modules/userSecret.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

# "secret" consumer
{ config, lib, ... }:
{
  options.users.users = lib.mkOption {
    type = lib.types.attrsOf (lib.types.submodule {
      options.passwordSecret = lib.mkOption {
        type = lib.types.nullOr config.contracts.secret.consumer;
      };
    });
  };
  config = {
    # TODO other users than root
    users.users.root.passwordFile = lib.mkIf (config.users.users.root.passwordSecret != null) config.users.users.root.passwordSecret.output.path;
   users.users.root.passwordSecret.input = lib.mkIf (config.users.users.root.passwordSecret != null) {
       owner = "root";
       group = "root";
       mode = "0400";
   };
  };
}