# Flake for the `localsecrets` NixOS module.  Outputs: the module itself, a
# NixOS VM test under `checks.<system>.test`, and a sample container config.
{
  description = "Manage local secrets for Nix configurations";

  # NOTE(review): nixos-20.09 is a long-EOL release branch that no longer
  # receives fixes; the pin is left untouched here, but it is worth bumping.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-20.09";

  outputs = { self, nixpkgs }:
    let
      # Systems for which `checks` is instantiated.
      systems = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];

      # Apply `mkAttrs` to every supported system, keyed by system name.
      perSystem = mkAttrs: nixpkgs.lib.genAttrs systems mkAttrs;

      # VM test node: enables the module and declares one secret whose
      # generator writes a private and a public file into the directory it is
      # run from.  Where those files end up is decided by the module (not
      # visible here); the test script below asserts the expected paths under
      # /var/lib/localsecrets.
      clientNode = { pkgs, lib, ... }: {
        imports = [ self.nixosModules.localsecrets ];
        localsecrets.enable = true;
        localsecrets.secrets.test-secret = {
          generator = pkgs.writeScript "test-secret.sh" ''
            #! ${pkgs.bash}/bin/bash
            PATH=${lib.makeBinPath (with pkgs; [ coreutils ])}
            mkdir -p private public
            echo hello > private/key.private
            echo world > public/key.public
          '';
        };
      };

      # Python test driver.  The private file must be readable by root and
      # must NOT be readable by an unprivileged user (`nobody`); the public
      # file must be readable by both.  This is the access-control property
      # the module exists to provide, so keep both the positive and the
      # negative assertion.
      permissionsScript = ''
        start_all()
        client.wait_for_unit("multi-user.target")
        private = "/var/lib/localsecrets/private/test-secret/key.private"
        public = "/var/lib/localsecrets/public/test-secret/key.public"
        client.succeed("grep hello {}".format(private))
        client.fail("sudo -u nobody cat {}".format(private))
        client.succeed("grep world {}".format(public))
        client.succeed("sudo -u nobody cat {}".format(public))
      '';

      # Build the VM test for one system with nixpkgs' python test framework.
      mkPermissionsTest = system:
        let
          nixosTesting = import (nixpkgs + "/nixos/lib/testing-python.nix") {
            inherit system;
          };
        in
          nixosTesting.makeTest {
            nodes.client = clientNode;
            testScript = permissionsScript;
          };

      # Sample NixOS container using the module.
      # NOTE(review): `localsecrets.secrets` is given as a list of names here
      # but as an attrset (name -> { generator = ...; }) in the test node, and
      # `localsecrets.enable` is not set; whether the module accepts both
      # forms cannot be seen from this file — confirm against
      # ./modules/localsecrets.
      containerConfig = { ... }: {
        localsecrets.secrets = [ "my-test-secret" ];
        boot.isContainer = true;
      };
    in {
      nixosModules.localsecrets = import ./modules/localsecrets;

      checks = perSystem (system: {
        test = mkPermissionsTest system;
      });

      nixosConfigurations.container = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [ self.nixosModules.localsecrets containerConfig ];
      };
    };
}