Merge pull request #171 from ryantm/revert-169-rm-2-26-identity-storepath

Revert "fix: disallow Nix store paths in age.identityPaths option"
Ryan Mulligan 2023-02-26 15:22:22 -08:00 committed by GitHub
commit 4828951d9d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -174,15 +174,6 @@ with lib; let
symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;};
};
});
identity = with types;
mkOptionType {
name = "identity";
description = "Path to the identity for age decryption. Usually a path to an SSH key. Must not be a store path, because we do not want private keys to end up in the nix store.";
descriptionClass = "noun";
check = x: isStringLike x && !isStorePath x;
merge = mergeEqualOption;
};
in {
imports = [
(mkRenamedOptionModule ["age" "sshKeyPaths"] ["age" "identityPaths"])
@ -225,7 +216,7 @@ in {
'';
};
identityPaths = mkOption {
type = types.listOf identity;
type = types.listOf types.path;
default =
if (config.services.openssh.enable or false)
then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
@ -235,7 +226,9 @@ in {
"/etc/ssh/ssh_host_rsa_key"
]
else [];
description = "List of identities: ${identity.description}";
description = ''
Path to SSH keys to be used as identities in age decryption.
'';
};
};
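Review bot: With the `identity` type gone, nothing on the new side of `identityPaths` tells the user that a private key must not live in the Nix store. `types.listOf types.path` accepts a literal `/nix/store/...` string, and the new description drops the caveat the old one carried. If the type-level check had to be reverted, keep the warning in the option text, for example `Path to SSH keys to be used as identities in age decryption. Must not be a store path, because private keys must not end up in the world-readable Nix store.` Enforcement could come back without touching the option type as an `assertions` entry that applies `isStorePath` to each element, provided that avoids whatever prompted the revert, which is not visible on this page. The `config` part of the module that would hold it lies outside these hunks.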