pkg/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2026-04-05 01:05:18 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

nixos: enable manifest validation

Browse source
This commit is contained in:
Jörg Thalheim 2020-07-19 19:13:48 +01:00
parent 30c6879b42
commit b395301115
No known key found for this signature in database
GPG key ID: 003F2096411B5F92
2 changed files with 27 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

30
modules/sops/default.nix
View file

@ -80,6 +80,13 @@ let
symlinkPath = "/run/secrets";
inherit (cfg) gnupgHome sshKeyPaths;
});
checkedManifest = pkgs.runCommandNoCC "checked-manifest.json" {
nativeBuildInputs = [ sops-install-secrets ];
} ''
sops-install-secrets -check-mode=${if cfg.validateSopsFiles then "sopsfile" else "manifest"} ${manifest}
cp ${manifest} $out
'';
in {
options.sops = {
secrets = mkOption {
@ -97,6 +104,15 @@ in {
'';
};
validateSopsFiles = mkOption {
type = types.bool;
default = true;
description = ''
Check all sops files at evaluation time.
This requires sops files to be added to the nix store.
'';
};
gnupgHome = mkOption {
type = types.nullOr types.str;
default = null;
@ -118,18 +134,22 @@ in {
};
};
config = mkIf (cfg.secrets != {}) {
assertions = [{
assertion = cfg.gnupgHome != null -> cfg.sshKeyPaths == [];
message = "config.sops.gnupgHome and config.sops.sshKeyPaths are mutual exclusive";
message = "Configuration options sops.gnupgHome and sops.sshKeyPaths cannot be set both at the same time";
} {
assertion = cfg.gnupgHome == null -> cfg.sshKeyPaths != [];
message = "Either config.sops.sshKeyPaths and config.sops.gnupgHome must be set";
}];
message = "Either sops.sshKeyPaths and sops.gnupgHome must be set";
}] ++ map (name: let
inherit (cfg.secrets.${name}) sopsFile;
in {
assertion = cfg.validateSopsFiles -> builtins.isPath sopsFile;
message = "${sopsFile} is not in the nix store. Either add it to the nix store or set `sops.validateSopsFiles` to false";
}) (builtins.attrNames cfg.secrets);
system.activationScripts.setup-secrets = stringAfter [ "users" "groups" ] ''
echo setting up secrets...
${optionalString (cfg.gnupgHome != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets ${manifest}
${optionalString (cfg.gnupgHome != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets ${checkedManifest}
'';
};
}