Merge pull request #30 from cole-h/cond-module

modules/age: build local rage if pkgs.rage is older than 0.5.0
Ryan Mulligan 2021-03-01 14:08:09 -08:00 committed by GitHub
commit 9eb981eeb5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -4,7 +4,12 @@ with lib;
let let
cfg = config.age; cfg = config.age;
rage = pkgs.callPackage ../pkgs/rage.nix {};
# we need at least rage 0.5.0 to support ssh keys
rage =
if lib.versionOlder pkgs.rage.version "0.5.0"
then pkgs.callPackage ./rage.nix { }
else pkgs.rage;
ageBin = "${rage}/bin/rage"; ageBin = "${rage}/bin/rage";
users = config.users.users; users = config.users.users;
@ -21,10 +26,10 @@ let
''; '';
rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets); rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets);
installRootOwnedSecrets = builtins.concatStringsSep "\n" (["echo '[agenix] decrypting root secrets...'"] ++ (map installSecret rootOwnedSecrets)); installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));
nonRootSecrets = builtins.filter (st: st.owner != "root" || st.group != "root") (builtins.attrValues cfg.secrets); nonRootSecrets = builtins.filter (st: st.owner != "root" || st.group != "root") (builtins.attrValues cfg.secrets);
installNonRootSecrets = builtins.concatStringsSep "\n" (["echo '[agenix] decrypting non-root secrets...'"] ++ (map installSecret nonRootSecrets)); installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));
secretType = types.submodule ({ config, ... }: { secretType = types.submodule ({ config, ... }: {
options = { options = {
@ -42,12 +47,12 @@ let
''; '';
}; };
path = mkOption { path = mkOption {
type = types.str; type = types.str;
default = "/run/secrets/${config.name}"; default = "/run/secrets/${config.name}";
description = '' description = ''
Path where the decrypted secret is installed. Path where the decrypted secret is installed.
''; '';
}; };
mode = mkOption { mode = mkOption {
type = types.str; type = types.str;
default = "0400"; default = "0400";
@ -71,28 +76,30 @@ let
}; };
}; };
}); });
in { in
{
options.age = { options.age = {
secrets = mkOption { secrets = mkOption {
type = types.attrsOf secretType; type = types.attrsOf secretType;
default = {}; default = { };
description = '' description = ''
Attrset of secrets. Attrset of secrets.
''; '';
}; };
sshKeyPaths = mkOption { sshKeyPaths = mkOption {
type = types.listOf types.path; type = types.listOf types.path;
default = if config.services.openssh.enable then default =
map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys) if config.services.openssh.enable then
else []; map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
else [ ];
description = '' description = ''
Path to SSH keys to be used as identities in age decryption. Path to SSH keys to be used as identities in age decryption.
''; '';
}; };
}; };
config = mkIf (cfg.secrets != {}) { config = mkIf (cfg.secrets != { }) {
assertions = [{ assertions = [{
assertion = cfg.sshKeyPaths != []; assertion = cfg.sshKeyPaths != [ ];
message = "age.sshKeyPaths must be set."; message = "age.sshKeyPaths must be set.";
}]; }];