mirror of
https://github.com/Mic92/sops-nix.git
synced 2026-07-17 14:35:25 +08:00
reformat code base with nixfmt
This commit is contained in:
parent
b05bdb2650
commit
6b85086bcc
24 changed files with 1592 additions and 1159 deletions
|
|
@ -1,4 +1,9 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.sops;
|
||||
|
|
@ -7,7 +12,7 @@ let
|
|||
inherit cfg;
|
||||
inherit (pkgs) writeTextFile;
|
||||
};
|
||||
manifest = manifestFor "" regularSecrets regularTemplates {};
|
||||
manifest = manifestFor "" regularSecrets regularTemplates { };
|
||||
|
||||
# Currently, all templates are "regular" (there's no support for `neededForUsers` for templates.)
|
||||
regularTemplates = cfg.templates;
|
||||
|
|
@ -25,138 +30,165 @@ let
|
|||
withEnvironment = import ./with-environment.nix {
|
||||
inherit cfg lib;
|
||||
};
|
||||
secretType = lib.types.submodule ({ config, ... }: {
|
||||
config = {
|
||||
sopsFile = lib.mkOptionDefault cfg.defaultSopsFile;
|
||||
sopsFileHash = lib.mkOptionDefault (lib.optionalString cfg.validateSopsFiles "${builtins.hashFile "sha256" config.sopsFile}");
|
||||
};
|
||||
options = {
|
||||
name = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = config._module.args.name;
|
||||
description = ''
|
||||
Name of the file used in /run/secrets
|
||||
'';
|
||||
secretType = lib.types.submodule (
|
||||
{ config, ... }:
|
||||
{
|
||||
config = {
|
||||
sopsFile = lib.mkOptionDefault cfg.defaultSopsFile;
|
||||
sopsFileHash = lib.mkOptionDefault (
|
||||
lib.optionalString cfg.validateSopsFiles "${builtins.hashFile "sha256" config.sopsFile}"
|
||||
);
|
||||
};
|
||||
key = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = config._module.args.name;
|
||||
description = ''
|
||||
Key used to lookup in the sops file.
|
||||
No tested data structures are supported right now.
|
||||
This option is ignored if format is binary.
|
||||
'';
|
||||
options = {
|
||||
name = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = config._module.args.name;
|
||||
description = ''
|
||||
Name of the file used in /run/secrets
|
||||
'';
|
||||
};
|
||||
key = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = config._module.args.name;
|
||||
description = ''
|
||||
Key used to lookup in the sops file.
|
||||
No tested data structures are supported right now.
|
||||
This option is ignored if format is binary.
|
||||
'';
|
||||
};
|
||||
path = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default =
|
||||
if config.neededForUsers then
|
||||
"/run/secrets-for-users/${config.name}"
|
||||
else
|
||||
"/run/secrets/${config.name}";
|
||||
defaultText = "/run/secrets-for-users/$name when neededForUsers is set, /run/secrets/$name when otherwise.";
|
||||
description = ''
|
||||
Path where secrets are symlinked to.
|
||||
If the default is kept no symlink is created.
|
||||
'';
|
||||
};
|
||||
format = lib.mkOption {
|
||||
type = lib.types.enum [
|
||||
"yaml"
|
||||
"json"
|
||||
"binary"
|
||||
"dotenv"
|
||||
"ini"
|
||||
];
|
||||
default = cfg.defaultSopsFormat;
|
||||
description = ''
|
||||
File format used to decrypt the sops secret.
|
||||
Binary files are written to the target file as is.
|
||||
'';
|
||||
};
|
||||
mode = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "0400";
|
||||
description = ''
|
||||
Permissions mode of the in octal.
|
||||
'';
|
||||
};
|
||||
owner = lib.mkOption {
|
||||
type = with lib.types; nullOr str;
|
||||
default = "root";
|
||||
description = ''
|
||||
User of the file. Can only be set if uid is 0.
|
||||
'';
|
||||
};
|
||||
uid = lib.mkOption {
|
||||
type = with lib.types; nullOr int;
|
||||
default = 0;
|
||||
description = ''
|
||||
UID of the file, only applied when owner is null. The UID will be applied even if the corresponding user doesn't exist.
|
||||
'';
|
||||
};
|
||||
group = lib.mkOption {
|
||||
type = with lib.types; nullOr str;
|
||||
default = "staff";
|
||||
defaultText = "staff";
|
||||
description = ''
|
||||
Group of the file. Can only be set if gid is 0.
|
||||
'';
|
||||
};
|
||||
gid = lib.mkOption {
|
||||
type = with lib.types; nullOr int;
|
||||
default = 0;
|
||||
description = ''
|
||||
GID of the file, only applied when group is null. The GID will be applied even if the corresponding group doesn't exist.
|
||||
'';
|
||||
};
|
||||
sopsFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
defaultText = lib.literalExpression "\${config.sops.defaultSopsFile}";
|
||||
description = ''
|
||||
Sops file the secret is loaded from.
|
||||
'';
|
||||
};
|
||||
sopsFileHash = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
readOnly = true;
|
||||
description = ''
|
||||
Hash of the sops file.
|
||||
'';
|
||||
};
|
||||
neededForUsers = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
**Warning** This option doesn't have any effect on macOS, as nix-darwin cannot manage user passwords on macOS.
|
||||
This can be used to retrieve user's passwords from sops-nix.
|
||||
Setting this option moves the secret to /run/secrets-for-users and disallows setting owner and group to anything else than root.
|
||||
'';
|
||||
};
|
||||
};
|
||||
path = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = if config.neededForUsers then "/run/secrets-for-users/${config.name}" else "/run/secrets/${config.name}";
|
||||
defaultText = "/run/secrets-for-users/$name when neededForUsers is set, /run/secrets/$name when otherwise.";
|
||||
description = ''
|
||||
Path where secrets are symlinked to.
|
||||
If the default is kept no symlink is created.
|
||||
'';
|
||||
};
|
||||
format = lib.mkOption {
|
||||
type = lib.types.enum ["yaml" "json" "binary" "dotenv" "ini"];
|
||||
default = cfg.defaultSopsFormat;
|
||||
description = ''
|
||||
File format used to decrypt the sops secret.
|
||||
Binary files are written to the target file as is.
|
||||
'';
|
||||
};
|
||||
mode = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "0400";
|
||||
description = ''
|
||||
Permissions mode of the in octal.
|
||||
'';
|
||||
};
|
||||
owner = lib.mkOption {
|
||||
type = with lib.types; nullOr str;
|
||||
default = "root";
|
||||
description = ''
|
||||
User of the file. Can only be set if uid is 0.
|
||||
'';
|
||||
};
|
||||
uid = lib.mkOption {
|
||||
type = with lib.types; nullOr int;
|
||||
default = 0;
|
||||
description = ''
|
||||
UID of the file, only applied when owner is null. The UID will be applied even if the corresponding user doesn't exist.
|
||||
'';
|
||||
};
|
||||
group = lib.mkOption {
|
||||
type = with lib.types; nullOr str;
|
||||
default = "staff";
|
||||
defaultText = "staff";
|
||||
description = ''
|
||||
Group of the file. Can only be set if gid is 0.
|
||||
'';
|
||||
};
|
||||
gid = lib.mkOption {
|
||||
type = with lib.types; nullOr int;
|
||||
default = 0;
|
||||
description = ''
|
||||
GID of the file, only applied when group is null. The GID will be applied even if the corresponding group doesn't exist.
|
||||
'';
|
||||
};
|
||||
sopsFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
defaultText = lib.literalExpression "\${config.sops.defaultSopsFile}";
|
||||
description = ''
|
||||
Sops file the secret is loaded from.
|
||||
'';
|
||||
};
|
||||
sopsFileHash = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
readOnly = true;
|
||||
description = ''
|
||||
Hash of the sops file.
|
||||
'';
|
||||
};
|
||||
neededForUsers = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
**Warning** This option doesn't have any effect on macOS, as nix-darwin cannot manage user passwords on macOS.
|
||||
This can be used to retrieve user's passwords from sops-nix.
|
||||
Setting this option moves the secret to /run/secrets-for-users and disallows setting owner and group to anything else than root.
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
}
|
||||
);
|
||||
|
||||
darwinSSHKeys = [{
|
||||
type = "rsa";
|
||||
path = "/etc/ssh/ssh_host_rsa_key";
|
||||
} {
|
||||
type = "ed25519";
|
||||
path = "/etc/ssh/ssh_host_ed25519_key";
|
||||
}];
|
||||
darwinSSHKeys = [
|
||||
{
|
||||
type = "rsa";
|
||||
path = "/etc/ssh/ssh_host_rsa_key";
|
||||
}
|
||||
{
|
||||
type = "ed25519";
|
||||
path = "/etc/ssh/ssh_host_ed25519_key";
|
||||
}
|
||||
];
|
||||
|
||||
escapedKeyFile = lib.escapeShellArg cfg.age.keyFile;
|
||||
# Skip ssh keys deployed with sops to avoid a catch 22
|
||||
defaultImportKeys = algo:
|
||||
map (e: e.path) (lib.filter (e: e.type == algo && !(lib.hasPrefix "/run/secrets" e.path)) darwinSSHKeys);
|
||||
defaultImportKeys =
|
||||
algo:
|
||||
map (e: e.path) (
|
||||
lib.filter (e: e.type == algo && !(lib.hasPrefix "/run/secrets" e.path)) darwinSSHKeys
|
||||
);
|
||||
|
||||
installScript = ''
|
||||
${if cfg.age.generateKey then ''
|
||||
if [[ ! -f ${escapedKeyFile} ]]; then
|
||||
echo generating machine-specific age key...
|
||||
mkdir -p $(dirname ${escapedKeyFile})
|
||||
# age-keygen sets 0600 by default, no need to chmod.
|
||||
${pkgs.age}/bin/age-keygen -o ${escapedKeyFile}
|
||||
fi
|
||||
'' else ""}
|
||||
${
|
||||
if cfg.age.generateKey then
|
||||
''
|
||||
if [[ ! -f ${escapedKeyFile} ]]; then
|
||||
echo generating machine-specific age key...
|
||||
mkdir -p $(dirname ${escapedKeyFile})
|
||||
# age-keygen sets 0600 by default, no need to chmod.
|
||||
${pkgs.age}/bin/age-keygen -o ${escapedKeyFile}
|
||||
fi
|
||||
''
|
||||
else
|
||||
""
|
||||
}
|
||||
echo "Setting up secrets..."
|
||||
${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets ${manifest}"}
|
||||
'';
|
||||
|
||||
in {
|
||||
in
|
||||
{
|
||||
options.sops = {
|
||||
secrets = lib.mkOption {
|
||||
type = lib.types.attrsOf secretType;
|
||||
default = {};
|
||||
default = { };
|
||||
description = ''
|
||||
Path where the latest secrets are mounted to.
|
||||
'';
|
||||
|
|
@ -195,14 +227,22 @@ in {
|
|||
};
|
||||
|
||||
log = lib.mkOption {
|
||||
type = lib.types.listOf (lib.types.enum [ "keyImport" "secretChanges" ]);
|
||||
default = [ "keyImport" "secretChanges" ];
|
||||
type = lib.types.listOf (
|
||||
lib.types.enum [
|
||||
"keyImport"
|
||||
"secretChanges"
|
||||
]
|
||||
);
|
||||
default = [
|
||||
"keyImport"
|
||||
"secretChanges"
|
||||
];
|
||||
description = "What to log";
|
||||
};
|
||||
|
||||
environment = lib.mkOption {
|
||||
type = lib.types.attrsOf (lib.types.either lib.types.str lib.types.path);
|
||||
default = {};
|
||||
default = { };
|
||||
description = ''
|
||||
Environment variables to set before calling sops-install-secrets.
|
||||
|
||||
|
|
@ -217,7 +257,7 @@ in {
|
|||
|
||||
package = lib.mkOption {
|
||||
type = lib.types.package;
|
||||
default = (pkgs.callPackage ../.. {}).sops-install-secrets;
|
||||
default = (pkgs.callPackage ../.. { }).sops-install-secrets;
|
||||
defaultText = lib.literalExpression "(pkgs.callPackage ../.. {}).sops-install-secrets";
|
||||
description = ''
|
||||
sops-install-secrets package to use.
|
||||
|
|
@ -227,9 +267,10 @@ in {
|
|||
validationPackage = lib.mkOption {
|
||||
type = lib.types.package;
|
||||
default =
|
||||
if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform
|
||||
then sops-install-secrets
|
||||
else (pkgs.pkgsBuildHost.callPackage ../.. {}).sops-install-secrets;
|
||||
if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform then
|
||||
sops-install-secrets
|
||||
else
|
||||
(pkgs.pkgsBuildHost.callPackage ../.. { }).sops-install-secrets;
|
||||
defaultText = lib.literalExpression "config.sops.package";
|
||||
|
||||
description = ''
|
||||
|
|
@ -296,30 +337,46 @@ in {
|
|||
];
|
||||
|
||||
config = lib.mkMerge [
|
||||
(lib.mkIf (cfg.secrets != {}) {
|
||||
assertions = [{
|
||||
assertion = cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [] || cfg.age.keyFile != null || cfg.age.sshKeyPaths != [];
|
||||
message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home";
|
||||
} {
|
||||
assertion = !(cfg.gnupg.home != null && cfg.gnupg.sshKeyPaths != []);
|
||||
message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set";
|
||||
}] ++ lib.optionals cfg.validateSopsFiles (
|
||||
lib.concatLists (lib.mapAttrsToList (name: secret: [{
|
||||
assertion = builtins.pathExists secret.sopsFile;
|
||||
message = "Cannot find path '${secret.sopsFile}' set in sops.secrets.${lib.strings.escapeNixIdentifier name}.sopsFile";
|
||||
} {
|
||||
assertion =
|
||||
builtins.isPath secret.sopsFile ||
|
||||
(builtins.isString secret.sopsFile && lib.hasPrefix builtins.storeDir secret.sopsFile);
|
||||
message = "'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false";
|
||||
} {
|
||||
assertion = secret.uid != null && secret.uid != 0 -> secret.owner == null;
|
||||
message = "In ${secret.name} exactly one of sops.owner and sops.uid must be set";
|
||||
} {
|
||||
assertion = secret.gid != null && secret.gid != 0 -> secret.group == null;
|
||||
message = "In ${secret.name} exactly one of sops.group and sops.gid must be set";
|
||||
}]) cfg.secrets)
|
||||
);
|
||||
(lib.mkIf (cfg.secrets != { }) {
|
||||
assertions =
|
||||
[
|
||||
{
|
||||
assertion =
|
||||
cfg.gnupg.home != null
|
||||
|| cfg.gnupg.sshKeyPaths != [ ]
|
||||
|| cfg.age.keyFile != null
|
||||
|| cfg.age.sshKeyPaths != [ ];
|
||||
message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home";
|
||||
}
|
||||
{
|
||||
assertion = !(cfg.gnupg.home != null && cfg.gnupg.sshKeyPaths != [ ]);
|
||||
message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set";
|
||||
}
|
||||
]
|
||||
++ lib.optionals cfg.validateSopsFiles (
|
||||
lib.concatLists (
|
||||
lib.mapAttrsToList (name: secret: [
|
||||
{
|
||||
assertion = builtins.pathExists secret.sopsFile;
|
||||
message = "Cannot find path '${secret.sopsFile}' set in sops.secrets.${lib.strings.escapeNixIdentifier name}.sopsFile";
|
||||
}
|
||||
{
|
||||
assertion =
|
||||
builtins.isPath secret.sopsFile
|
||||
|| (builtins.isString secret.sopsFile && lib.hasPrefix builtins.storeDir secret.sopsFile);
|
||||
message = "'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false";
|
||||
}
|
||||
{
|
||||
assertion = secret.uid != null && secret.uid != 0 -> secret.owner == null;
|
||||
message = "In ${secret.name} exactly one of sops.owner and sops.uid must be set";
|
||||
}
|
||||
{
|
||||
assertion = secret.gid != null && secret.gid != 0 -> secret.group == null;
|
||||
message = "In ${secret.name} exactly one of sops.group and sops.gid must be set";
|
||||
}
|
||||
]) cfg.secrets
|
||||
)
|
||||
);
|
||||
|
||||
system.build.sops-nix-manifest = manifest;
|
||||
system.activationScripts = {
|
||||
|
|
@ -336,7 +393,9 @@ in {
|
|||
})
|
||||
|
||||
{
|
||||
sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != []) (lib.mkDefault "${pkgs.gnupg}/bin/gpg");
|
||||
sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
|
||||
lib.mkDefault "${pkgs.gnupg}/bin/gpg"
|
||||
);
|
||||
}
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,26 +4,31 @@ suffix: secrets: extraJson:
|
|||
|
||||
writeTextFile {
|
||||
name = "manifest${suffix}.json";
|
||||
text = builtins.toJSON ({
|
||||
secrets = builtins.attrValues secrets;
|
||||
# Does this need to be configurable?
|
||||
secretsMountPoint = "/run/secrets.d";
|
||||
symlinkPath = "/run/secrets";
|
||||
keepGenerations = cfg.keepGenerations;
|
||||
gnupgHome = cfg.gnupg.home;
|
||||
sshKeyPaths = cfg.gnupg.sshKeyPaths;
|
||||
ageKeyFile = cfg.age.keyFile;
|
||||
ageSshKeyPaths = cfg.age.sshKeyPaths;
|
||||
useTmpfs = false;
|
||||
templates = cfg.templates;
|
||||
placeholderBySecretName = cfg.placeholder;
|
||||
userMode = false;
|
||||
logging = {
|
||||
keyImport = builtins.elem "keyImport" cfg.log;
|
||||
secretChanges = builtins.elem "secretChanges" cfg.log;
|
||||
};
|
||||
} // extraJson);
|
||||
text = builtins.toJSON (
|
||||
{
|
||||
secrets = builtins.attrValues secrets;
|
||||
# Does this need to be configurable?
|
||||
secretsMountPoint = "/run/secrets.d";
|
||||
symlinkPath = "/run/secrets";
|
||||
keepGenerations = cfg.keepGenerations;
|
||||
gnupgHome = cfg.gnupg.home;
|
||||
sshKeyPaths = cfg.gnupg.sshKeyPaths;
|
||||
ageKeyFile = cfg.age.keyFile;
|
||||
ageSshKeyPaths = cfg.age.sshKeyPaths;
|
||||
useTmpfs = false;
|
||||
templates = cfg.templates;
|
||||
placeholderBySecretName = cfg.placeholder;
|
||||
userMode = false;
|
||||
logging = {
|
||||
keyImport = builtins.elem "keyImport" cfg.log;
|
||||
secretChanges = builtins.elem "secretChanges" cfg.log;
|
||||
};
|
||||
}
|
||||
// extraJson
|
||||
);
|
||||
checkPhase = ''
|
||||
${cfg.validationPackage}/bin/sops-install-secrets -check-mode=${if cfg.validateSopsFiles then "sopsfile" else "manifest"} "$out"
|
||||
${cfg.validationPackage}/bin/sops-install-secrets -check-mode=${
|
||||
if cfg.validateSopsFiles then "sopsfile" else "manifest"
|
||||
} "$out"
|
||||
'';
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,8 +1,14 @@
|
|||
{ lib, options, config, pkgs, ... }:
|
||||
{
|
||||
lib,
|
||||
options,
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.sops;
|
||||
secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;
|
||||
templatesForUsers = {}; # We do not currently support `neededForUsers` for templates.
|
||||
templatesForUsers = { }; # We do not currently support `neededForUsers` for templates.
|
||||
manifestFor = pkgs.callPackage ../manifest-for.nix {
|
||||
inherit cfg;
|
||||
inherit (pkgs) writeTextFile;
|
||||
|
|
@ -22,16 +28,21 @@ let
|
|||
in
|
||||
{
|
||||
|
||||
assertions = [{
|
||||
assertion = (lib.filterAttrs (_: v: (v.uid != 0 && v.owner != "root") || (v.gid != 0 && v.group != "root")) secretsForUsers) == { };
|
||||
message = "neededForUsers cannot be used for secrets that are not root-owned";
|
||||
}];
|
||||
assertions = [
|
||||
{
|
||||
assertion =
|
||||
(lib.filterAttrs (
|
||||
_: v: (v.uid != 0 && v.owner != "root") || (v.gid != 0 && v.group != "root")
|
||||
) secretsForUsers) == { };
|
||||
message = "neededForUsers cannot be used for secrets that are not root-owned";
|
||||
}
|
||||
];
|
||||
|
||||
system.activationScripts = lib.mkIf (secretsForUsers != []) {
|
||||
system.activationScripts = lib.mkIf (secretsForUsers != [ ]) {
|
||||
postActivation.text = lib.mkAfter installScript;
|
||||
};
|
||||
|
||||
launchd.daemons.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != []) {
|
||||
launchd.daemons.sops-install-secrets-for-users = lib.mkIf (secretsForUsers != [ ]) {
|
||||
command = installScript;
|
||||
serviceConfig = {
|
||||
RunAtLoad = true;
|
||||
|
|
|
|||
|
|
@ -1,87 +1,102 @@
|
|||
{ config, pkgs, lib, options, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
options,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib)
|
||||
mkOption
|
||||
mkDefault
|
||||
mapAttrs
|
||||
types
|
||||
;
|
||||
in {
|
||||
;
|
||||
in
|
||||
{
|
||||
options.sops = {
|
||||
templates = mkOption {
|
||||
description = "Templates for secret files";
|
||||
type = types.attrsOf (types.submodule ({ config, ... }: {
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = types.singleLineStr;
|
||||
default = config._module.args.name;
|
||||
description = ''
|
||||
Name of the file used in /run/secrets/rendered
|
||||
'';
|
||||
};
|
||||
path = mkOption {
|
||||
description = "Path where the rendered file will be placed";
|
||||
type = types.singleLineStr;
|
||||
default = "/run/secrets/rendered/${config.name}";
|
||||
};
|
||||
content = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
Content of the file
|
||||
'';
|
||||
};
|
||||
mode = mkOption {
|
||||
type = types.singleLineStr;
|
||||
default = "0400";
|
||||
description = ''
|
||||
Permissions mode of the rendered secret file in octal.
|
||||
'';
|
||||
};
|
||||
owner = mkOption {
|
||||
type = types.singleLineStr;
|
||||
default = "root";
|
||||
description = ''
|
||||
User of the file.
|
||||
'';
|
||||
};
|
||||
group = mkOption {
|
||||
type = types.singleLineStr;
|
||||
default = "staff";
|
||||
defaultText = "staff";
|
||||
description = ''
|
||||
Group of the file. Default on darwin in staff.
|
||||
'';
|
||||
};
|
||||
file = mkOption {
|
||||
type = types.path;
|
||||
default = pkgs.writeText config.name config.content;
|
||||
defaultText = lib.literalExpression ''pkgs.writeText config.name config.content'';
|
||||
example = "./configuration-template.conf";
|
||||
description = ''
|
||||
File used as the template. When this value is specified, `sops.templates.<name>.content` is ignored.
|
||||
'';
|
||||
};
|
||||
};
|
||||
}));
|
||||
type = types.attrsOf (
|
||||
types.submodule (
|
||||
{ config, ... }:
|
||||
{
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = types.singleLineStr;
|
||||
default = config._module.args.name;
|
||||
description = ''
|
||||
Name of the file used in /run/secrets/rendered
|
||||
'';
|
||||
};
|
||||
path = mkOption {
|
||||
description = "Path where the rendered file will be placed";
|
||||
type = types.singleLineStr;
|
||||
default = "/run/secrets/rendered/${config.name}";
|
||||
};
|
||||
content = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
Content of the file
|
||||
'';
|
||||
};
|
||||
mode = mkOption {
|
||||
type = types.singleLineStr;
|
||||
default = "0400";
|
||||
description = ''
|
||||
Permissions mode of the rendered secret file in octal.
|
||||
'';
|
||||
};
|
||||
owner = mkOption {
|
||||
type = types.singleLineStr;
|
||||
default = "root";
|
||||
description = ''
|
||||
User of the file.
|
||||
'';
|
||||
};
|
||||
group = mkOption {
|
||||
type = types.singleLineStr;
|
||||
default = "staff";
|
||||
defaultText = "staff";
|
||||
description = ''
|
||||
Group of the file. Default on darwin in staff.
|
||||
'';
|
||||
};
|
||||
file = mkOption {
|
||||
type = types.path;
|
||||
default = pkgs.writeText config.name config.content;
|
||||
defaultText = lib.literalExpression ''pkgs.writeText config.name config.content'';
|
||||
example = "./configuration-template.conf";
|
||||
description = ''
|
||||
File used as the template. When this value is specified, `sops.templates.<name>.content` is ignored.
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
);
|
||||
default = { };
|
||||
};
|
||||
placeholder = mkOption {
|
||||
type = types.attrsOf (types.mkOptionType {
|
||||
name = "coercibleToString";
|
||||
description = "value that can be coerced to string";
|
||||
check = lib.strings.isConvertibleWithToString;
|
||||
merge = lib.mergeEqualOption;
|
||||
});
|
||||
type = types.attrsOf (
|
||||
types.mkOptionType {
|
||||
name = "coercibleToString";
|
||||
description = "value that can be coerced to string";
|
||||
check = lib.strings.isConvertibleWithToString;
|
||||
merge = lib.mergeEqualOption;
|
||||
}
|
||||
);
|
||||
default = { };
|
||||
visible = false;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.optionalAttrs (options ? sops.secrets)
|
||||
(lib.mkIf (config.sops.templates != { }) {
|
||||
sops.placeholder = mapAttrs
|
||||
(name: _: mkDefault "<SOPS:${builtins.hashString "sha256" name}:PLACEHOLDER>")
|
||||
config.sops.secrets;
|
||||
});
|
||||
config = lib.optionalAttrs (options ? sops.secrets) (
|
||||
lib.mkIf (config.sops.templates != { }) {
|
||||
sops.placeholder = mapAttrs (
|
||||
name: _: mkDefault "<SOPS:${builtins.hashString "sha256" name}:PLACEHOLDER>"
|
||||
) config.sops.secrets;
|
||||
}
|
||||
);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,12 +2,13 @@
|
|||
|
||||
sopsCall:
|
||||
|
||||
if cfg.environment == {} then
|
||||
if cfg.environment == { } then
|
||||
sopsCall
|
||||
else ''
|
||||
(
|
||||
# shellcheck disable=SC2030,SC2031
|
||||
${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: " export ${n}='${v}'") cfg.environment)}
|
||||
${sopsCall}
|
||||
)
|
||||
''
|
||||
else
|
||||
''
|
||||
(
|
||||
# shellcheck disable=SC2030,SC2031
|
||||
${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: " export ${n}='${v}'") cfg.environment)}
|
||||
${sopsCall}
|
||||
)
|
||||
''
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue