author | Kjetil Orbekk <kj@orbekk.com> | 2021-03-20 17:24:40 -0400 |
---|---|---|
committer | Kjetil Orbekk <kj@orbekk.com> | 2021-03-20 18:08:47 -0400 |
commit | bd0bee6b5cbf1af5698c997b9d856c6a90b6e3d3 (patch) | |
tree | 7ad3b5fede875565242c1365055951bc31f9e503 | |
parent | 90f50a60452099946f7a6246eeb594fd3618dcbd (diff) |
Add nixos localsecrets module
-rw-r--r-- | flake.nix | 92 |
1 files changed, 89 insertions, 3 deletions
@@ -3,11 +3,97 @@ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-20.09"; - outputs = { self, nixpkgs }: { + outputs = { self, nixpkgs }: + let + supportedSystems = [ "x86_64-linux" "i686-linux" "aarch64-linux" ]; + forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems (system: f system); + in { + nixosModules.localsecrets = + { config, pkgs, lib, ... }: + let + types = lib.types; + cfg = config.localsecrets; + keyOpts = {name, ...}: { + options = { + generate = lib.mkOption { + type = types.str; + }; + generatePublic = lib.mkOption { + type = types.nullOr types.str; + }; - packages.x86_64-linux.hello = nixpkgs.legacyPackages.x86_64-linux.hello; + path = lib.mkOption { + type = types.str; + default = "/var/lib/localsecrets/${name}"; + }; - defaultPackage.x86_64-linux = self.packages.x86_64-linux.hello; + publicPath = lib.mkOption { + type = types.str; + default = ./. + "/public_keys/${name}"; + }; + }; + }; + in + { + options = { + localsecrets = { + enable = lib.mkEnableOption "Deploy localsecrets"; + secrets = lib.mkOption { + type = types.attrsOf (types.submodule keyOpts); + default = []; + }; + }; + }; + + config = { + environment.systemPackages = [ + ( + pkgs.writeScriptBin "localsecrets" '' + echo "Secrets I know about:" + ${lib.concatMapStrings (secret: "echo ${secret.path}\n") (lib.attrValues cfg.secrets)} + '' + ) + ]; + }; + }; + + checks = forAllSystems (system: { + test = + let + testing = import (nixpkgs + "/nixos/lib/testing-python.nix") { + inherit system; + }; + in + testing.makeTest { + nodes.client = { ... 
}: { + imports = [ self.nixosModules.localsecrets ]; + localsecrets.enable = true; + localsecrets.secrets.test-secret = { + generate = "echo hello"; + generatePublic = "echo world"; + }; + }; + + testScript = '' + start_all() + client.succeed("localsecrets") + ''; + }; + }); + + nixosConfigurations.container = + nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + self.nixosModules.localsecrets + ({...}: + { + localsecrets.secrets = [ "my-test-secret" ]; + boot.isContainer = true; + } + ) + ]; + }; }; } |
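Review bot: `secrets` is typed `types.attrsOf (types.submodule keyOpts)` but its `default = []` is a list, so a system that imports the module without setting any secret fails the type check, and `nixosConfigurations.container` then assigns `localsecrets.secrets = [ "my-test-secret" ]` (a list again) while the `checks` test uses the attrset form — the default should be `default = {};` and the container config should use the `localsecrets.secrets.my-test-secret = { … };` shape. The `config` block also ignores `cfg.enable`: `environment.systemPackages` is added unconditionally, so the `mkEnableOption` has no effect; wrap it as `config = lib.mkIf cfg.enable { … };`. In the generated `localsecrets` script, `secret.path` is spliced verbatim into shell text, so a `path` containing whitespace or shell metacharacters alters the command instead of being printed; use `"echo ${lib.escapeShellArg secret.path}\n"` and `pkgs.writeShellScriptBin` so the script also carries a shebang. `generatePublic` is declared `types.nullOr types.str` without `default = null`, which makes a nullable option mandatory. Nothing in this hunk runs the `generate`/`generatePublic` commands or sets mode/owner for `path`, so presumably that is intended for a follow-up; stating so in the commit message would help readers of this module.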