mirror of
https://github.com/ryantm/agenix.git
synced 2024-12-22 23:58:29 +03:00
Merge pull request #30 from cole-h/cond-module
modules/age: build local rage if pkgs.rage is older than 0.5.0
This commit is contained in:
commit
9eb981eeb5
1 changed files with 23 additions and 16 deletions
|
@ -4,7 +4,12 @@ with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.age;
|
cfg = config.age;
|
||||||
rage = pkgs.callPackage ../pkgs/rage.nix {};
|
|
||||||
|
# we need at least rage 0.5.0 to support ssh keys
|
||||||
|
rage =
|
||||||
|
if lib.versionOlder pkgs.rage.version "0.5.0"
|
||||||
|
then pkgs.callPackage ./rage.nix { }
|
||||||
|
else pkgs.rage;
|
||||||
ageBin = "${rage}/bin/rage";
|
ageBin = "${rage}/bin/rage";
|
||||||
|
|
||||||
users = config.users.users;
|
users = config.users.users;
|
||||||
|
@ -21,10 +26,10 @@ let
|
||||||
'';
|
'';
|
||||||
|
|
||||||
rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets);
|
rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets);
|
||||||
installRootOwnedSecrets = builtins.concatStringsSep "\n" (["echo '[agenix] decrypting root secrets...'"] ++ (map installSecret rootOwnedSecrets));
|
installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));
|
||||||
|
|
||||||
nonRootSecrets = builtins.filter (st: st.owner != "root" || st.group != "root") (builtins.attrValues cfg.secrets);
|
nonRootSecrets = builtins.filter (st: st.owner != "root" || st.group != "root") (builtins.attrValues cfg.secrets);
|
||||||
installNonRootSecrets = builtins.concatStringsSep "\n" (["echo '[agenix] decrypting non-root secrets...'"] ++ (map installSecret nonRootSecrets));
|
installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));
|
||||||
|
|
||||||
secretType = types.submodule ({ config, ... }: {
|
secretType = types.submodule ({ config, ... }: {
|
||||||
options = {
|
options = {
|
||||||
|
@ -71,28 +76,30 @@ let
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
options.age = {
|
options.age = {
|
||||||
secrets = mkOption {
|
secrets = mkOption {
|
||||||
type = types.attrsOf secretType;
|
type = types.attrsOf secretType;
|
||||||
default = {};
|
default = { };
|
||||||
description = ''
|
description = ''
|
||||||
Attrset of secrets.
|
Attrset of secrets.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
sshKeyPaths = mkOption {
|
sshKeyPaths = mkOption {
|
||||||
type = types.listOf types.path;
|
type = types.listOf types.path;
|
||||||
default = if config.services.openssh.enable then
|
default =
|
||||||
|
if config.services.openssh.enable then
|
||||||
map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
|
map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
|
||||||
else [];
|
else [ ];
|
||||||
description = ''
|
description = ''
|
||||||
Path to SSH keys to be used as identities in age decryption.
|
Path to SSH keys to be used as identities in age decryption.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
config = mkIf (cfg.secrets != {}) {
|
config = mkIf (cfg.secrets != { }) {
|
||||||
assertions = [{
|
assertions = [{
|
||||||
assertion = cfg.sshKeyPaths != [];
|
assertion = cfg.sshKeyPaths != [ ];
|
||||||
message = "age.sshKeyPaths must be set.";
|
message = "age.sshKeyPaths must be set.";
|
||||||
}];
|
}];
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue