1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2024-12-14 11:57:52 +00:00

define templates for home-manager

This commit is contained in:
Jörg Thalheim 2024-11-17 11:35:16 +01:00 committed by mergify[bot]
parent eee831aadb
commit a7b8f0feb7
2 changed files with 95 additions and 0 deletions

View file

@ -109,6 +109,10 @@ let
${sops-install-secrets}/bin/sops-install-secrets -ignore-passwd ${manifest} ${sops-install-secrets}/bin/sops-install-secrets -ignore-passwd ${manifest}
'')); ''));
in { in {
imports = [
./templates.nix
];
options.sops = { options.sops = {
secrets = lib.mkOption { secrets = lib.mkOption {
type = lib.types.attrsOf secretType; type = lib.types.attrsOf secretType;

View file

@ -0,0 +1,91 @@
{ config, pkgs, lib, options, ... }:
let
inherit (lib)
mkOption
mkDefault
mapAttrs
types
;
in {
options.sops = {
templates = mkOption {
description = "Templates for secret files";
type = types.attrsOf (types.submodule ({ config, ... }: {
options = {
name = mkOption {
type = types.singleLineStr;
default = config._module.args.name;
description = ''
Name of the file used in /run/secrets/rendered
'';
};
path = mkOption {
description = "Path where the rendered file will be placed";
type = types.singleLineStr;
# Keep this in sync with `RenderedSubdir` in `pkgs/sops-install-secrets/main.go`
default = "${config.xdg.configHome}/sops-nix/secrets/rendered/${config.name}";
};
content = mkOption {
type = types.lines;
default = "";
description = ''
Content of the file
'';
};
mode = mkOption {
type = types.singleLineStr;
default = "0400";
description = ''
Permissions mode of the rendered secret file in octal.
'';
};
file = mkOption {
type = types.path;
default = pkgs.writeText config.name config.content;
defaultText = lib.literalExpression ''pkgs.writeText config.name config.content'';
example = "./configuration-template.conf";
description = ''
File used as the template. When this value is specified, `sops.templates.<name>.content` is ignored.
'';
};
restartUnits = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "sshd.service" ];
description = ''
Names of units that should be restarted when the rendered template changes.
This works the same way as <xref linkend="opt-systemd.services._name_.restartTriggers" />.
'';
};
reloadUnits = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "sshd.service" ];
description = ''
Names of units that should be reloaded when the rendered template changes.
This works the same way as <xref linkend="opt-systemd.services._name_.reloadTriggers" />.
'';
};
};
}));
default = { };
};
placeholder = mkOption {
type = types.attrsOf (types.mkOptionType {
name = "coercibleToString";
description = "value that can be coerced to string";
check = lib.strings.isConvertibleWithToString;
merge = lib.mergeEqualOption;
});
default = { };
visible = false;
};
};
config = lib.optionalAttrs (options ? sops.secrets)
(lib.mkIf (config.sops.templates != { }) {
sops.placeholder = mapAttrs
(name: _: mkDefault "<SOPS:${builtins.hashString "sha256" name}:PLACEHOLDER>")
config.sops.secrets;
});
}