nixosModule = { config, lib, pkgs, ... }: {
options.secrets = with lib; {
keys = mkOption {
- type = types.listOf types.unspecified;
- default = [];
- description = "Keys to upload to server";
+ type = types.attrsOf (types.submodule {
+ options = {
+ isTemplated = mkOption {
+ type = types.bool;
+ default = true;
+ description = "If the file is a gucci template that needs to be resolved";
+ };
+ isDir = mkOption {
+ type = types.bool;
+ default = false;
+ description = "If the entry is a directory";
+ };
+ group = mkOption {
+ type = types.str;
+ default = "root";
+ description = "Group to associate to the entry";
+ };
+ user = mkOption {
+ type = types.str;
+ default = "root";
+ description = "User to associate to the entry";
+ };
+ permissions = mkOption {
+ type = types.str;
+ default = "0600";
+ description = "Permissions to associate to the entry";
+ };
+ text = mkOption {
+ type = types.str;
+ description = "Content of the entry";
+ };
+ };
+ });
+ default = {};
+ description = "Keys attrs to upload to the server";
+ apply = lib.mapAttrsToList (dest: v: v // { inherit dest; });
};
gpgKeys = mkOption {
type = types.listOf types.path;
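Review bot: The new `permissions` option is typed `types.str` with no validation, so a bad value such as `"600"` or `"rwx"` is only discovered when the builder runs it; `type = types.strMatching "[0-7]{3,4}";` rejects it at evaluation time instead. The attribute name is turned into `dest` by the `apply` on the last changed line and is later interpolated unquoted into shell fragments (`mkdir -p secrets/${v.dest}`, `-path $TMP/${d.dest}` in the following hunks), so a name containing whitespace or shell metacharacters yields a different command than intended; one check in `apply` covers every consumer: `apply = lib.mapAttrsToList (dest: v: assert builtins.match "[A-Za-z0-9._/-]+" dest != null; v // { inherit dest; });`. The `text` option's description should also state that its value is interpolated into the `runCommand` build script (the `echo -n ${lib.strings.escapeShellArg v.text}` line below), which means it is written into the derivation in the Nix store rather than existing only inside the encrypted archive.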
location = config.secrets.location;
keys = config.secrets.keys;
empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
- fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}";
+ fpath = v: "secrets/${v.dest}${lib.optionalString v.isTemplated ".gucci.tpl"}";
dumpKey = v:
- if v.isDir or false then
+ if v.isDir then
''
mkdir -p secrets/${v.dest}
cat >> mods <<EOF
- ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
+ ${v.user} ${v.group} ${v.permissions} secrets/${v.dest}
EOF
''
else ''
mkdir -p secrets/$(dirname ${v.dest})
echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v}
cat >> mods <<EOF
- ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v}
+ ${v.user} ${v.group} ${v.permissions} ${fpath v}
EOF
'';
secrets = pkgs.runCommand "secrets.tar.enc" {
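Review bot: `${v.dest}` and `${fpath v}` are interpolated unquoted into the shell commands (`mkdir -p secrets/${v.dest}`, `mkdir -p secrets/$(dirname ${v.dest})`, `> ${fpath v}`) while `v.text` is passed through `escapeShellArg`; now that `dest` comes from an attribute name rather than a list entry, a value containing whitespace or metacharacters silently produces a different command. Quoting both sides, e.g. `mkdir -p ${lib.escapeShellArg "secrets/${v.dest}"}` and `> ${lib.escapeShellArg (fpath v)}`, keeps the script well-formed, though the `mods` heredoc lines are whitespace-separated and their consumer would still misparse such a path, which argues for rejecting such names at evaluation time. The same unquoted `${d.dest}` appears in `-path $TMP/${d.dest}` in the following hunk. On the unchanged `echo -n` line, a `text` value beginning with `-e`, `-E` or `-n` is consumed as an option by `echo`; `printf '%s' ${lib.strings.escapeShellArg v.text} > ${fpath v}` writes the content verbatim. The enclosing `let` block that defines `fpath` and `dumpKey` starts before this hunk and continues past it.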
'';
pathChmodExcl =
let
- dirs = builtins.filter (v: v.isDir or false) keys;
+ dirs = builtins.filter (v: v.isDir) keys;
exclPath = builtins.concatStringsSep " -o " (map (d: " -path $TMP/${d.dest}") dirs);
in
lib.optionalString (builtins.length dirs > 0) " -not \\( ${exclPath} \\) ";