35 lines
1.5 KiB
Nix
35 lines
1.5 KiB
Nix
|
# This file is intended to be used together with pkgs.nix-plugins,
|
||
|
|
# to provide rage decryption as an additional safe builtin.
|
||
|
|
#
|
||
|
|
# Make sure that nix-plugins is installed by adding the following
|
||
|
|
# statement to your configuration.nix:
|
||
|
|
#
|
||
|
|
# ```nix
|
||
|
|
# {
|
||
|
|
# nix.extraOptions = ''
|
||
|
|
# plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
|
||
|
|
# # Please adjust path accordingly, or leave this out and alternativaly
|
||
|
|
# # pass `--option extra-builtins-file ./extra-builtins.nix` to each invocation
|
||
|
|
# extra-builtins-file = ./extra-builtins.nix
|
||
|
|
# '';
|
||
|
|
# }
|
||
|
|
# ```
|
||
|
|
{exec, ...}: let
|
||
|
|
assertMsg = pred: msg: pred || builtins.throw msg;
|
||
|
|
hasSuffix = suffix: content: let
|
||
|
|
lenContent = builtins.stringLength content;
|
||
|
|
lenSuffix = builtins.stringLength suffix;
|
||
|
|
in
|
||
|
|
lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
|
||
|
|
in {
|
||
|
|
# Instead of calling rage directly here, we call a wrapper script that will cache the output
|
||
|
|
# in a predictable path in /tmp, which allows us to only require the password for each encrypted
|
||
|
|
# file once.
|
||
|
|
rageImportEncrypted = identities: nixFile:
|
||
|
|
assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity.";
|
||
|
|
assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
|
||
|
|
exec ([./rage-decrypt-and-cache.sh nixFile] ++ identities);
|
||
|
|
# currentSystem
|
||
|
|
unsafeCurrentSystem = exec ["nix" "eval" "--impure" "--expr" "builtins.currentSystem"];
|
||
|
|
}
|