Refuse age keyfile paths that are in the nix store

the-furry-hubofeverything 2024-04-16 17:07:24 -07:00 committed by mergify[bot]
parent 7f49111254
commit 74f03c1a51
3 changed files with 62 additions and 10 deletions


@ -10,6 +10,14 @@ let
};
manifest = manifestFor "" regularSecrets {};
pathNotInStore = lib.mkOptionType {
name = "pathNotInStore";
description = "path not in the Nix store";
descriptionClass = "noun";
check = x: !lib.path.hasStorePathPrefix (/. + x);
merge = lib.mergeEqualOption;
};
regularSecrets = lib.filterAttrs (_: v: !v.neededForUsers) cfg.secrets;
sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable;
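Review bot: The new `check` drops the absolute-path requirement that `lib.types.path` enforced and does not guard the value's type before `/. + x`: a relative string such as `"var/lib/key.txt"` becomes `/var/lib/key.txt` during the check and passes, and a non-string value fails inside the `+` with an evaluation error rather than the option-type message. Reusing the existing predicate keeps both properties, `check = x: lib.types.path.check x && !lib.path.hasStorePathPrefix (/. + x);`. Note also that the check only sees the value's form at evaluation time: a path literal like `./key.txt` outside a flake resolves to an absolute path that is not in the store and so passes, yet if the option is later coerced to a string or serialized (not visible in this hunk) that file would presumably be copied into the store anyway; the `description` should state that `keyFile` must be an absolute string path, not a path literal, or the check should reject `builtins.isPath x` values outright.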
@ -237,7 +245,7 @@ in {
age = {
keyFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
type = lib.types.nullOr pathNotInStore;
default = null;
example = "/var/lib/sops-nix/key.txt";
description = ''