# This file is intended to be used together with pkgs.nix-plugins,
# to provide rage decryption as an additional safe builtin.
#
# Make sure that nix-plugins is installed by adding the following
# statement to your configuration.nix:
#
# ```nix
# {
#   nix.extraOptions = ''
#     plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
#     # Please adjust the path accordingly, or leave this out and alternatively
#     # pass `--option extra-builtins-file ./extra-builtins.nix` to each invocation
#     extra-builtins-file = ./extra-builtins.nix
#   '';
# }
# ```
{ exec, ... }:
let
# Returns true when `pred` holds; otherwise aborts evaluation with `msg`.
# Intended for `assert assertMsg cond "reason";` so that a failed assert
# carries a human-readable message instead of the bare expression.
assertMsg = pred: msg: if pred then true else builtins.throw msg;
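# Does `content` end with `suffix`?
#
# Both arguments are run through `toString` first, so a path argument (the
# usual case: `nixFile` in rageImportEncrypted below) is compared by its
# literal absolute path string.  `toString` on a path is documented not to
# copy the file into the store, whereas handing a path directly to
# builtins.stringLength/substring goes through the generic string coercion.
# NOTE(review): on the Nix versions I am aware of that generic coercion copies
# the path into the (world-readable) store and compares the store path instead;
# the suffix result is the same either way, but verify against the Nix version
# in use if the copy matters to you.
#
# suffix:  string (or path) to look for at the end of `content`.
# content: string or path to test.
# Returns a boolean; an empty suffix always matches.
hasSuffix =
  suffix: content:
  let
    s = toString content;
    sfx = toString suffix;
    lenS = builtins.stringLength s;
    lenSfx = builtins.stringLength sfx;
  in
  # Length guard first, so substring is never asked for a negative start.
  lenS >= lenSfx && builtins.substring (lenS - lenSfx) lenSfx s == sfx;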
in
{
# Instead of calling rage directly here, we call a wrapper script that caches the output
# at a predictable path under /tmp, which lets us ask for the password for each encrypted
# file only once. Note that this cache holds plaintext, so its permissions matter: it should
# only be readable by the user running the evaluation.
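# Decrypt `nixFile` (a path ending in `.nix.age`) with rage and hand the
# result back to the caller.  The work is delegated to
# ./rage-decrypt-and-cache.sh, invoked as
#   rage-decrypt-and-cache.sh <nixFile> <identity>...
# and whatever that script prints on stdout is what `exec` returns here.
#
# identities: list of rage identity arguments, appended verbatim after the
#             file.  An empty list is accepted (the script may then prompt
#             for a passphrase; this file does not show that).
# nixFile:    path (not a string) to the encrypted file.
#
# Fails evaluation via assertMsg when nixFile is not a path, does not end
# in .nix.age, or identities is not a list.
#
# NOTE(review): the comment above says the script caches its output at a
# predictable path in /tmp.  That cache is plaintext; this file cannot show
# how it is protected, so confirm the script creates it with owner-only
# permissions (or under a per-user directory) so other local users cannot
# read the decrypted secrets.
rageImportEncrypted =
  identities: nixFile:
  assert assertMsg (builtins.isPath nixFile)
    "The file to decrypt must be given as a path to prevent impurity.";
  assert assertMsg (hasSuffix ".nix.age" nixFile)
    "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
  # Checked explicitly so a wrong argument fails here with a clear message
  # rather than as a type error from the `++` below.
  assert assertMsg (builtins.isList identities)
    "identities must be a list of rage identity arguments.";
  exec ([ ./rage-decrypt-and-cache.sh nixFile ] ++ identities);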
# currentSystem
# The evaluating machine's own system string, obtained by shelling out to a
# nested `nix eval --impure --expr builtins.currentSystem` through `exec`.
# "unsafe" because the answer depends on the host doing the evaluation (and,
# presumably, on which `nix` binary the spawned process resolves — nothing
# here pins it), so the result is impure by construction.
unsafeCurrentSystem =
  let
    argv = [ "nix" "eval" "--impure" "--expr" "builtins.currentSystem" ];
  in
  exec argv;
}