From bda6e88cfffd40255a1fa2aaf5eeeaf32060a328 Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Sat, 4 Jun 2022 18:11:24 -0700 Subject: fix(secrets): pass group and mode to agenix It took me a while to understand why the group and mode were not set correctly for the buildkite agent secrets. This module is an abstraction on top of agenix to modify the filename and ensure that the owner of the file is actually defined in the configuration. This was not passing the group and mode to agenix, which is why these values were never set. This change modify the library to check that the group exists (as we do for the user), and pass the mode down. Change-Id: I7f8545868986110ad92fa63ef8efe4cd3bbd9b0f Reviewed-on: https://cl.fcuny.net/c/world/+/282 Reviewed-by: Franck Cuny
---
 modules/secrets/default.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'modules/secrets')
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 296f5fc..04d1bfe 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -11,12 +11,18 @@ in {
 secrets = let
 toName = lib.removeSuffix ".age";
 userExists = u: builtins.hasAttr u config.users.users;
- # Only set the user if it exists, to avoid warnings
+ groupExists = g: builtins.hasAttr g config.users.groups;
+
+ # Only set the user and/or group if they exist, to avoid warnings
 userIfExists = u: if userExists u then u else "root";
+ groupIfExists = g: if groupExists g then g else "root";
+
 toSecret = name:
- { owner ? "root", ... }: {
+ { owner ? "root", group ? "root", mode ? "0400", ... }: {
 file = "${secretsDir}/${name}";
 owner = lib.mkDefault (userIfExists owner);
+ group = lib.mkDefault (groupIfExists group);
+ mode = mode;
 };
 in if pathExists secretsFile then
 mapAttrs' (n: v: nameValuePair (toName n) (toSecret n v))
-- cgit 1.4.1
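Review bot: `mode = mode;` is set at normal priority while `owner` and `group` right above it are wrapped in `lib.mkDefault`, so a host module that sets `age.secrets.<name>.mode` directly will hit a conflicting-definitions error instead of overriding this value; for consistency with the two sibling attributes use `mode = lib.mkDefault mode;`. Separately, `groupIfExists` silently substitutes `"root"` when the configured group is absent from `config.users.groups`, which with a group-readable mode such as `"0440"` means the intended service group never gets access and the typo goes unnoticed — the comment should at least say so (`# Unknown groups fall back to root; the secret will then be unreadable by the intended group`), or the fallback could be surfaced with `lib.warn`. The `secrets = let … in if pathExists secretsFile then …` expression continues past the end of the hunk.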