fix: disallow Nix store paths in age.identityPaths option

Ryan Mulligan 2023-02-26 08:37:02 -08:00
parent 833f87c8ff
commit 1141c36c26


@ -174,6 +174,15 @@ with lib; let
symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;};
};
});
identity = with types;
mkOptionType {
name = "identity";
description = "Path to the identity for age decryption. Usually a path to an SSH key. Must not be a store path, because we do not want private keys to end up in the nix store.";
descriptionClass = "noun";
check = x: isStringLike x && !isStorePath x;
merge = mergeEqualOption;
};
in {
imports = [
(mkRenamedOptionModule ["age" "sshKeyPaths"] ["age" "identityPaths"])
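Review bot: The `check` on the new `identity` type does not yet achieve what its description promises, because nixpkgs' `isStorePath` (which is what `with lib;` resolves it to, as far as I can see) only matches a value whose parent directory is exactly the store dir: a string such as `/nix/store/<hash>-source/key` still passes, and a Nix path literal like `./key` passes too, since `isStringLike` accepts paths and `toString` of a non-flake path is not a store path at check time — yet interpolating that path into a derivation is exactly what copies the key into the store. I would reject path values outright and test the store dir by prefix: `check = x: isStringLike x && !builtins.isPath x && !hasPrefix builtins.storeDir (toString x);` (`hasPrefix` is in scope via `with lib;`). If rejecting path literals is judged too strict for existing configurations, the description should at least state that a path literal is copied into the store and that only an absolute path string avoids this.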
@ -216,7 +225,7 @@ in {
'';
};
identityPaths = mkOption {
type = types.listOf types.path;
type = types.listOf identity;
default =
if (config.services.openssh.enable or false)
then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
@ -226,9 +235,7 @@ in {
"/etc/ssh/ssh_host_rsa_key"
]
else [];
description = ''
Path to SSH keys to be used as identities in age decryption.
'';
description = "List of identities: ${identity.description}";
};
};