
improve assertions

This commit is contained in:
Naïm Favier 2021-03-03 16:51:28 +01:00
parent cdcb3230be
commit 360bfd77ae
No known key found for this signature in database
GPG key ID: 49B07322580B7EE2


@ -23,17 +23,14 @@ let
This option is ignored if format is binary. This option is ignored if format is binary.
''; '';
}; };
path = assert assertMsg (builtins.pathExists config.sopsFile) '' path = mkOption {
Cannot find path '${config.sopsFile}' set in 'sops.secrets."${config._module.args.name}".sopsFile' type = types.str;
default = "/run/secrets/${config.name}";
description = ''
Path where secrets are symlinked to.
If the default is kept no symlink is created.
''; '';
mkOption { };
type = types.str;
default = "/run/secrets/${config.name}";
description = ''
Path where secrets are symlinked to.
If the default is kept no symlink is created.
'';
};
format = mkOption { format = mkOption {
type = types.enum ["yaml" "json" "binary"]; type = types.enum ["yaml" "json" "binary"];
default = cfg.defaultSopsFormat; default = cfg.defaultSopsFormat;
@ -64,7 +61,7 @@ let
''; '';
}; };
sopsFile = mkOption { sopsFile = mkOption {
type = types.either types.str types.path; type = types.path;
default = cfg.defaultSopsFile; default = cfg.defaultSopsFile;
description = '' description = ''
Sops file the secret is loaded from. Sops file the secret is loaded from.
@ -72,7 +69,7 @@ let
}; };
}; };
}); });
manifest = builtins.toFile "manifest.json" (builtins.toJSON { manifest = pkgs.writeText "manifest.json" (builtins.toJSON {
secrets = builtins.attrValues cfg.secrets; secrets = builtins.attrValues cfg.secrets;
# Does this need to be configurable? # Does this need to be configurable?
secretsMountPoint = "/run/secrets.d"; secretsMountPoint = "/run/secrets.d";
@ -99,7 +96,7 @@ in {
}; };
defaultSopsFile = mkOption { defaultSopsFile = mkOption {
type = types.either types.str types.path; type = types.path;
description = '' description = ''
Default sops file used for all secrets. Default sops file used for all secrets.
''; '';
@ -144,17 +141,19 @@ in {
}; };
config = mkIf (cfg.secrets != {}) { config = mkIf (cfg.secrets != {}) {
assertions = [{ assertions = [{
assertion = cfg.gnupgHome != null -> cfg.sshKeyPaths == []; assertion = (cfg.gnupgHome == null) != (cfg.sshKeyPaths == []);
message = "Configuration options sops.gnupgHome and sops.sshKeyPaths cannot be set both at the same time"; message = "Exactly one of sops.gnupgHome and sops.sshKeyPaths must be set";
} { }] ++ optionals cfg.validateSopsFiles (
assertion = cfg.gnupgHome == null -> cfg.sshKeyPaths != []; concatLists (mapAttrsToList (name: secret: [{
message = "Either sops.sshKeyPaths and sops.gnupgHome must be set"; assertion = builtins.pathExists secret.sopsFile;
}] ++ map (name: let message = "Cannot find path '${secret.sopsFile}' set in sops.secrets.${strings.escapeNixIdentifier name}.sopsFile";
inherit (cfg.secrets.${name}) sopsFile; } {
in { assertion =
assertion = cfg.validateSopsFiles -> builtins.isPath sopsFile; builtins.isPath secret.sopsFile ||
message = "${sopsFile} is not in the nix store. Either add it to the nix store or set `sops.validateSopsFiles` to false"; (builtins.isString secret.sopsFile && hasPrefix builtins.storeDir secret.sopsFile);
}) (builtins.attrNames cfg.secrets); message = "'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false";
}]) cfg.secrets)
);
system.activationScripts.setup-secrets = let system.activationScripts.setup-secrets = let
sops-install-secrets = (pkgs.callPackage ../.. {}).sops-install-secrets; sops-install-secrets = (pkgs.callPackage ../.. {}).sops-install-secrets;