authorKjetil Orbekk <kj@orbekk.com>2021-03-20 17:24:40 -0400
committerKjetil Orbekk <kj@orbekk.com>2021-03-20 18:08:47 -0400
commitbd0bee6b5cbf1af5698c997b9d856c6a90b6e3d3 (patch)
tree7ad3b5fede875565242c1365055951bc31f9e503
parent90f50a60452099946f7a6246eeb594fd3618dcbd (diff)
Add nixos localsecrets module
-rw-r--r--flake.nix92
1 files changed, 89 insertions, 3 deletions
diff --git a/flake.nix b/flake.nix
index e4bc02d..d92dda5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,11 +3,97 @@
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-20.09";
- outputs = { self, nixpkgs }: {
+ outputs = { self, nixpkgs }:
+ let
+ supportedSystems = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
+ forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems (system: f system);
+ in {
+ nixosModules.localsecrets =
+ { config, pkgs, lib, ... }:
+ let
+ types = lib.types;
+ cfg = config.localsecrets;
+ keyOpts = {name, ...}: {
+ options = {
+ generate = lib.mkOption {
+ type = types.str;
+ };
+ generatePublic = lib.mkOption {
+ type = types.nullOr types.str;
+ };
- packages.x86_64-linux.hello = nixpkgs.legacyPackages.x86_64-linux.hello;
+ path = lib.mkOption {
+ type = types.str;
+ default = "/var/lib/localsecrets/${name}";
+ };
- defaultPackage.x86_64-linux = self.packages.x86_64-linux.hello;
+ publicPath = lib.mkOption {
+ type = types.str;
+ default = ./. + "/public_keys/${name}";
+ };
+ };
+ };
+ in
+ {
+ options = {
+ localsecrets = {
+ enable = lib.mkEnableOption "Deploy localsecrets";
+ secrets = lib.mkOption {
+ type = types.attrsOf (types.submodule keyOpts);
+ default = [];
+ };
+ };
+ };
+
+ config = {
+ environment.systemPackages = [
+ (
+ pkgs.writeScriptBin "localsecrets" ''
+ echo "Secrets I know about:"
+ ${lib.concatMapStrings (secret: "echo ${secret.path}\n") (lib.attrValues cfg.secrets)}
+ ''
+ )
+ ];
+ };
+ };
+
+ checks = forAllSystems (system: {
+ test =
+ let
+ testing = import (nixpkgs + "/nixos/lib/testing-python.nix") {
+ inherit system;
+ };
+ in
+ testing.makeTest {
+ nodes.client = { ... }: {
+ imports = [ self.nixosModules.localsecrets ];
+ localsecrets.enable = true;
+ localsecrets.secrets.test-secret = {
+ generate = "echo hello";
+ generatePublic = "echo world";
+ };
+ };
+
+ testScript = ''
+ start_all()
+ client.succeed("localsecrets")
+ '';
+ };
+ });
+
+ nixosConfigurations.container =
+ nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ self.nixosModules.localsecrets
+ ({...}:
+ {
+ localsecrets.secrets = [ "my-test-secret" ];
+ boot.isContainer = true;
+ }
+ )
+ ];
+ };
};
}
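Review bot: The `secrets` option is declared as `types.attrsOf (types.submodule keyOpts)` but its default is the list `[]`, and the `nixosConfigurations.container` module below assigns it the list `[ "my-test-secret" ]`; both should fail the module system's type check, so the default should be `default = {};` and the container config should use attrset form such as `localsecrets.secrets.my-test-secret = { generate = "..."; generatePublic = null; };`. Similarly `generatePublic` is `nullOr str` with no default and `publicPath` is `types.str` while its default `./. + "/public_keys/${name}"` evaluates to a path value, so either `default = null;` / a `types.path` (or `toString`) is needed for those two to evaluate cleanly. The `enable` option is declared but `config` installs the `localsecrets` script unconditionally; wrapping it as `config = lib.mkIf cfg.enable { ... };` makes the option meaningful. In the generated script, `secret.path` is interpolated unquoted into shell text; `echo ${lib.escapeShellArg secret.path}` avoids word-splitting and keeps any unusual path from being interpreted by the shell, which matters once this module starts handling real secret locations.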