Allow setting user passwords

2025-12-26 22:24:59 +08:00 · 2021-10-19 18:26:43 +02:00 · 2021-10-19 18:26:43 +02:00 · bac08f6919
commit bac08f6919
parent 79706f6748
4 changed files with 142 additions and 51 deletions
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@ -102,14 +102,16 @@ const (
 )

 type options struct {
-	checkMode CheckMode
-	manifest  string
+	checkMode    CheckMode
+	manifest     string
+	ignorePasswd bool
 }

 type appContext struct {
-	manifest    manifest
-	secretFiles map[string]secretFile
-	checkMode   CheckMode
+	manifest     manifest
+	secretFiles  map[string]secretFile
+	checkMode    CheckMode
+	ignorePasswd bool
 }

 func secureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error {
@ -451,7 +453,10 @@ func (app *appContext) validateSecret(secret *secret) error {
 	}
 	secret.mode = os.FileMode(mode)

-	if app.checkMode == Off {
+	if app.ignorePasswd {
+		secret.owner = 0
+		secret.group = 0
+	} else if app.checkMode == Off {
 		// we only access to the user/group during deployment
 		owner, err := user.Lookup(secret.Owner)
 		if err != nil {
@ -785,6 +790,7 @@ func parseFlags(args []string) (*options, error) {
 	}
 	var checkMode string
 	fs.StringVar(&checkMode, "check-mode", "off", `Validate configuration without installing it (possible values: "manifest","sopsfile","off")`)
+	fs.BoolVar(&opts.ignorePasswd, "ignore-passwd", false, `Don't look up anything in /etc/passwd. Causes everything to be owned by root:root`)
 	if err := fs.Parse(args[1:]); err != nil {
 		return nil, err
 	}
@ -816,9 +822,10 @@ func installSecrets(args []string) error {
 	}

 	app := appContext{
-		manifest:    *manifest,
-		checkMode:   opts.checkMode,
-		secretFiles: make(map[string]secretFile),
+		manifest:     *manifest,
+		checkMode:    opts.checkMode,
+		ignorePasswd: opts.ignorePasswd,
+		secretFiles:  make(map[string]secretFile),
 	}

 	if err := app.validateManifest(); err != nil {
@ -829,9 +836,14 @@ func installSecrets(args []string) error {
 		return nil
 	}

-	keysGid, err := lookupKeysGroup()
-	if err != nil {
-		return err
+	var keysGid int
+	if opts.ignorePasswd {
+		keysGid = 0
+	} else {
+		keysGid, err = lookupKeysGroup()
+		if err != nil {
+			return err
+		}
 	}

 	isDry := os.Getenv("NIXOS_ACTION") == "dry-activate"
--- a/pkgs/sops-install-secrets/nixos-test.nix
+++ b/pkgs/sops-install-secrets/nixos-test.nix
@ -23,6 +23,34 @@
   inherit (pkgs) system;
 };

+  user-passwords = makeTest {
+    name = "sops-user-passwords";
+    machine = {
+      imports = [ ../../modules/sops ];
+      sops = {
+        age.keyFile = ./test-assets/age-keys.txt;
+        defaultSopsFile = ./test-assets/secrets.yaml;
+        secrets.test_key.neededForUsers = true;
+        secrets."nested/test/file".owner = "example-user";
+      };
+
+      users.users.example-user = {
+        isNormalUser = true;
+        passwordFile = "/run/secrets-for-users/test_key";
+      };
+    };
+
+    testScript = ''
+      start_all()
+      machine.succeed("getent shadow example-user | grep -q :test_value:")  # password was set
+      machine.succeed("cat /run/secrets/nested/test/file | grep -q 'another value'")  # regular secrets work...
+      machine.succeed("[ $(stat -c%U /run/secrets/nested/test/file) = example-user ]")  # ...and are owned
+    '';
+  } {
+    inherit pkgs;
+    inherit (pkgs) system;
+  };
+
 age-keys = makeTest {
   name = "sops-age-keys";
   machine = {