From 787afce414bcce803b605c510b60bf43c11f4b55 Mon Sep 17 00:00:00 2001
From: David Kowis
Date: Fri, 17 Jan 2025 23:23:32 -0600
Subject: [PATCH] add uid and gid to templates

---
 checks/darwin.nix | 20 +++++++++--
 checks/nixos-test.nix | 10 ++++++
 modules/nix-darwin/templates/default.nix | 46 ++++++++++++++++++++----
 modules/sops/templates/default.nix | 46 ++++++++++++++++++++----
 4 files changed, 107 insertions(+), 15 deletions(-)

diff --git a/checks/darwin.nix b/checks/darwin.nix
index fe67b43..de06e4e 100644
--- a/checks/darwin.nix
+++ b/checks/darwin.nix
@@ -8,9 +8,23 @@
   ];
   documentation.enable = false;
   sops.secrets.test_key = { };
-  sops.templates."template.toml".content = ''
-    password = "${config.sops.placeholder.test_key}";
-  '';
+  sops.templates."template.toml" = {
+    content = ''
+      password = "${config.sops.placeholder.test_key}";
+    '';
+  };
+  sops.templates."template-with-uid.toml" = {
+    content = ''
+      password = "${config.sops.placeholder.test_key}";
+    '';
+    uid = 1000;
+  };
+  sops.templates."template-with-gid.toml" = {
+    content = ''
+      password = "${config.sops.placeholder.test_key}";
+    '';
+    gid = 1000;
+  };
   sops.defaultSopsFile = ../pkgs/sops-install-secrets/test-assets/secrets.yaml;
   sops.age.generateKey = true;
   system.stateVersion = 5;
diff --git a/checks/nixos-test.nix b/checks/nixos-test.nix
index 95c7a12..7a113fc 100644
--- a/checks/nixos-test.nix
+++ b/checks/nixos-test.nix
@@ -321,6 +321,14 @@ in
       path = "/etc/externally/linked";
     };
 
+    sops.templates.test_uid_gid = {
+      uid = 420;
+      gid = 420;
+      content = ''
+        Test value: ${config.sops.placeholder.test_key}
+      '';
+    };
+
     users.groups.somegroup = { };
     users.users.someuser = {
       isSystemUser = true;
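Review bot: The uid/gid value 420 in the new `test_uid_gid` template is unexplained; if 420 is not allocated to any user or group in this test, it is exactly the "applied even if the corresponding user doesn't exist" path the option docs promise, and a comment such as `# 420 is deliberately not a declared user or group: exercises numeric ownership with no passwd/group entry` would make both the intent and the later numeric `stat -c%u` checks clear. Nothing in this test sets `owner` together with a numeric `gid`, so the interaction between the named-owner defaults and the new numeric options stays untested. The attribute set this hunk sits in starts before and ends after the hunk.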
@@ -339,6 +347,8 @@ in
         machine.succeed("[ $(stat -c%G /run/secrets/rendered/test_template) = 'somegroup' ]")
         machine.succeed("[ $(stat -c%U /run/secrets/rendered/test_default) = 'root' ]")
         machine.succeed("[ $(stat -c%G /run/secrets/rendered/test_default) = 'root' ]")
+        machine.succeed("[ $(stat -c%u /run/secrets/rendered/test_uid_gid) = '420' ]")
+        machine.succeed("[ $(stat -c%g /run/secrets/rendered/test_uid_gid) = '420' ]")
 
         expected = """\
         This line is not modified.
diff --git a/modules/nix-darwin/templates/default.nix b/modules/nix-darwin/templates/default.nix
index da1dcbb..53fa28d 100644
--- a/modules/nix-darwin/templates/default.nix
+++ b/modules/nix-darwin/templates/default.nix
@@ -49,18 +49,32 @@ in
       '';
     };
     owner = mkOption {
-      type = types.singleLineStr;
-      default = "root";
+      type = with lib.types; nullOr singleLineStr;
+      default = null;
       description = ''
-        User of the file.
+        User of the file. Can only be set if uid is 0;
+      '';
+    };
+    uid = mkOption {
+      type = with lib.types; nullOr int;
+      default = 0;
+      description = ''
+        UID of the template, only applied with owner is null. the UID will be applied even if the corresponding user doesn't exist.
       '';
     };
     group = mkOption {
-      type = types.singleLineStr;
-      default = "staff";
+      type = with lib.types; nullOr singleLineStr;
+      default = if config.owner != null then "staff" else null;
       defaultText = "staff";
       description = ''
-        Group of the file. Default on darwin in staff.
+        Group of the file. Can only be set if gid is 0. Default on darwin to 'staff'
+      '';
+    };
+    gid = mkOption {
+      type = with lib.types; nullOr int;
+      default = 0;
+      description = ''
+        GID of the template, only applied when group is null. The GID will be applied even if the corresponding group doesn't exist.
       '';
     };
     file = mkOption {
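Review bot: `uid` and `gid` are typed `nullOr int` but documented and asserted only in terms of 0 versus non-zero, so `uid = null` is a third state nothing handles (with `owner` set it even trips the assertion, since `null != 0`), and negative values pass evaluation; `type = with lib.types; ints.unsigned;` removes both cases, which matters if these numbers are ever handed to a chown-style call where -1 means "leave unchanged" (the installer is not visible here). Because `group` now defaults to `"staff"` whenever `owner` is set, `owner = "x"; gid = N;` is rejected by the group/gid assertion although the user never set `group`; either make that default also depend on `gid == 0` or say in the description that `group = null` must be set explicitly. `defaultText = "staff"` is stale now that the default is `null` when `owner` is unset, and the descriptions need fixing: `Can only be set if uid is 0;` should end with a period and `only applied with owner is null` should read `when owner is null`. The enclosing options attribute set starts and ends outside the hunk.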
@@ -97,6 +111,26 @@ in
       sops.placeholder = mapAttrs (
         name: _: mkDefault ""
       ) config.sops.secrets;
+
+      assertions =
+        lib.mapAttrsToList (name: cfg: {
+          assertion = !(cfg.owner != null && cfg.uid != 0);
+          message = ''
+            Assertion failed for `sops.templates.${name}`:
+            Both `owner` and `uid` cannot be defined at the same time. Use either `owner` or leave `uid` as 0.
+            owner: ${cfg.owner}
+            uid: ${toString cfg.uid}
+          '';
+        }) (lib.traceVal config.sops.templates)
+        ++ lib.mapAttrsToList (name: cfg: {
+          assertion = !(cfg.group != null && cfg.gid != 0);
+          message = ''
+            Assertion failed for `sops.templates.${name}`:
+            Both `group` and `gid` cannot be defined at the same time. Use either `group` or leave `gid` as 0.
+            owner: ${cfg.group}
+            uid: ${toString cfg.gid}
+          '';
+        }) config.sops.templates;
     }
   );
 }
diff --git a/modules/sops/templates/default.nix b/modules/sops/templates/default.nix
index fb3fb2c..d6810a5 100644
--- a/modules/sops/templates/default.nix
+++ b/modules/sops/templates/default.nix
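Review bot: `(lib.traceVal config.sops.templates)` on the first assertion is a debugging leftover: it dumps every template definition to stderr on every evaluation, and the sibling module in `modules/sops/templates/default.nix` passes `config.sops.templates` directly, so this should read `}) config.sops.templates`. The second message labels the wrong fields — it prints `owner: ${cfg.group}` and `uid: ${toString cfg.gid}`; change those two lines to `group: ${cfg.group}` and `gid: ${toString cfg.gid}` so a failure points at the options actually in conflict. The `config = ... ( { ... } );` wrapper these assertions live in begins before the hunk.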
@@ -52,18 +52,32 @@ in
       '';
     };
     owner = mkOption {
-      type = types.singleLineStr;
-      default = "root";
+      type = with lib.types; nullOr singleLineStr;
+      default = null;
       description = ''
-        User of the file.
+        User of the file. Can only be set if uid is 0;
+      '';
+    };
+    uid = mkOption {
+      type = with lib.types; nullOr int;
+      default = 0;
+      description = ''
+        UID of the template, only applied with owner is null. the UID will be applied even if the corresponding user doesn't exist.
       '';
     };
     group = mkOption {
-      type = types.singleLineStr;
-      default = users.${config.owner}.group;
+      type = with lib.types; nullOr singleLineStr;
+      default = if config.owner != null then users.${config.owner}.group else null;
       defaultText = lib.literalExpression ''config.users.users.''${cfg.owner}.group'';
       description = ''
-        Group of the file.
+        Group of the file. Can only be set if gid is 0.
+      '';
+    };
+    gid = mkOption {
+      type = with lib.types; nullOr int;
+      default = 0;
+      description = ''
+        GID of the template, only applied when group is null. The GID will be applied even if the corresponding group doesn't exist.
       '';
     };
     file = mkOption {
@@ -118,6 +132,26 @@ in
       sops.placeholder = mapAttrs (
         name: _: mkDefault ""
       ) config.sops.secrets;
+
+      assertions =
+        lib.mapAttrsToList (name: cfg: {
+          assertion = !(cfg.owner != null && cfg.uid != 0);
+          message = ''
+            Assertion failed for `sops.templates.${name}`:
+            Both `owner` and `uid` cannot be defined at the same time. Use either `owner` or leave `uid` as 0.
+            owner: ${cfg.owner}
+            uid: ${toString cfg.uid}
+          '';
+        }) config.sops.templates
+        ++ lib.mapAttrsToList (name: cfg: {
+          assertion = !(cfg.group != null && cfg.gid != 0);
+          message = ''
+            Assertion failed for `sops.templates.${name}`:
+            Both `group` and `gid` cannot be defined at the same time. Use either `group` or leave `gid` as 0.
+            owner: ${cfg.group}
+            uid: ${toString cfg.gid}
+          '';
+        }) config.sops.templates;
     }
   );
 }
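Review bot: `uid`/`gid` accept `nullOr int`, yet the descriptions and the accompanying assertions only distinguish 0 from non-zero: `uid = null` alongside `owner` trips the assertion (`null != 0`), `uid = null` on its own is unhandled, and negative ids pass evaluation; `type = with lib.types; ints.unsigned;` (no null, no negatives) matches what the docs promise and avoids ever passing -1 to a chown-style call should the installer use one (not visible here). Because `group` defaults to `users.${config.owner}.group` whenever `owner` is set, `owner = "x"; gid = N;` is rejected as a group/gid conflict even though `group` was never set; a default of `if config.owner != null && config.gid == 0 then users.${config.owner}.group else null` would admit that combination, or the description should state that `group = null` must be set explicitly. `defaultText` still claims the default is unconditionally `config.users.users.${cfg.owner}.group` and should mention the `null` fallback. The enclosing options attribute set starts and ends outside the hunk.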
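Review bot: The second assertion's message mislabels its fields as `owner:` and `uid:` while interpolating `cfg.group` and `cfg.gid`; change the two lines to `group: ${cfg.group}` and `gid: ${toString cfg.gid}`. With `uid`/`gid` typed `nullOr int`, `!(cfg.owner != null && cfg.uid != 0)` also fires for `owner` set together with `uid = null` and then prints an empty `uid:` line (`toString null` is `""`), so either drop `nullOr` from the option type or compare against `null` as well. The `config = ... ( { ... } );` wrapper that holds `assertions` starts before the hunk.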