mirror of
https://github.com/Mic92/sops-nix.git
synced 2025-12-26 14:14:58 +08:00
59 lines
1.8 KiB
Nix
59 lines
1.8 KiB
Nix
{
|
|
writeTextFile,
|
|
cfg,
|
|
lib,
|
|
}:
|
|
|
|
suffix: secrets: templates: extraJson:
|
|
|
|
let
|
|
|
|
failedAssertions = builtins.foldl' (
|
|
acc: secret:
|
|
acc
|
|
++ (lib.optional (!builtins.pathExists secret.sopsFile)
|
|
"Cannot find path '${secret.sopsFile}' set in sops.secrets.${lib.strings.escapeNixIdentifier secret.name}.sopsFile\n"
|
|
)
|
|
++
|
|
lib.optional
|
|
(
|
|
!builtins.isPath secret.sopsFile
|
|
&& !(builtins.isString secret.sopsFile && lib.hasPrefix builtins.storeDir secret.sopsFile)
|
|
)
|
|
"'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false"
|
|
) [ ] (builtins.attrValues secrets);
|
|
|
|
in
|
|
if cfg.validateSopsFiles && failedAssertions != [ ] then
|
|
throw "\nFailed assertions:\n${lib.concatStringsSep "\n" (map (x: "- ${x}") failedAssertions)}"
|
|
else
|
|
writeTextFile {
|
|
name = "manifest${suffix}.json";
|
|
text = builtins.toJSON (
|
|
{
|
|
secrets = builtins.attrValues secrets;
|
|
templates = builtins.attrValues templates;
|
|
# Does this need to be configurable?
|
|
secretsMountPoint = "/run/secrets.d";
|
|
symlinkPath = "/run/secrets";
|
|
keepGenerations = cfg.keepGenerations;
|
|
gnupgHome = cfg.gnupg.home;
|
|
sshKeyPaths = cfg.gnupg.sshKeyPaths;
|
|
ageKeyFile = cfg.age.keyFile;
|
|
ageSshKeyPaths = cfg.age.sshKeyPaths;
|
|
useTmpfs = cfg.useTmpfs;
|
|
placeholderBySecretName = cfg.placeholder;
|
|
userMode = false;
|
|
logging = {
|
|
keyImport = builtins.elem "keyImport" cfg.log;
|
|
secretChanges = builtins.elem "secretChanges" cfg.log;
|
|
};
|
|
}
|
|
// extraJson
|
|
);
|
|
checkPhase = ''
|
|
${cfg.validationPackage}/bin/sops-install-secrets -check-mode=${
|
|
if cfg.validateSopsFiles then "sopsfile" else "manifest"
|
|
} "$out"
|
|
'';
|
|
}
|