From d93c3bf08e140b09fb4e3aaa87d1591b81f72e9a Mon Sep 17 00:00:00 2001
From: mlatus
Date: Tue, 21 Mar 2023 21:23:20 +0800
Subject: [PATCH] inline option type and submodule

---
 modules/sops/templates/default.nix | 124 ++++++++++++++--------------
 1 file changed, 62 insertions(+), 62 deletions(-)

diff --git a/modules/sops/templates/default.nix b/modules/sops/templates/default.nix
index dd00dd1..6e1eb6a 100644
--- a/modules/sops/templates/default.nix
+++ b/modules/sops/templates/default.nix
@@ -5,69 +5,67 @@ with builtins; let
   cfg = config.sops;
   secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;
 
-  coercibleToString = mkOptionType {
-    name = "coercibleToString";
-    description = "value that can be coerced to string";
-    check = strings.isCoercibleToString;
-    merge = mergeEqualOption;
-  };
-  templateType = submodule ({ config, ... }: {
-    options = {
-      name = mkOption {
-        type = str;
-        default = config._module.args.name;
-        description = ''
-          Name of the file used in /run/secrets-rendered
-        '';
-      };
-      path = mkOption {
-        type = str;
-        default = "/run/secrets-rendered/${config.name}";
-      };
-      content = mkOption {
-        type = lines;
-        default = "";
-        description = ''
-          Content of the file
-        '';
-      };
-      mode = mkOption {
-        type = str;
-        default = "0400";
-        description = ''
-          Permissions mode of the rendered secret file in octal.
-        '';
-      };
-      owner = mkOption {
-        type = str;
-        default = "root";
-        description = ''
-          User of the file.
-        '';
-      };
-      group = mkOption {
-        type = str;
-        default = config.users.users.${config.owner}.group;
-        description = ''
-          Group of the file.
-        '';
-      };
-      file = mkOption {
-        type = types.path;
-        default = pkgs.writeText config.name config.content;
-        visible = false;
-        readOnly = true;
-      };
-    };
-  });
 in {
   options.sops = {
     templates = mkOption {
-      type = attrsOf templateType;
+      type = attrsOf (submodule ({ config, ... }: {
+        options = {
+          name = mkOption {
+            type = str;
+            default = config._module.args.name;
+            description = ''
+              Name of the file used in /run/secrets-rendered
+            '';
+          };
+          path = mkOption {
+            type = str;
+            default = "/run/secrets-rendered/${config.name}";
+          };
+          content = mkOption {
+            type = lines;
+            default = "";
+            description = ''
+              Content of the file
+            '';
+          };
+          mode = mkOption {
+            type = str;
+            default = "0400";
+            description = ''
+              Permissions mode of the rendered secret file in octal.
+            '';
+          };
+          owner = mkOption {
+            type = str;
+            default = "root";
+            description = ''
+              User of the file.
+            '';
+          };
+          group = mkOption {
+            type = str;
+            default = config.users.users.${config.owner}.group;
+            description = ''
+              Group of the file.
+            '';
+          };
+          file = mkOption {
+            type = types.path;
+            default = pkgs.writeText config.name config.content;
+            visible = false;
+            readOnly = true;
+          };
+        };
+      }));
       default = { };
     };
     placeholder = mkOption {
-      type = attrsOf coercibleToString;
+      type = attrsOf (mkOptionType {
+        name = "coercibleToString";
+        description = "value that can be coerced to string";
+        check = strings.isCoercibleToString;
+        merge = mergeEqualOption;
+      });
       default = { };
       visible = false;
     };
@@ -86,11 +84,13 @@ in {
       ${concatMapStringsSep "\n" (name:
         let
           tpl = config.sops.templates.${name};
-          substitute = pkgs.writers.writePython3 "substitute" { } (readFile ./subs.py);
-          subst-pairs = pkgs.writeText "pairs" (concatMapStringsSep "\n" (name:
-            "${toString config.sops.placeholder.${name}} ${
-              config.sops.secrets.${name}.path
-            }") (attrNames config.sops.secrets));
+          substitute = pkgs.writers.writePython3 "substitute" { }
+            (readFile ./subs.py);
+          subst-pairs = pkgs.writeText "pairs" (concatMapStringsSep "\n"
+            (name:
+              "${toString config.sops.placeholder.${name}} ${
+                config.sops.secrets.${name}.path
+              }") (attrNames config.sops.secrets));
         in ''
           mkdir -p "${dirOf tpl.path}"
           (umask 077; ${substitute} ${tpl.file} ${subst-pairs} > ${tpl.path})