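{
  description = "Manage local secrets for Nix configurations";

  # NOTE(review): nixos-20.09 is an end-of-life channel and no longer receives
  # security fixes. The test-driver import below (nixos/lib/testing-python.nix)
  # is specific to releases of that era, so bumping this pin needs a matching
  # change in `checks`.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-20.09";

  outputs = { self, nixpkgs }:
    let
      supportedSystems = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
      # Build `{ <system> = f <system>; ... }` for every supported system.
      forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems f;
    in {
      # The NixOS module that declares the `localsecrets.*` options.
      nixosModules.localsecrets = import ./modules/localsecrets;

      # `nix flake check` runs one NixOS VM test per system: a generator script
      # produces a private and a public file, and the test verifies that only
      # the private half is shielded from an unprivileged user.
      checks = forAllSystems (system: {
        test =
          let
            testing = import (nixpkgs + "/nixos/lib/testing-python.nix") { inherit system; };
          in
          testing.makeTest {
            nodes.client = { pkgs, lib, ... }: {
              imports = [ self.nixosModules.localsecrets ];
              localsecrets.enable = true;
              localsecrets.secrets.test-secret = {
                # NOTE(review): the script writes to the relative paths
                # `private/` and `public/`, so it relies on the module running
                # it with the secret's staging directory as cwd — confirm
                # against the module's generator contract.
                generator = pkgs.writeScript "test-secret.sh" ''
                  #! ${pkgs.bash}/bin/bash
                  # Fail loudly instead of leaving a half-generated secret.
                  set -euo pipefail
                  PATH=${lib.makeBinPath (with pkgs; [ coreutils ])}
                  mkdir -p private public
                  echo hello > private/key.private
                  echo world > public/key.public
                '';
              };
            };
            testScript = ''
              start_all()
              client.wait_for_unit("multi-user.target")
              private = "/var/lib/localsecrets/private/test-secret/key.private"
              public = "/var/lib/localsecrets/public/test-secret/key.public"

              # Both halves were generated with exactly the expected contents.
              client.succeed("grep -qx hello {}".format(private))
              client.succeed("grep -qx world {}".format(public))

              # Establish first that `sudo -u nobody` works at all, so the
              # negative check below cannot pass vacuously because sudo is
              # missing or misconfigured on the test node.
              client.succeed("sudo -u nobody cat {}".format(public))
              client.fail("sudo -u nobody cat {}".format(private))

              # Belt and braces: the private file must carry no permission bits
              # for "others", independent of which user performs the read.
              client.succeed("stat -c %A {} | grep -q -- '---$'".format(private))
            '';
          };
      });

      # Example container-flavoured system that consumes the module.
      nixosConfigurations.container = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          self.nixosModules.localsecrets
          ({ ... }: {
            # NOTE(review): this declares `secrets` as a list of names, whereas
            # the VM test above declares it as an attribute set carrying a
            # `generator`; only one of the two shapes can match the module's
            # option type unless it coerces lists. Unlike the test, this config
            # also leaves `localsecrets.enable` unset — confirm the module's
            # default before relying on this example.
            localsecrets.secrets = [ "my-test-secret" ];
            boot.isContainer = true;
          })
        ];
      };
    };
}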