added duplicate paths check

jordanisaacs · Nov 11, 2021 · 7377b74 · 7377b74
1 parent bc7900d
commit 7377b74
Showing 1 changed file with 81 additions and 12 deletions.
diff --git a/module/default.nix b/module/default.nix
@@ -4,12 +4,10 @@ with lib;
 let
   cfg = config.homeage;
 
-  # All files are decrypted to /run/user and cleaned up when rebooted
-  startupDecryptFolder = cfg.startupMount;
-
   ageBin = if cfg.isRage then "${cfg.pkg}/bin/rage" else "${cfg.pkg}/bin/age";
+  startupDecryptPath = path: cfg.startupMount + "/" + path;
+  activationDecryptPath = path: cfg.activationMount + "/" + path;
 
-  runtimeDecryptPath = path: cfg.startupMount + "/" + path;
 
   identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.identityPaths);
 
@@ -18,9 +16,9 @@ let
     ${command} ${runtimepath} ${dest}
   '')) destinations);
 
-  decryptSecret = name: { source, path, symlinks, cpOnService, mode, owner, group, ... }:
+  decryptSecret = name: { source, decryptPath, mode, owner, group, lnOnStartup, cpOnStartup, ... }:
     let
-      runtimepath = startupDecryptFolder path;
+      runtimepath = startupDecryptPath decryptPath;
       linksCmds = createFiles "ln -sf" runtimepath lnOnStartup;
       copiesCmds = createFiles "cp -f" runtimepath cpOnStartup;
     in
@@ -140,7 +138,7 @@ in
     };
 
     startupMount = mkOption {
-      type = types.str;
+      type = types.nullOr types.str;
       description = ''
         Absolute path to folder where startup decrypted files are stored.
 
@@ -150,7 +148,7 @@ in
     };
 
     activationMount = mkOption {
-      type = types.str;
+      type = types.nullOr types.str;
       description = "Absolute path to folder where activation decrypted files are stored.";
     };
 
@@ -196,18 +194,89 @@ in
 
   config = mkIf (cfg.file != { }) (mkMerge [
     {
-      assertions = [{
-        assertion = cfg.identityPaths != [ ];
-        message = "secret.identityPaths must be set.";
-      }];
+      assertions =
+        let
+          makePathVal = path: { ${path} = 1; };
+          pathsToCount = with builtins; list:
+            map (path: makePathVal path) list;
+
+          secretRuntimePaths =
+            # [ { path1 = 1} { path2 = 1 } { path1 = 1 } { path3 = 1 }]
+            concatLists
+              # [ [ { path1 = 1} { path2 = 1 } ] [ { path1 = 1 } { path3 = 1 }]
+              (mapAttrsToList
+                (name: value:
+                  (
+                    (if (length value.lnOnStartup > 0 && cfg.startupMount != null) then [
+                      (makePathVal (startupDecryptPath value.decryptPath))
+                    ] else [ ]) ++
+                    (if (length value.lnOnActivation > 0 && cfg.activationMount != null) then [
+                      (makePathVal (activationDecryptPath value.decryptPath))
+                    ] else [ ]) ++
+                    (pathsToCount value.lnOnStartup) ++
+                    (pathsToCount value.lnOnActivation) ++
+                    (pathsToCount value.cpOnStartup) ++
+                    (pathsToCount value.cpOnStartup)
+                  )
+                )
+                cfg.file
+              );
+
+
+          allPaths = secretRuntimePaths ++ (mapAttrsToList
+            (n: v: { "${config.home.homeDirectory}/${v.target}" = 1; })
+            config.home.file);
+
+          dupRuntimePaths =
+            attrNames
+              (filterAttrs
+                (n: v: v > 1)
+                (foldAttrs
+                  (acc: v: acc + v)
+                  0
+                  allPaths
+                )
+              );
+
+          dupsStr = concatStringsSep ", " dupRuntimePaths;
+
+          hasActivationLinks = with builtins;
+            filterAttrs (n: v: (length v.lnOnActivation) > 0) cfg.file;
+
+          hasStartupLinks = with builtins;
+            filterAttrs (n: v: (length v.lnOnStartup) > 0) cfg.file;
+        in
+        [
+          ({
+            assertion = cfg.identityPaths != [ ];
+            message = "secret.identityPaths must be set.";
+          })
+          ({
+            assertion = if hasActivationLinks != { } then cfg.activationMount != null else true;
+            message = "Must set homeage.activationMount if using symlinked activation secrets";
+          })
+          ({
+            assertion = if hasStartupLinks != { } then cfg.startupMount != null else false;
+            message = "Must set homeage.startupMount if using symlinked startup secrets";
+          })
+          ({
+            assertion = dupRuntimePaths == [ ];
+            message = "Conflicting managed target files (including secrets): ${dupsStr}";
+          })
+        ];
 
       systemd.user.services = mkServices;
 
+      home.activation.homeageCheck = hm.dag.entryBefore [ "writeBoundary" ]
+        ''
+      '';
+
       homeage = {
         pkg = lib.mkDefault pkgs.age;
         isRage = lib.mkDefault false;
         identityPaths = lib.mkDefault [ ];
         startupMount = lib.mkDefault "/run/user/$UID/secrets";
+        activationMount = lib.mkDefault null;
       };
     }
   ]);