pkg/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2025-12-26 22:24:59 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #135 from Mic92/feat/environment

Browse source 
Support arbitrary environment variables
This commit is contained in:
Jörg Thalheim 2021-11-09 22:45:17 +00:00 committed by GitHub
commit a8cbd0c796
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

28
modules/sops/default.nix
View file

@ -131,6 +131,13 @@ let
symlinkPath = "/run/secrets-for-users";
};
withEnvironment = sopsCall: if cfg.environment == {} then sopsCall else ''
(
${concatStringsSep "\n" (mapAttrsToList (n: v: " export ${n}='${v}'") cfg.environment)}
${sopsCall}
)
'';
in {
options.sops = {
secrets = mkOption {
@ -179,6 +186,21 @@ in {
description = "What to log";
};
environment = mkOption {
type = types.attrsOf types.str;
default = {};
description = ''
Environment variables to set before calling sops-install-secrets.
The values are placed in single quotes and not escaped any further to
allow usage of command substitutions for more flexibility. To properly quote
strings with quotes use lib.escapeShellArg.
This will be evaluated twice when using secrets that use neededForUsers but
in a subshell each time so the environment variables don't collide.
'';
};
age = {
keyFile = mkOption {
type = types.nullOr types.path;
@ -256,10 +278,12 @@ in {
}]) cfg.secrets)
);
sops.environment.SOPS_GPG_EXEC = mkIf (cfg.gnupg.home != null) (mkDefault "${pkgs.gnupg}/bin/gpg");
system.activationScripts = {
setupSecretsForUsers = mkIf (secretsForUsers != {}) (stringAfter ([ "specialfs" ] ++ optional cfg.age.generateKey "generate-age-key") ''
[ -e /run/current-system ] || echo setting up secrets for users...
${optionalString (cfg.gnupg.home != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}
${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets -ignore-passwd ${manifestForUsers}"}
'' // lib.optionalAttrs (config.system ? dryActivationScript) {
supportsDryActivation = true;
});
@ -270,7 +294,7 @@ in {
setupSecrets = mkIf (regularSecrets != {}) (stringAfter ([ "specialfs" "users" "groups" ] ++ optional cfg.age.generateKey "generate-age-key") ''
[ -e /run/current-system ] || echo setting up secrets...
${optionalString (cfg.gnupg.home != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets ${manifest}
${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets ${manifest}"}
'' // lib.optionalAttrs (config.system ? dryActivationScript) {
supportsDryActivation = true;
});