pkg/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2025-12-26 06:04:57 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

add uid and gid to templates

Browse source
This commit is contained in:
David Kowis 2025-01-17 23:23:32 -06:00 committed by Jörg Thalheim
parent b33837ae3c
commit 787afce414
4 changed files with 107 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

20
checks/darwin.nix
View file

@ -8,9 +8,23 @@
];
documentation.enable = false;
sops.secrets.test_key = { };
sops.templates."template.toml".content = ''
password = "${config.sops.placeholder.test_key}";
'';
sops.templates."template.toml" = {
content = ''
password = "${config.sops.placeholder.test_key}";
'';
};
sops.templates."template-with-uid.toml" = {
content = ''
password = "${config.sops.placeholder.test_key}";
'';
uid = 1000;
};
sops.templates."template-with-gid.toml" = {
content = ''
password = "${config.sops.placeholder.test_key}";
'';
gid = 1000;
};
sops.defaultSopsFile = ../pkgs/sops-install-secrets/test-assets/secrets.yaml;
sops.age.generateKey = true;
system.stateVersion = 5;

10
checks/nixos-test.nix
View file

@ -321,6 +321,14 @@ in
path = "/etc/externally/linked";
};
sops.templates.test_uid_gid = {
uid = 420;
gid = 420;
content = ''
Test value: ${config.sops.placeholder.test_key}
'';
};
users.groups.somegroup = { };
users.users.someuser = {
isSystemUser = true;
@ -339,6 +347,8 @@ in
machine.succeed("[ $(stat -c%G /run/secrets/rendered/test_template) = 'somegroup' ]")
machine.succeed("[ $(stat -c%U /run/secrets/rendered/test_default) = 'root' ]")
machine.succeed("[ $(stat -c%G /run/secrets/rendered/test_default) = 'root' ]")
machine.succeed("[ $(stat -c%u /run/secrets/rendered/test_uid_gid) = '420' ]")
machine.succeed("[ $(stat -c%g /run/secrets/rendered/test_uid_gid) = '420' ]")
expected = """\
This line is not modified.

46
modules/nix-darwin/templates/default.nix
View file

@ -49,18 +49,32 @@ in
'';
};
owner = mkOption {
type = types.singleLineStr;
default = "root";
type = with lib.types; nullOr singleLineStr;
default = null;
description = ''
User of the file.
User of the file. Can only be set if uid is 0;
'';
};
uid = mkOption {
type = with lib.types; nullOr int;
default = 0;
description = ''
UID of the template, only applied with owner is null. the UID will be applied even if the corresponding user doesn't exist.
'';
};
group = mkOption {
type = types.singleLineStr;
default = "staff";
type = with lib.types; nullOr singleLineStr;
default = if config.owner != null then "staff" else null;
defaultText = "staff";
description = ''
Group of the file. Default on darwin in staff.
Group of the file. Can only be set if gid is 0. Default on darwin to 'staff'
'';
};
gid = mkOption {
type = with lib.types; nullOr int;
default = 0;
description = ''
GID of the template, only applied when group is null. The GID will be applied even if the corresponding group doesn't exist.
'';
};
file = mkOption {
@ -97,6 +111,26 @@ in
sops.placeholder = mapAttrs (
name: _: mkDefault "<SOPS:${builtins.hashString "sha256" name}:PLACEHOLDER>"
) config.sops.secrets;
assertions =
lib.mapAttrsToList (name: cfg: {
assertion = !(cfg.owner != null && cfg.uid != 0);
message = ''
Assertion failed for `sops.templates.${name}`:
Both `owner` and `uid` cannot be defined at the same time. Use either `owner` or leave `uid` as 0.
owner: ${cfg.owner}
uid: ${toString cfg.uid}
'';
}) (lib.traceVal config.sops.templates)
++ lib.mapAttrsToList (name: cfg: {
assertion = !(cfg.group != null && cfg.gid != 0);
message = ''
Assertion failed for `sops.templates.${name}`:
Both `group` and `gid` cannot be defined at the same time. Use either `group` or leave `gid` as 0.
owner: ${cfg.group}
uid: ${toString cfg.gid}
'';
}) config.sops.templates;
}
);
}

46
modules/sops/templates/default.nix
View file

@ -52,18 +52,32 @@ in
'';
};
owner = mkOption {
type = types.singleLineStr;
default = "root";
type = with lib.types; nullOr singleLineStr;
default = null;
description = ''
User of the file.
User of the file. Can only be set if uid is 0;
'';
};
uid = mkOption {
type = with lib.types; nullOr int;
default = 0;
description = ''
UID of the template, only applied with owner is null. the UID will be applied even if the corresponding user doesn't exist.
'';
};
group = mkOption {
type = types.singleLineStr;
default = users.${config.owner}.group;
type = with lib.types; nullOr singleLineStr;
default = if config.owner != null then users.${config.owner}.group else null;
defaultText = lib.literalExpression ''config.users.users.''${cfg.owner}.group'';
description = ''
Group of the file.
Group of the file. Can only be set if gid is 0.
'';
};
gid = mkOption {
type = with lib.types; nullOr int;
default = 0;
description = ''
GID of the template, only applied when group is null. The GID will be applied even if the corresponding group doesn't exist.
'';
};
file = mkOption {
@ -118,6 +132,26 @@ in
sops.placeholder = mapAttrs (
name: _: mkDefault "<SOPS:${builtins.hashString "sha256" name}:PLACEHOLDER>"
) config.sops.secrets;
assertions =
lib.mapAttrsToList (name: cfg: {
assertion = !(cfg.owner != null && cfg.uid != 0);
message = ''
Assertion failed for `sops.templates.${name}`:
Both `owner` and `uid` cannot be defined at the same time. Use either `owner` or leave `uid` as 0.
owner: ${cfg.owner}
uid: ${toString cfg.uid}
'';
}) config.sops.templates
++ lib.mapAttrsToList (name: cfg: {
assertion = !(cfg.group != null && cfg.gid != 0);
message = ''
Assertion failed for `sops.templates.${name}`:
Both `group` and `gid` cannot be defined at the same time. Use either `group` or leave `gid` as 0.
owner: ${cfg.group}
uid: ${toString cfg.gid}
'';
}) config.sops.templates;
}
);
}