Add option for choosing which activation method to use #39

Open. Wants to merge 1 commit into base: master.
26 changes: 22 additions & 4 deletions modules/sops/default.nix
Expand Up @@ -87,6 +87,11 @@ let
sops-install-secrets -check-mode=${if cfg.validateSopsFiles then "sopsfile" else "manifest"} ${manifest}
cp ${manifest} $out
'';

setupScript = ''
echo setting up secrets...
${optionalString (cfg.gnupgHome != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets ${checkedManifest}
'';
in {
options.sops = {
secrets = mkOption {
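Review bot: the factored-out setupScript is now invoked from two different contexts, but only the activation-script caller carries the `stringAfter [ "users" "groups" ]` ordering; add a comment above `setupScript = ''` stating the preconditions it relies on (runs as root, after users and groups exist) so that the systemd caller is held to the same contract. Minor: `echo setting up secrets...` now also lands in the journal for the unit variant, where the unit's description already says this.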
Expand Down Expand Up @@ -140,6 +145,15 @@ in {
This option must be explicitly unset if <literal>config.sops.sshKeyPaths</literal>.
'';
};

activationMethod = mkOption {
type = types.enum [ "script" "systemd" ];
default = "script";
description = ''
Which method to use for setting up secrets. Use `script` for an
activation script, and `systemd` for a systemd unit.
Owner (@Mic92), Nov 1, 2020:

I think systemd is the way to go to use all features of sops-nix. I am thinking about deprecating the activation script method.

Author:

Should I change this PR to reflect this? I'd be happy to do it.

Owner (@Mic92):

I hope I get to hack next weekend again on sops-nix: systemd/systemd#16568 (comment)
I prepared systemd socket activation and with this PR systemd/systemd#17510 I should be able to implement it properly and ready for networked KMS.

Owner (@Mic92):

To be more explicit: with socket-based secret descriptions it is easier to make systemd wait for secrets to become available without having to specify explicit dependencies. This was my major concern with having sops-nix running as a systemd service instead of an activation script. I hope to be able to implement this soonish.
'';
};
};
config = mkIf (cfg.secrets != {}) {
assertions = [{
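Review bot: the description of `activationMethod` names the two mechanisms but not the difference a user has to plan for: with `script` the secrets are installed during activation, before any systemd unit starts, whereas with `systemd` consuming units must order themselves after the setup unit. State that in the description. Also, the neighbouring description at the top of this hunk uses `<literal>config.sops.sshKeyPaths</literal>` markup while the new one uses backticks; write `<literal>script</literal>` and `<literal>systemd</literal>` for consistency.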
Expand All @@ -155,9 +169,13 @@ in {
message = "${sopsFile} is not in the nix store. Either add it to the nix store or set `sops.validateSopsFiles` to false";
}) (builtins.attrNames cfg.secrets);

system.activationScripts.setup-secrets = stringAfter [ "users" "groups" ] ''
echo setting up secrets...
${optionalString (cfg.gnupgHome != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets ${checkedManifest}
'';
system.activationScripts.setup-secrets = mkIf (cfg.activationMethod == "script") (stringAfter [ "users" "groups" ] setupScript);

systemd.services.sops-nix-setup-secrets = mkIf (cfg.activationMethod == "systemd") {
description = "sops-nix secrets setup";
script = setupScript;
serviceConfig.Type = "oneshot";
wantedBy = [ "default.target" ];
};
};
}
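Review bot: `systemd.services.sops-nix-setup-secrets` declares only `wantedBy = [ "default.target" ]`, with no `before` and no `RemainAfterExit`, so nothing guarantees it has finished before units that read the secrets; the activation script it replaces ran after `users` and `groups` and before any unit was started. Add `serviceConfig.RemainAfterExit = true;` so that a oneshot which has already run counts as active for `Requires=`/`After=` from consumers instead of being re-run, and either document that consumers must set `after = [ "sops-nix-setup-secrets.service" ]` or pull the unit in early with a `before` on a target that consumers already order after.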