nix-config/modules/secrets.nix

{
  lib,
  pkgs,
  inputs,
  config,
  ...
}: let
  inherit
    (lib)
    mapAttrs
    assertMsg
    types
    mkOption
    mdDoc
    mkIf
    literalExpression
    ;
  # If the given expression is a bare set, it will be wrapped in a function,
  # so that the imported file can always be applied to the inputs, similar to
  # how modules can be functions or sets.
  constSet = x:
    if builtins.isAttrs x
    then (_: x)
    else x;

  rageImportEncrypted = assert assertMsg (builtins ? extraBuiltins.rageImportEncrypted) "The rageImportEncrypted extra plugin is not loaded";
    builtins.extraBuiltins.rageImportEncrypted;
  # This "imports" an encrypted .nix.age file
  importEncrypted = path:
    constSet (
      if builtins.pathExists path
      then builtins.extraBuiltins.rageImportEncrypted inputs.self.secretsConfig.masterIdentities path
      else {}
    );
  cfg = config.secrets;
in {
  options.secrets = {
    defineRageBuiltins = mkOption {
      default = true;
      type = types.bool;
      description = mdDoc ''
        Add nix plugins and the extra builtins file to the nix config
        Enabling this host to decrypt secret when deploying
      '';
    };

    secretFiles = mkOption {
      default = {};
      type = types.attrsOf types.path;
      example = literalExpression "{ local = ./secrets.nix.age; }";
      description = mdDoc ''
        Files containg secrets for this host.
        As these will end up in the nix store of the host use this for
        secrets that can be publicly known on the host but should be private
        in the repository
      '';
    };

    secrets = mkOption {
      readOnly = true;
      default =
        mapAttrs (_: x: importEncrypted x inputs) cfg.secretFiles;
      description = mdDoc ''
        the secrets decrypted from the secretFiles
      '';
    };
  };
  config = {
    nix.extraOptions = mkIf cfg.defineRageBuiltins ''
            plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
      extra-builtins-file = ${../nix}/extra-builtins.nix
    '';
  };
}
chore: switched to colmena and sane file layout 2023-05-02 15:08:36 +02:00			`{`
feat: modularize secrets 2023-05-27 07:12:18 +02:00			`lib,`
			`pkgs,`
			`inputs,`
			`config,`
chore: switched to colmena and sane file layout 2023-05-02 15:08:36 +02:00			`...`
feat: modularize secrets 2023-05-27 07:12:18 +02:00			`}: let`
chore: switched to colmena and sane file layout 2023-05-02 15:08:36 +02:00			`inherit`
feat: modularize secrets 2023-05-27 07:12:18 +02:00			`(lib)`
chore: switched to colmena and sane file layout 2023-05-02 15:08:36 +02:00			`mapAttrs`
feat: modularize secrets 2023-05-27 07:12:18 +02:00			`assertMsg`
			`types`
			`mkOption`
			`mdDoc`
			`mkIf`
			`literalExpression`
chore: switched to colmena and sane file layout 2023-05-02 15:08:36 +02:00			`;`
			`# If the given expression is a bare set, it will be wrapped in a function,`
			`# so that the imported file can always be applied to the inputs, similar to`
			`# how modules can be functions or sets.`
			`constSet = x:`
			`if builtins.isAttrs x`
			`then (_: x)`
			`else x;`
feat: modularize secrets 2023-05-27 07:12:18 +02:00
			`rageImportEncrypted = assert assertMsg (builtins ? extraBuiltins.rageImportEncrypted) "The rageImportEncrypted extra plugin is not loaded";`
			`builtins.extraBuiltins.rageImportEncrypted;`
chore: switched to colmena and sane file layout 2023-05-02 15:08:36 +02:00			`# This "imports" an encrypted .nix.age file`
			`importEncrypted = path:`
			`constSet (`
			`if builtins.pathExists path`
feat: modularize secrets 2023-05-27 07:12:18 +02:00			`then builtins.extraBuiltins.rageImportEncrypted inputs.self.secretsConfig.masterIdentities path`
chore: switched to colmena and sane file layout 2023-05-02 15:08:36 +02:00			`else {}`
			`);`
feat: modularize secrets 2023-05-27 07:12:18 +02:00			`cfg = config.secrets;`
			`in {`
			`options.secrets = {`
			`defineRageBuiltins = mkOption {`
			`default = true;`
			`type = types.bool;`
			`description = mdDoc ''`
			`Add nix plugins and the extra builtins file to the nix config`
			`Enabling this host to decrypt secret when deploying`
			`'';`
			`};`

			`secretFiles = mkOption {`
			`default = {};`
			`type = types.attrsOf types.path;`
			`example = literalExpression "{ local = ./secrets.nix.age; }";`
			`description = mdDoc ''`
			`Files containg secrets for this host.`
			`As these will end up in the nix store of the host use this for`
			`secrets that can be publicly known on the host but should be private`
			`in the repository`
			`'';`
			`};`

			`secrets = mkOption {`
			`readOnly = true;`
			`default =`
			`mapAttrs (_: x: importEncrypted x inputs) cfg.secretFiles;`
			`description = mdDoc ''`
			`the secrets decrypted from the secretFiles`
			`'';`
			`};`
			`};`
			`config = {`
			`nix.extraOptions = mkIf cfg.defineRageBuiltins ''`
			`plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins`
chore: added hyprland keybind for suspend 2023-06-03 09:56:08 +02:00			`extra-builtins-file = ${../nix}/extra-builtins.nix`
feat: modularize secrets 2023-05-27 07:12:18 +02:00			`'';`
			`};`
			`}`