fix: disallow Nix store paths in age.identityPaths option

This commit is contained in:
Ryan Mulligan 2023-02-26 08:37:02 -08:00
parent 833f87c8ff
commit 1141c36c26


@ -174,6 +174,15 @@ with lib; let
symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;}; symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;};
}; };
}); });
identity = with types;
mkOptionType {
name = "identity";
description = "Path to the identity for age decryption. Usually a path to an SSH key. Must not be a store path, because we do not want private keys to end up in the nix store.";
descriptionClass = "noun";
check = x: isStringLike x && !isStorePath x;
merge = mergeEqualOption;
};
in { in {
imports = [ imports = [
(mkRenamedOptionModule ["age" "sshKeyPaths"] ["age" "identityPaths"]) (mkRenamedOptionModule ["age" "sshKeyPaths"] ["age" "identityPaths"])
@ -216,7 +225,7 @@ in {
''; '';
}; };
identityPaths = mkOption { identityPaths = mkOption {
type = types.listOf types.path; type = types.listOf identity;
default = default =
if (config.services.openssh.enable or false) if (config.services.openssh.enable or false)
then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys) then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
@ -226,9 +235,7 @@ in {
"/etc/ssh/ssh_host_rsa_key" "/etc/ssh/ssh_host_rsa_key"
] ]
else []; else [];
description = '' description = "List of identities: ${identity.description}";
Path to SSH keys to be used as identities in age decryption.
'';
}; };
}; };
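Review bot: The new `check = x: isStringLike x && !isStorePath x;` in the first hunk still appears to accept two kinds of value that can put a private key into the store: a Nix path value such as `./id_ed25519` (not a store path when checked, since `isStringLike` accepts path values, but copied into the store as soon as the module interpolates it into a string — I assume that happens where `identityPaths` is consumed, which is outside these hunks), and a string that points below a store path (a constructed example: `/nix/store/<hash>-keys/id_ed25519`), because `lib.isStorePath` as I read it only matches when the parent directory of the path equals `builtins.storeDir`. A check that matches the intent stated in the option description would be `check = x: isStringLike x && !builtins.isPath x && !hasPrefix builtins.storeDir (toString x);`. It would also help to say in the `identity` description that string paths (not path literals) are expected, so that readers do not reach for `./key` and get the copy-to-store behaviour the option is trying to prevent.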