path: root/modules/userSecret.nix
blob: b47cc959eb262d695b79b8c9515d8e3153e5c540 (plain)
# "secret" consumer
#
# Extends every `users.users.<name>` entry with a `passwordSecret` option typed
# by the consumer side of the secret contract, and points root's password file
# at the path reported through that contract's `output`.
{ config, lib, ... }:
let
  inherit (lib) mkIf mkOption types;

  # Root's merged user entry; root is the only account wired up so far.
  root = config.users.users.root;

  # NOTE(review): the `passwordSecret.input` definition further down is itself
  # a non-null definition of root's `passwordSecret`, so under `nullOr` this
  # guard presumably never evaluates to false and `passwordFile` ends up set
  # even when nobody configured a secret -- confirm against the consumer type
  # declared in `config.contracts.secret`.
  hasSecret = root.passwordSecret != null;
in
{
  options.users.users = mkOption {
    type = types.attrsOf (types.submodule {
      # No default is declared here; null is the value the guard above treats
      # as "no secret requested".
      options.passwordSecret = mkOption {
        type = types.nullOr config.contracts.secret.consumer;
      };
    });
  };

  # TODO other users than root
  config.users.users.root = {
    # NixOS expects this file to hold a password *hash*, not the plaintext
    # password (newer releases name the option `hashedPasswordFile` -- check
    # the targeted nixpkgs). The path comes from whichever module fills in
    # `output`; presumably it lies outside the world-readable Nix store --
    # verify against the provider.
    passwordFile = mkIf hasSecret root.passwordSecret.output.path;

    # Ask for a file owned by root:root and readable by its owner only, so no
    # other account can read the password material.
    passwordSecret.input = mkIf hasSecret {
      owner = "root";
      group = "root";
      mode = "0400";
    };
  };
}