pkg/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2025-12-26 22:24:59 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Support arbitrary environment variables

Browse source 
Should hopefully fix #23
This commit is contained in:
Janne Heß 2021-11-08 11:59:05 +01:00
parent a0d8428a8a
commit 80eb349cc8
No known key found for this signature in database
GPG key ID: 69165158F05265DF
1 changed files with 26 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

28
modules/sops/default.nix
View file

@ -131,6 +131,13 @@ let
symlinkPath = "/run/secrets-for-users";
};
withEnvironment = sopsCall: if cfg.environment == {} then sopsCall else ''
(
${concatStringsSep "\n" (mapAttrsToList (n: v: " export ${n}='${v}'") cfg.environment)}
${sopsCall}
)
'';
in {
options.sops = {
secrets = mkOption {
@ -179,6 +186,21 @@ in {
description = "What to log";
};
environment = mkOption {
type = types.attrsOf types.str;
default = {};
description = ''
Environment variables to set before calling sops-install-secrets.
The values are placed in single quotes and not escaped any further to
allow usage of command substitutions for more flexibility. To properly quote
strings with quotes use lib.escapeShellArg.
This will be evaluated twice when using secrets that use neededForUsers but
in a subshell each time so the environment variables don't collide.
'';
};
age = {
keyFile = mkOption {
type = types.nullOr types.path;
@ -256,10 +278,12 @@ in {
}]) cfg.secrets)
);
sops.environment.SOPS_GPG_EXEC = mkIf (cfg.gnupg.home != null) (mkDefault "${pkgs.gnupg}/bin/gpg");
system.activationScripts = {
setupSecretsForUsers = mkIf (secretsForUsers != {}) (stringAfter ([ "specialfs" ] ++ optional cfg.age.generateKey "generate-age-key") ''
[ -e /run/current-system ] || echo setting up secrets for users...
${optionalString (cfg.gnupg.home != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}
${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}
'' // lib.optionalAttrs (config.system ? dryActivationScript) {
supportsDryActivation = true;
});
@ -270,7 +294,7 @@ in {
setupSecrets = mkIf (regularSecrets != {}) (stringAfter ([ "specialfs" "users" "groups" ] ++ optional cfg.age.generateKey "generate-age-key") ''
[ -e /run/current-system ] || echo setting up secrets...
${optionalString (cfg.gnupg.home != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets ${manifest}
${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets ${manifest}"}
'' // lib.optionalAttrs (config.system ? dryActivationScript) {
supportsDryActivation = true;
});