterAttrs (_: v: v.owner != "root" || v.group != "root") secretsForUsers) == {};
+    assertion = (lib.filterAttrs (_: v: v.owner != "root" || v.group != "root") secretsForUsers) == { };
    message = "neededForUsers cannot be used for secrets that are not root-owned";
+  } {
+    assertion = secretsForUsers != { } && sysusersEnabled -> config.users.mutableUsers;
+    message = ''
+      systemd.sysusers.enable in combination with sops.secrets.<name>.neededForUsers can only work with config.users.mutableUsers enabled.
+      See https://github.com/Mic92/sops-nix/issues/475
+    '';
  }];

  system.build.sops-nix-users-manifest = manifestForUsers;