nix-config/nix/secrets.nix
2023-05-27 14:12:18 +09:00


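# NixOS module: decrypt `.nix.age` secret files at evaluation time through the
# `rageImportEncrypted` extra builtin (supplied by nix-plugins) and expose the
# decrypted expressions under `config.secrets.secrets`.
#
# Security note: whatever is decrypted here becomes part of the evaluated
# configuration and therefore lands in the Nix store of the host, which is
# readable by every local user.  As the `secretFiles` option description says,
# this is only for secrets that may be public on the host but must stay private
# in the repository.
{
  lib,
  pkgs,
  inputs,
  config,
  ...
}: let
  inherit
    (lib)
    mapAttrs
    assertMsg
    types
    mkOption
    mdDoc
    mkIf
    literalExpression
    ;

  # If the given expression is a bare set, it will be wrapped in a function,
  # so that the imported file can always be applied to the inputs, similar to
  # how modules can be functions or sets.
  constSet = x:
    if builtins.isAttrs x
    then (_: x)
    else x;

  # The decryption builtin, guarded by an assertion that yields a readable
  # error instead of a bare "attribute missing" when the nix-plugins extra
  # builtin is not loaded.  Nix evaluates lazily, so the assertion only fires
  # when this binding is forced; every use of the builtin below therefore goes
  # through this name rather than `builtins.extraBuiltins` directly, otherwise
  # the check would never run.
  rageImportEncrypted =
    assert assertMsg (builtins ? extraBuiltins.rageImportEncrypted)
    "The rageImportEncrypted extra plugin is not loaded";
    builtins.extraBuiltins.rageImportEncrypted;

  # This "imports" an encrypted .nix.age file.
  # The decrypted expression (a set or a function) is normalised with
  # `constSet` so the caller can always apply it to the module inputs.
  # A missing file deliberately evaluates to an empty set rather than an
  # error, so a host without that file still builds; note that a mistyped
  # path consequently produces "no secrets" silently instead of failing.
  # NOTE(review): `inputs.self.secretsConfig.masterIdentities` is passed to the
  # plugin as the decryption identities; how the plugin uses them is outside
  # this file.
  importEncrypted = path:
    constSet (
      if builtins.pathExists path
      then rageImportEncrypted inputs.self.secretsConfig.masterIdentities path
      else {}
    );

  cfg = config.secrets;
in {
  options.secrets = {
    # Whether to register the nix-plugins plugin directory and the
    # extra-builtins file in the host's nix configuration (see `config` below).
    defineRageBuiltins = mkOption {
      default = true;
      type = types.bool;
      description = mdDoc ''
        Add nix plugins and the extra builtins file to the nix config
        Enabling this host to decrypt secret when deploying
      '';
    };

    # Name -> path of an encrypted `.nix.age` file.  The paths are copied into
    # the store as-is; only their decrypted content is exposed via `secrets`.
    secretFiles = mkOption {
      default = {};
      type = types.attrsOf types.path;
      example = literalExpression "{ local = ./secrets.nix.age; }";
      description = mdDoc ''
        Files containg secrets for this host.
        As these will end up in the nix store of the host use this for
        secrets that can be publicly known on the host but should be private
        in the repository
      '';
    };

    # Read-only view: each entry of `secretFiles`, decrypted and applied to
    # the flake inputs.  Evaluated lazily, so decryption only happens when a
    # consumer actually reads a secret.
    secrets = mkOption {
      readOnly = true;
      default =
        mapAttrs (_: x: importEncrypted x inputs) cfg.secretFiles;
      description = mdDoc ''
        the secrets decrypted from the secretFiles
      '';
    };
  };

  config = {
    # Load the nix-plugins shared objects and point Nix at the sibling
    # `extra-builtins.nix`, which is what makes `builtins.extraBuiltins`
    # (and thus `rageImportEncrypted`) available on this host.
    nix.extraOptions = mkIf cfg.defineRageBuiltins ''
      plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
      extra-builtins-file = ${./.}/extra-builtins.nix
    '';
  };
}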