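# flake-parts module exposing the `sopsidy` NixOS module.
#
# The NixOS module extends the `sops.secrets` option tree with a `collect`
# sub-option set (how to fetch the plaintext of a secret when the sops file is
# edited) and adds `sops.secretDefaults` / `sops.hostPubKey`.
#
# Argument: `self` is the flake itself; `default` is an alias for `sopsidy`.
{ self, ... }:
{
  flake.nixosModules.default = self.nixosModules.sopsidy;
  flake.nixosModules.sopsidy =
    { lib, config, ... }:
    let
      inherit (lib) types;

      # Per-secret submodule merged into every entry of `sops.secrets`.
      secretTypeModule = {
        options = {
          collect = {
            script = lib.mkOption {
              type = types.nullOr types.str;
              default = null;
              description = ''
                Script that outputs secret.
                If multiple configs/hosts define different scripts for the same secret
                then the script from the last host in alphabetical order will be used.
                Scripts should error out when the secret is inaccessible, which
                will prevent editing of the overall sops file.
              '';
            };
            runtimeInputs = lib.mkOption {
              # Use functionTo so that secret collection scripts
              # are system architecture independent
              type = types.functionTo (types.listOf types.package);
              # Sops stores a manifest of all secrets in json
              # so we store the runtimeInputs function as a functor
              # with an outPath so that it can be serialized into json
              # and still be used as a function.
              # `_` rather than `self` avoids shadowing the flake `self` above.
              apply = func: {
                __functor = _: func;
                outPath = "function (input: pkgs; output: list of runtimeInputs)";
              };
              # The default must itself be a function: the declared type is
              # `functionTo ...`, so a bare list would fail the module-system
              # type check (and could not be called with `pkgs` afterwards).
              default = _: [ ];
              example = lib.literalExpression ''
                pkgs: [ pkgs.rbw ]
              '';
              description = ''
                Function that takes a nixpkgs instance and returns a list of
                packages to include in $PATH for the script.
                Be sure to use the pkgs input, so that the secret collection
                script can be run on any system and not just the system that
                this config system has been evaluated for.
              '';
            };
            stripTrailingCharacter = lib.mkOption {
              type = types.bool;
              default = true;
              # NOTE(review): the piping itself happens in the consumer of this
              # option, not here; `head -c -1` is a GNU coreutils extension and
              # is presumably always run from a nixpkgs-provided coreutils.
              description = ''
                Remove typical trailing new line of command output by piping
                output of command to `head -c -1` which removes the
                last character.
              '';
            };
          };
        };
      };
    in
    {
      imports = [
        ./plugins/rbw.nix
      ];

      options = {
        sops.secretDefaults = lib.mkOption {
          type = types.deferredModule;
          default = { };
          description = ''
            Secret module to import for all secrets.
          '';
        };

        # Intentionally declared without `default`/`description`: this is a
        # second declaration of `sops.secrets` that is merged with the one
        # presumably provided by sops-nix (attrsOf submodule types merge, but
        # duplicate `default`/`description`/`apply` attributes are rejected by
        # the module system).
        sops.secrets = lib.mkOption {
          type = types.attrsOf (types.submodule {
            imports = [
              secretTypeModule
              config.sops.secretDefaults
            ];
          });
        };

        # NOTE(review): `ssh-keyscan` retrieves the host key over the network
        # without authentication. The resulting age key decides who can decrypt
        # every sops file of this host, so compare the fingerprint with the one
        # read on the host itself (e.g. from its `/etc/ssh/ssh_host_ed25519_key.pub`)
        # before committing it.
        sops.hostPubKey = lib.mkOption {
          type = types.str;
          description = ''
            Age public key of the host.
            Will be used to encrypt all sops files defined in the host.
            Can be found with:
            `nix-shell -p ssh-to-age --run 'ssh-keyscan -t ed25519 <server-domain> | tail -n 1 | ssh-to-age'`
          '';
        };
      };
    };
}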