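pkgs: config: (
  # Derivation that copies the rekeyed secrets for this host from /tmp into
  # the nix store. Agenix reads them from the store for decryption.
  #
  # NOTE(review): the source directory lives under /tmp, which is normally
  # world-writable, and its name is derived from the public key alone, so it
  # can be created by any local user before the rekey step runs. What gets
  # copied is the (encrypted) rekeyed secrets, so no plaintext is exposed,
  # but a stale or substituted ciphertext would be built in silently —
  # consider a staging location writable only by the rekeying user. Reading
  # /tmp from inside a build also presumably needs a relaxed or disabled
  # sandbox; confirm how the flake configures this.
  pkgs.stdenv.mkDerivation rec {
    pname = "host-secrets";
    version = "1";
    description = "Rekeyed secrets for this host";

    # Listed as derivation attributes so they become build inputs and the
    # derivation is rebuilt whenever the key or any secret file changes.
    pubKeyStr = config.rekey.pubKey;
    secretFiles = pkgs.lib.mapAttrsToList (_: x: x.file) config.rekey.secrets;

    # Nothing to unpack, configure or build: the install phase only copies.
    # Attribute name corrected: stdenv consults `dontMakeSourcesWritable`;
    # the earlier spelling with an extra 'e' was never read by the setup hook
    # (harmless here only because dontUnpack already skips that step).
    dontMakeSourcesWritable = true;
    dontUnpack = true;
    dontConfigure = true;
    dontBuild = true;

    # The directory name is the sha1 of the host's public key, matching the
    # layout `nix run .#rekey` is expected to produce. Fail the build with a
    # hint when it is missing rather than producing an empty output.
    installPhase = ''
      cp -r /tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/. $out \
        || { echo "Warning Secrets not available. Maybe you forgot to run 'nix run .#rekey' to rekey them?"; exit 1; }
    '';
  }
)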