Merge pull request #169 from ryantm/rm-2-26-identity-storepath

fix: disallow Nix store paths in age.identityPaths option
2023-02-26 13:45:03 -08:00 · 2023-02-26 13:45:03 -08:00 · faf978f7f3
parent 9225d56306 1141c36c26
commit faf978f7f3
1 changed files with 11 additions and 4 deletions
--- a/modules/age.nix
+++ b/modules/age.nix
@ -174,6 +174,15 @@ with lib; let
      symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;};
    };
  });
+
+  identity = with types;
+    mkOptionType {
+      name = "identity";
+      description = "Path to the identity for age decryption. Usually a path to an SSH key. Must not be a store path, because we do not want private keys to end up in the nix store.";
+      descriptionClass = "noun";
+      check = x: isStringLike x && !isStorePath x;
+      merge = mergeEqualOption;
+    };
 in {
  imports = [
    (mkRenamedOptionModule ["age" "sshKeyPaths"] ["age" "identityPaths"])
@ -216,7 +225,7 @@ in {
      '';
    };
    identityPaths = mkOption {
-      type = types.listOf types.path;
+      type = types.listOf identity;
      default =
        if (config.services.openssh.enable or false)
        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
@ -226,9 +235,7 @@ in {
          "/etc/ssh/ssh_host_rsa_key"
        ]
        else [];
-      description = ''
-        Path to SSH keys to be used as identities in age decryption.
-      '';
+      description = "List of identities: ${identity.description}";
    };
  };