Diffstat (limited to 'flake.nix')
-rw-r--r-- | flake.nix | 67 |
1 files changed, 16 insertions, 51 deletions
@@ -8,54 +8,8 @@ supportedSystems = [ "x86_64-linux" "i686-linux" "aarch64-linux" ]; forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems (system: f system); in { - nixosModules.localsecrets = - { config, pkgs, lib, ... }: - let - types = lib.types; - cfg = config.localsecrets; - keyOpts = {name, ...}: { - options = { - generate = lib.mkOption { - type = types.str; - }; - generatePublic = lib.mkOption { - type = types.nullOr types.str; - }; - - path = lib.mkOption { - type = types.str; - default = "/var/lib/localsecrets/${name}"; - }; - - publicPath = lib.mkOption { - type = types.str; - default = ./. + "/public_keys/${name}"; - }; - }; - }; - in - { - options = { - localsecrets = { - enable = lib.mkEnableOption "Deploy localsecrets"; - secrets = lib.mkOption { - type = types.attrsOf (types.submodule keyOpts); - default = []; - }; - }; - }; - config = { - environment.systemPackages = [ - ( - pkgs.writeScriptBin "localsecrets" '' - echo "Secrets I know about:" - ${lib.concatMapStrings (secret: "echo ${secret.path}\n") (lib.attrValues cfg.secrets)} - '' - ) - ]; - }; - }; + nixosModules.localsecrets = import ./modules/localsecrets; checks = forAllSystems (system: { test = 
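Review bot: The new `nixosModules.localsecrets = import ./modules/localsecrets;` line moves the whole module out of this file, and because the diffstat is limited to flake.nix the module's new option contract is not reviewable here; the test hunk below shows that the per-secret `generate`/`generatePublic` options have been replaced by a single `generator`, which is a breaking change for any consumer of this flake. Nothing in this hunk signals that, so a short comment next to the import would help, e.g. `# Module options live in modules/localsecrets; the old generate/generatePublic options were replaced by generator`. If the module can afford it, a `lib.mkRemovedOptionModule` shim (or at least an evaluation-time assertion) for the old names would turn a silent breakage into a clear error; I cannot confirm from this diff whether the new module already does that.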
@@ -65,18 +19,29 @@ }; in testing.makeTest { - nodes.client = { ... }: { + nodes.client = { pkgs, lib, ... }: { imports = [ self.nixosModules.localsecrets ]; localsecrets.enable = true; localsecrets.secrets.test-secret = { - generate = "echo hello"; - generatePublic = "echo world"; + generator = pkgs.writeScript "test-secret.sh" '' + #! ${pkgs.bash}/bin/bash + PATH=${lib.makeBinPath (with pkgs; [ coreutils ])} + mkdir -p private public + echo hello > private/key.private + echo world > public/key.public + ''; }; }; testScript = '' start_all() - client.succeed("localsecrets") + client.wait_for_unit("multi-user.target") + private = "/var/lib/localsecrets/private/test-secret/key.private" + public = "/var/lib/localsecrets/public/test-secret/key.public" + client.succeed("grep hello {}".format(private)) + client.fail("sudo -u nobody cat {}".format(private)) + client.succeed("grep world {}".format(public)) + client.succeed("sudo -u nobody cat {}".format(public)) ''; }; }); |
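Review bot: `client.wait_for_unit("multi-user.target")` only synchronises with the generator if the unit that runs it (defined in modules/localsecrets, outside this diff) is pulled in by multi-user.target; if it is not, the following `grep hello` can race the generator and the test becomes flaky, so waiting on that unit by name — `client.wait_for_unit("<GENERATOR_UNIT_NAME>")` — would be more robust. The permission check is good as far as it goes, but `client.fail("sudo -u nobody cat ...")` accepts any non-zero exit, and the pairing with `client.succeed("sudo -u nobody cat {}".format(public))` is what makes it meaningful; an explicit mode/owner assertion such as `client.succeed("[ $(stat -c %a {}) = <EXPECTED_MODE> ]".format(private))` would pin the intended permissions rather than one negative observation. The generator script also relies on its working directory being the secret's output directory (`mkdir -p private public` is relative), which the module presumably arranges; a one-line comment in the script, `# cwd is set by the module to this secret's output directory`, would make that contract visible to the next reader.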