feat: allow .nix.age files to contain functions or bare attrs

2025-10-11 07:10:39 +02:00 · 2023-03-15 02:29:14 +01:00 · 2023-03-15 02:29:14 +01:00 · 3111408f7d
commit 3111408f7d
parent 5bf0935eb2
6 changed files with 37 additions and 30 deletions
--- a/README.md
+++ b/README.md
@ -11,7 +11,7 @@ all commands using these extra parameters, or permanently add the following the
 2. Run all commands with `--option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --option extra-builtins-file ./nix/extra-builtins.nix`
   or permantently
-	```nix
+	```toml
 	plugin-files = <copy path from $NIX_PLUGINS>/lib/nix/plugins
 	extra-builtins-file = /path/to/nix-config/nix/extra-builtins.nix
 	```
--- a/hosts/zackbiene/secrets/secrets.nix.age
+++ b/hosts/zackbiene/secrets/secrets.nix.age
@ -1,11 +1,10 @@
 age-encryption.org/v1
-> X25519 i6aU9NyNgN17pez4P33oV7d/HNDirMTDIDvZQiWyD0U
+-> X25519 EudkRJVFdtI3TB5ASrLMijjwz5MDotPpKYivGW0Fflc
-3TgVPXyYypC+b7c17ZoV1ZbASpqzgskJ0OUVtBgxhFk
+d2kCskNAE6wQTnJHWgerEoX6qzk6CIZiq31bPJc2L28
-> piv-p256 xqSe8Q A3kpyhwhqEsSqoVD7SB8VK5dU0ZiOrsOdloF+iviN/mq
+-> piv-p256 xqSe8Q AhO0b/wnxSUyd1F6RRXjwYfO9vgPOn9cpIvANnyYlGVl
-W315d5mn13I4JWpsut801LKgGieKF8NIuJ6TeF4wCtI
+awJWopmJA/rFzZaudoo1AOA9mq3izm2jbfpFrJA/7u0
-> Vzkv-grease u
+-> thOR[X=-grease yu6vjtq
-ScmUF1PthzjmA8USzPlx5s5zcTDMGb2zcniHiOHz/ax4cTDKtnDgr8hI6r/6cKXs
+VinuD5DiV4P9H7Kzmp2gCMfsTZ4t3Ws7L+psnfvo+jWx50YK3ZbLxl47LtJqqLkx
-5EkFcJHCI4nNFSCK8WHIIaGDpWWB6YrkkicVQU9K7QRa57xhVniotpH1rOnbEcFN
+o6W28SqfwSlDdFL/hNYP+FnpuW4UrtJPxmdv6SVncOlHUTvN
-j5M
+--- cAglqtAsQAmUyt3E9LtYB0/YXyd+Z78R1SRc3YuMQWc
--- 4rSnr2uChIZoKOe3DDWFK/3JUUPAst1LDOulv1WN1Ek
+-ºÞ�z¡N�ÛMw°û÷bì�¾|â{|6|
#™á‰ƒ¨b^wBbjñlU‘Œýdxœ »_¡þ?Å•ÑåNÕ{[Å–K ª\˜
 þÊýÔ´‹âW…b^zËrFç<Zh®šp	Ê˜ëöÑ¬zf# & ëÔÏ†Ö\ÑlÝDQÅwé9º#¢ÕS¢ü0ÜF¢A’/NãŽ%Ûßxÿ�™¸uÄl„
--- a/nix/colmena.nix
+++ b/nix/colmena.nix
@ -14,7 +14,7 @@ with nixpkgs.lib; let
  nixosHosts = filterAttrs (_: x: x.type == "nixos") self.hosts;
  generateColmenaNode = hostName: _: {
    imports = [
-      {
+      ({ config, ... }: {
        # By default, set networking.hostName to the hostName
        networking.hostName = mkDefault hostName;
        # Define global flakes for this system
@ -29,7 +29,7 @@ with nixpkgs.lib; let
        rekey.hostPubkey = ../secrets/pubkeys + "/${config.networking.hostName}.pub";
        rekey.masterIdentities = [../secrets/yk1-nix-rage.pub];
        rekey.extraEncryptionPubkeys = [../secrets/backup.pub];
-      }
+      })
      (../hosts + "/${hostName}")
      home-manager.nixosModules.default
      #impermanence.nixosModules.default
--- a/nix/extra-builtins.nix
+++ b/nix/extra-builtins.nix
@ -22,7 +22,7 @@
  in
    lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
 in {
-  rageImportDecrypt = identities: nixFile:
+  rageImportEncrypted = identities: nixFile:
    assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity.";
    assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
      exec (["rage" "-d"] ++ (builtins.concatMap (x: ["-i" x]) identities) ++ [nixFile]);
--- a/nix/secrets.nix
+++ b/nix/secrets.nix
@ -17,15 +17,24 @@
  ...
 } @ inputs:
 with nixpkgs.lib; let
-  mergeArray = f: unique (concatLists (mapAttrsToList (_: f) self.nodes));
+  # The identities that are used to decrypt any repository-wide secrets.
-  mergedMasterIdentities = mergeArray (x: x.config.rekey.masterIdentities or []);
+  masterIdentities = [../secrets/yk1-nix-rage.pub];
-  # "Imports" an encrypted .nix.age file
+  # If the given expression is a bare set, it will be wrapped in a function,
  # so that the imported file can always be applied to the inputs, similar to
  # how modules can be functions or sets.
  constSet = x:
    if builtins.isAttrs x
    then (_: x)
    else x;
  # This "imports" an encrypted .nix.age file
  importEncrypted = path:
-    if builtins.pathExists path
+    constSet (
-    then builtins.extraBuiltins.rageImportDecrypt mergedMasterIdentities path
+      if builtins.pathExists path
-    else _: {};
+      then builtins.extraBuiltins.rageImportEncrypted masterIdentities path
      else {}
    );
 in
  (importEncrypted ../secrets/secrets.nix.age inputs)
  // {
-    nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.nodes;
+    nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.hosts;
  }
--- a/secrets/secrets.nix.age
+++ b/secrets/secrets.nix.age
@ -1,10 +1,9 @@
 age-encryption.org/v1
-> X25519 G4gcvnrT5F96VKuJKWCZnu3FaQl8Mw53cTfAw75HvDo
+-> X25519 vyK4cXkYqS/xic3L1hVfZOm9F2dy41g0k8NtY0S7o0g
-aW5tQryfBWLjGAhxzds0tNgD2Q7+GbC19ev0LTmnAag
+pdm+YdbPD+jg9oRGD1m/bSFwmcI6slqCg8bSSHUgyTg
-> piv-p256 xqSe8Q Ak7W7nWemREYSyuxsCGZq3anjmSBjZXxInYRjyxhlULw
+-> piv-p256 xqSe8Q A7Z8dLqDdsXdeMFUI0yZy7IOH+VovH4bzc2dRkCKQYoE
-a4D3LWlMB8mROXAtHeVtt8WckgBdrRwD0y2hJt9qLKg
+fa0294BZfM4wYXdF1j5BogNpVdgfhnITHIFubQq8G6M
-> \aR-grease 2J>j% 4M/Y^- x1`AZ_,W )YZ/;NT
+-> X-grease YRM7Gw8# 0\&Rw
-pWcsdkCVXg9tB54p3/YcZt8VGpH+5FdZCZM6xFDvXai0AED9V9AKMWK9jOfqCQYN
+SXlWKCRgatc1AAoprriaOmKPrw
-RvhfpOVyL0r8
+--- ybnfcV0t6H0UUl6Oc5z6EYOuLxpeVqh+TcywwgevaFw
--- GYfc2AZAGyiEdSaSfw/BdsMFVQrVCYLM0rDAUtk3k9E
+aú§ŹC	˝‹kz  ´DŹMŢYw˙8ß›ż¬”Ú†Î.ńňúOˇ<ŕq.6Ź±vX( ąß
 Ð[S©÷^}ð*ÞTÏ³.ÍS"ÀÇÝôØH_ ¦zì˜iè”�`}¦,)‰x÷ƒ‹/;á”îÐtüw¢ïÖV‰¿þ