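{
  description = "Manage local secrets for Nix configurations";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-20.09";

  outputs = { self, nixpkgs }:
    let
      supportedSystems = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
      # Build an attrset keyed by system from a per-system function.
      forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems f;
    in {
      # NixOS module: declares the `localsecrets.*` options and, when enabled,
      # installs a small helper that lists the configured secret paths.
      nixosModules.localsecrets =
        { config, pkgs, lib, ... }:
        let
          types = lib.types;
          cfg = config.localsecrets;

          # Per-secret submodule. `name` is the attribute name under
          # `localsecrets.secrets` and seeds the default paths below.
          keyOpts = { name, ... }: {
            options = {
              generate = lib.mkOption {
                type = types.str;
                description = "Command that produces the secret. NOTE: declared here but not consumed by anything in this module yet.";
              };
              generatePublic = lib.mkOption {
                type = types.nullOr types.str;
                # Without a default, reading this option fails for every
                # secret that does not set it; null means "no public part".
                default = null;
                description = "Optional command that produces the public part of the secret. NOTE: declared but not consumed by this module yet.";
              };
              path = lib.mkOption {
                type = types.str;
                default = "/var/lib/localsecrets/${name}";
                description = "Where the secret is expected on the target host. Nothing in this module creates that directory or sets its ownership/mode.";
              };
              publicPath = lib.mkOption {
                # `./. + "..."` evaluates to a path value, which `types.str`
                # rejects at evaluation time; accept both forms.
                type = types.either types.str types.path;
                default = ./. + "/public_keys/${name}";
                description = "In-repo location of the public part (a path value here is copied into the Nix store when coerced to a string).";
              };
            };
          };
        in
        {
          options.localsecrets = {
            enable = lib.mkEnableOption "Deploy localsecrets";
            secrets = lib.mkOption {
              type = types.attrsOf (types.submodule keyOpts);
              # Must be an attrset to satisfy `attrsOf`; `[]` fails the type check.
              default = { };
              description = "Secrets to manage, keyed by name.";
            };
          };

          # Honour `enable`: previously the helper was installed unconditionally.
          config = lib.mkIf cfg.enable {
            environment.systemPackages = [
              # writeShellScriptBin adds the shebang; each path is shell-escaped
              # so a secret name with spaces or metacharacters cannot change
              # what the generated script executes.
              (pkgs.writeShellScriptBin "localsecrets" ''
                echo "Secrets I know about:"
                ${lib.concatMapStrings
                  (secret: "echo ${lib.escapeShellArg secret.path}\n")
                  (lib.attrValues cfg.secrets)}
              '')
            ];
          };
        };

      # VM test: enable the module with one secret and check that the helper
      # reports the derived default path.
      checks = forAllSystems (system: {
        test =
          let
            testing = import (nixpkgs + "/nixos/lib/testing-python.nix") {
              inherit system;
            };
          in
          testing.makeTest {
            nodes.client = { ... }: {
              imports = [ self.nixosModules.localsecrets ];
              localsecrets.enable = true;
              localsecrets.secrets.test-secret = {
                generate = "echo hello";
                generatePublic = "echo world";
              };
            };
            testScript = ''
              start_all()
              client.succeed("localsecrets | grep -qF /var/lib/localsecrets/test-secret")
            '';
          };
      });

      # Example container configuration using the module.
      nixosConfigurations.container =
        nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
          modules = [
            self.nixosModules.localsecrets
            ({ ... }: {
              localsecrets.enable = true;
              # `secrets` is an attrset keyed by name, not a list; `generate`
              # has no default so it must be given (sample command below).
              localsecrets.secrets.my-test-secret.generate = "echo my-test-secret";
              boot.isContainer = true;
            })
          ];
        };
    };
}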