feature: added support for substituting secrets into files

This commit is contained in:
ElliottSullingeFarrall 2024-09-22 18:05:32 +01:00
parent 3a56735779
commit c69b98e6e7
2 changed files with 44 additions and 0 deletions


@ -65,6 +65,12 @@ with lib; let
''} ''}
''; '';
substituteSecret = secretType:
builtins.concatStringsSep "\n" (builtins.map (file: ''
${pkgs.gnused}/bin/sed -i "s#@${secretType.name}@#$(cat ${secretType.path})#" ${file}
'')
secretType.substitutions);
testIdentities = testIdentities =
map map
(path: '' (path: ''
@ -91,6 +97,11 @@ with lib; let
++ [cleanupAndLink] ++ [cleanupAndLink]
); );
substituteSecrets = builtins.concatStringsSep "\n" (
["echo '[agenix] substituting secrets...'"]
++ (map substituteSecret (builtins.attrValues cfg.secrets))
);
secretType = types.submodule ({ secretType = types.submodule ({
config, config,
name, name,
@ -117,6 +128,14 @@ with lib; let
Path where the decrypted secret is installed. Path where the decrypted secret is installed.
''; '';
}; };
substitutions = mkOption {
type = types.listOf types.str;
default = [];
description = ''
List of files to substitute the secret into.
WARNING: It is recommended to set `force = true` for files managed through home-manager.
'';
};
mode = mkOption { mode = mkOption {
type = types.str; type = types.str;
default = "0400"; default = "0400";
@ -135,6 +154,7 @@ with lib; let
text = '' text = ''
${newGeneration} ${newGeneration}
${installSecrets} ${installSecrets}
${substituteSecrets}
exit 0 exit 0
''; '';
}; };
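Review bot: In `substituteSecret` the decrypted secret is spliced into the sed expression through `$(cat ${secretType.path})`, so any `#`, `&`, `\` or newline in the secret corrupts the expression (sed errors out, or `&` expands to the matched placeholder), and the plaintext ends up on sed's argv, readable from the process table by other local users for as long as the command runs; `${file}` is also unquoted. The second file's first hunk repeats the same definition. Doing the replacement with bash's own parameter substitution keeps the secret off argv and treats it literally, as sketched below (`''${` is the Nix escape for a literal `${`); `$(<...)` strips trailing newlines from both files, and the `printf` puts one back on the target. `substituteSecret` is complete within the hunk, but the enclosing `let` starts and ends outside it.
```nix
substituteSecret = secretType:
  builtins.concatStringsSep "\n" (builtins.map (file: ''
    _content=$(<"${file}")
    _secret=$(<"${secretType.path}")
    printf '%s\n' "''${_content//@${secretType.name}@/$_secret}" > "${file}"
  '')
  secretType.substitutions);
```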


@ -129,6 +129,17 @@ with lib; let
++ (map chownSecret (builtins.attrValues cfg.secrets)) ++ (map chownSecret (builtins.attrValues cfg.secrets))
); );
substituteSecret = secretType:
builtins.concatStringsSep "\n" (builtins.map (file: ''
${pkgs.gnused}/bin/sed -i "s#@${secretType.name}@#$(cat ${secretType.path})#" ${file}
'')
secretType.substitutions);
substituteSecrets = builtins.concatStringsSep "\n" (
["echo '[agenix] substituting secrets...'"]
++ (map substituteSecret (builtins.attrValues cfg.secrets))
);
secretType = types.submodule ({config, ...}: { secretType = types.submodule ({config, ...}: {
options = { options = {
name = mkOption { name = mkOption {
@ -155,6 +166,13 @@ with lib; let
Path where the decrypted secret is installed. Path where the decrypted secret is installed.
''; '';
}; };
substitutions = mkOption {
type = types.listOf types.str;
default = [];
description = ''
List of files to substitute the secret into.
'';
};
mode = mkOption { mode = mkOption {
type = types.str; type = types.str;
default = "0400"; default = "0400";
@ -298,6 +316,12 @@ in {
text = ""; text = "";
deps = ["agenixChown"]; deps = ["agenixChown"];
}; };
# Substitute secrets into files.
system.activationScripts.agenixSubstitute = {
text = substituteSecrets;
deps = ["agenix" "etc"];
};
}) })
(optionalAttrs isDarwin { (optionalAttrs isDarwin {
launchd.daemons.activate-agenix = { launchd.daemons.activate-agenix = {
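Review bot: The `substitutions` option description does not say that the secret's `mode` (and the ownership applied by `chownSecret`) do not carry over to the target file: `sed -i` rewrites `${file}` with that file's own permissions, so a world-readable target holds the plaintext once `@name@` has been replaced. I would extend the description with `Permissions of the target file are not changed; make sure it is not readable by other users once the secret is inserted.` The new `agenixSubstitute` activation script also deserves a comment that GNU `sed -i` replaces a symlink with a regular file, so a target that NixOS links into the store becomes a detached copy after substitution — presumably the reason the `etc` dependency is declared, but a one-line comment such as `# Targets must be regular files; sed -i turns a store symlink into a plain copy.` would make that explicit. Both hunks sit inside the module's `let`/`in` bodies, which begin and end outside this section.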