forked from mirrors_public/oddlama_nix-config
74 lines
2.6 KiB
Nix
74 lines
2.6 KiB
Nix
{
|
|
config,
|
|
inputs,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib)
|
|
assertMsg
|
|
literalExpression
|
|
mapAttrs
|
|
mkOption
|
|
types
|
|
;
|
|
|
|
# If the given expression is a bare set, it will be wrapped in a function,
|
|
# so that the imported file can always be applied to the inputs, similar to
|
|
# how modules can be functions or sets.
|
|
constSet = x: if builtins.isAttrs x then (_: x) else x;
|
|
|
|
# Try to access the extra builtin we loaded via nix-plugins.
|
|
# Throw an error if that doesn't exist.
|
|
rageImportEncrypted =
|
|
assert assertMsg (builtins ? extraBuiltins.rageImportEncrypted)
|
|
"The extra builtin 'rageImportEncrypted' is not available, so repo.secrets cannot be decrypted. Did you forget to add nix-plugins and point it to `./nix/extra-builtins.nix` ?";
|
|
builtins.extraBuiltins.rageImportEncrypted;
|
|
|
|
# This "imports" an encrypted .nix.age file by evaluating the decrypted content.
|
|
importEncrypted =
|
|
path:
|
|
constSet (
|
|
if builtins.pathExists path then
|
|
rageImportEncrypted inputs.self.secretsConfig.masterIdentities path
|
|
else
|
|
{ }
|
|
);
|
|
|
|
cfg = config.repo;
|
|
in
|
|
{
|
|
options.repo = {
|
|
secretFiles = mkOption {
|
|
default = { };
|
|
type = types.attrsOf types.path;
|
|
example = literalExpression "{ local = ./secrets.nix.age; }";
|
|
description = ''
|
|
This file manages the origin for this machine's repository-secrets. Anything that is
|
|
technically not a secret in the classical sense (i.e. that it has to be protected
|
|
after it has been deployed), but something you want to keep secret from the public;
|
|
Anything that you wouldn't want people to see on GitHub, but that can live unencrypted
|
|
on your own devices. Consider it a more ergonomic nix alternative to using git-crypt.
|
|
|
|
All of these secrets may (and probably will be) put into the world-readable nix-store
|
|
on the build and target hosts. You'll most likely want to store personally identifiable
|
|
information here, such as:
|
|
- MAC Addreses
|
|
- Static IP addresses
|
|
- Your full name (when configuring your users)
|
|
- Your postal address (when configuring e.g. home-assistant)
|
|
- ...
|
|
|
|
Each path given here must be an age-encrypted .nix file. For each attribute `<name>`,
|
|
the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.<name>`.
|
|
'';
|
|
};
|
|
|
|
secrets = mkOption {
|
|
readOnly = true;
|
|
default = mapAttrs (_: x: importEncrypted x inputs) cfg.secretFiles;
|
|
type = types.unspecified;
|
|
description = "Exposes the loaded repo secrets. This option is read-only.";
|
|
};
|
|
};
|
|
}
|