Allow to set uid and gid instead of owner and group. No checks will be performed when uid and gid are set.

``` sops.secrets = { sslCertificate = { sopsFile = ./secrets.yaml; owner = ""; group = ""; uid = config.containers."nginx".config.users.users."nginx".uid; gid = config.containers."nginx".config.users.groups."nginx".gid; }; sslCertificateKey = { sopsFile = ./secrets.yaml; owner = ""; group = ""; uid = config.containers."nginx".config.users.users."nginx".uid; gid = config.containers."nginx".config.users.groups."nginx".gid; }; }; ``` Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2025-12-26 22:24:59 +08:00 · 2024-10-16 01:30:11 +02:00 · 2024-10-16 01:30:11 +02:00 · a4c33bfecb
commit a4c33bfecb
parent 26642e8f19
5 changed files with 132 additions and 44 deletions
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -73,18 +73,32 @@ let
        '';
      };
      owner = lib.mkOption {
-        type = lib.types.str;
-        default = "root";
+        type = with lib.types; nullOr str;
+        default = null;
        description = ''
-          User of the file.
+          User of the file. Can only be set if uid is 0.
+        '';
+      };
+      uid = lib.mkOption {
+        type = with lib.types; nullOr int;
+        default = 0;
+        description = ''
+          UID of the file, only applied when owner is null. The UID will be applied even if the corresponding user doesn't exist.
        '';
      };
      group = lib.mkOption {
-        type = lib.types.str;
-        default = users.${config.owner}.group;
+        type = with lib.types; nullOr str;
+        default = if config.owner != null then users.${config.owner}.group else null;
        defaultText = lib.literalMD "{option}`config.users.users.\${owner}.group`";
        description = ''
-          Group of the file.
+          Group of the file. Can only be set if gid is 0.
+        '';
+      };
+      gid = lib.mkOption {
+        type = with lib.types; nullOr int;
+        default = 0;
+        description = ''
+          GID of the file, only applied when group is null. The GID will be applied even if the corresponding group doesn't exist.
        '';
      };
      sopsFile = lib.mkOption {
@ -318,6 +332,12 @@ in {
            builtins.isPath secret.sopsFile ||
            (builtins.isString secret.sopsFile && lib.hasPrefix builtins.storeDir secret.sopsFile);
          message = "'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false";
+        } {
+          assertion = secret.uid != null && secret.uid != 0 -> secret.owner == null;
+          message = "In ${secret.name} exactly one of sops.owner and sops.uid must be set";
+        } {
+          assertion = secret.gid != null && secret.gid != 0 -> secret.group == null;
+          message = "In ${secret.name} exactly one of sops.group and sops.gid must be set";
        }]) cfg.secrets)
      );

--- a/modules/sops/secrets-for-users/default.nix
+++ b/modules/sops/secrets-for-users/default.nix
@ -43,7 +43,7 @@ in
  };

  assertions = [{
-    assertion = (lib.filterAttrs (_: v: v.owner != "root" || v.group != "root") secretsForUsers) == { };
+    assertion = (lib.filterAttrs (_: v: (v.uid != 0 && v.owner != "root") || (v.gid != 0 && v.group != "root")) secretsForUsers) == { };
    message = "neededForUsers cannot be used for secrets that are not root-owned";
  } {
    assertion = secretsForUsers != { } && sysusersEnabled -> config.users.mutableUsers;