Diffstat (limited to 'flakes/secrets/flake.nix')
-rw-r--r--flakes/secrets/flake.nix49
1 files changed, 41 insertions, 8 deletions
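diff --git a/flakes/secrets/flake.nix b/flakes/secrets/flake.nix
index 0ee6a40..ef74a30 100644
--- a/flakes/secrets/flake.nix
+++ b/flakes/secrets/flake.nix
@@ -5,9 +5,42 @@
 nixosModule = { config, lib, pkgs, ... }: {
 options.secrets = with lib; {
 keys = mkOption {
-type = types.listOf types.unspecified;
-default = [];
-description = "Keys to upload to server";
+type = types.attrsOf (types.submodule {
+options = {
+isTemplated = mkOption {
+type = types.bool;
+default = true;
+description = "If the file is a gucci template that needs to be resolved";
+};
+isDir = mkOption {
+type = types.bool;
+default = false;
+description = "If the entry is a directory";
+};
+group = mkOption {
+type = types.str;
+default = "root";
+description = "Group to associate to the entry";
+};
+user = mkOption {
+type = types.str;
+default = "root";
+description = "User to associate to the entry";
+};
+permissions = mkOption {
+type = types.str;
+default = "0600";
+description = "Permissions to associate to the entry";
+};
+text = mkOption {
+type = types.str;
+description = "Content of the entry";
+};
+};
+});
+default = {};
+description = "Keys attrs to upload to the server";
+apply = lib.mapAttrsToList (dest: v: v // { inherit dest; });
 };
 gpgKeys = mkOption {
 type = types.listOf types.path;
@@ -52,20 +85,20 @@
 location = config.secrets.location;
 keys = config.secrets.keys;
 empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
-fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}";
+fpath = v: "secrets/${v.dest}${lib.optionalString v.isTemplated ".gucci.tpl"}";
 dumpKey = v:
-if v.isDir or false then
+if v.isDir then
 ''
 mkdir -p secrets/${v.dest}
 cat >> mods <<EOF
-${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
+${v.user} ${v.group} ${v.permissions} secrets/${v.dest}
 EOF
 ''
 else ''
 mkdir -p secrets/$(dirname ${v.dest})
 echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v}
 cat >> mods <<EOF
-${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v}
+${v.user} ${v.group} ${v.permissions} ${fpath v}
 EOF
 '';
 secrets = pkgs.runCommand "secrets.tar.enc" {
@@ -88,7 +121,7 @@
 '';
 pathChmodExcl =
 let
-dirs = builtins.filter (v: v.isDir or false) keys;
+dirs = builtins.filter (v: v.isDir) keys;
 exclPath = builtins.concatStringsSep " -o " (map (d: " -path $TMP/${d.dest}") dirs);
 in
 lib.optionalString (builtins.length dirs > 0) " -not \\( ${exclPath} \\) ";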
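Review bot: The new `permissions`, `user` and `group` options (new lines 20–34 of the first hunk) are declared as bare `types.str`, yet the second hunk writes them unquoted and space-separated into the `mods` file (`${v.user} ${v.group} ${v.permissions} …`), so a value containing whitespace, or a mode that is not octal, silently corrupts that line at build time instead of failing at evaluation; tightening the types, e.g. `permissions = mkOption { type = types.strMatching "[0-7]{3,4}"; default = "0600"; ... };` plus a no-whitespace pattern such as `types.strMatching "[^[:space:]]+"` for `user`/`group`, would catch this where the module is evaluated. The attribute name that `apply` turns into `dest` is likewise interpolated unquoted into `mkdir -p secrets/$(dirname ${v.dest})` and the `> ${fpath v}` redirect on the context lines of the second hunk, so a key with spaces or `..` segments reaches the shell as-is; an assertion on the keys (no whitespace, no `..` component) in `apply` or via `types.attrsOf` over a constrained key set would close that too. Separately, `text` is a plain `types.str` with no caveat in its description: `dumpKey` embeds it via `escapeShellArg` into what is presumably the build script of the `secrets.tar.enc` `runCommand`, so the plaintext lands in the world-readable Nix store regardless of the output archive being encrypted, and the option should say so, e.g. `description = "Content of the entry; the value is copied verbatim into the Nix store"`. The enclosing `let` defining `fpath`/`dumpKey` and the `secrets` derivation continue outside the hunks.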