about summary refs log tree commit diff
diff options
context:
space:
mode:
authorFranck Cuny <franck@fcuny.net>2022-06-04 18:11:24 -0700
committerFranck Cuny <franck@fcuny.net>2022-06-04 18:14:27 -0700
commitbda6e88cfffd40255a1fa2aaf5eeeaf32060a328 (patch)
tree2ba4eaba984da1c9d0be5f756e154bafa8b17f0e
parentfix(secrets): set the owner for buildkite agent secrets (diff)
downloadworld-bda6e88cfffd40255a1fa2aaf5eeeaf32060a328.tar.gz
fix(secrets): pass group and mode to agenix
It took me a while to understand why the group and mode were not set
correctly for the buildkite agent secrets. This module is an abstraction
on top of agenix to modify the filename and ensure that the owner of the
file is actually defined in the configuration.

This was not passing the group and mode to agenix, which is why these
values were never set.

This change modify the library to check that the group exists (as we do
for the user), and pass the mode down.

Change-Id: I7f8545868986110ad92fa63ef8efe4cd3bbd9b0f
Reviewed-on: https://cl.fcuny.net/c/world/+/282
Reviewed-by: Franck Cuny <franck@fcuny.net>
Diffstat (limited to '')
-rw-r--r--modules/secrets/default.nix10
1 files changed, 8 insertions, 2 deletions
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 296f5fc..04d1bfe 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -11,12 +11,18 @@ in {
     secrets = let
       toName = lib.removeSuffix ".age";
       userExists = u: builtins.hasAttr u config.users.users;
-      # Only set the user if it exists, to avoid warnings
+      groupExists = g: builtins.hasAttr g config.users.groups;
+
+      # Only set the user and/or group if they exist, to avoid warnings
       userIfExists = u: if userExists u then u else "root";
+      groupIfExists = g: if groupExists g then g else "root";
+
       toSecret = name:
-        { owner ? "root", ... }: {
+        { owner ? "root", group ? "root", mode ? "0400", ... }: {
           file = "${secretsDir}/${name}";
           owner = lib.mkDefault (userIfExists owner);
+          group = lib.mkDefault (groupIfExists group);
+          mode = mode;
         };
     in if pathExists secretsFile then
       mapAttrs' (n: v: nameValuePair (toName n) (toSecret n v))