
inline option type and submodule

This commit is contained in:
mlatus 2023-03-21 21:23:20 +08:00
parent 8c4ecdc301
commit d93c3bf08e


@ -5,69 +5,67 @@ with builtins;
let
cfg = config.sops;
secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;
coercibleToString = mkOptionType {
name = "coercibleToString";
description = "value that can be coerced to string";
check = strings.isCoercibleToString;
merge = mergeEqualOption;
};
templateType = submodule ({ config, ... }: {
options = {
name = mkOption {
type = str;
default = config._module.args.name;
description = ''
Name of the file used in /run/secrets-rendered
'';
};
path = mkOption {
type = str;
default = "/run/secrets-rendered/${config.name}";
};
content = mkOption {
type = lines;
default = "";
description = ''
Content of the file
'';
};
mode = mkOption {
type = str;
default = "0400";
description = ''
Permissions mode of the rendered secret file in octal.
'';
};
owner = mkOption {
type = str;
default = "root";
description = ''
User of the file.
'';
};
group = mkOption {
type = str;
default = config.users.users.${config.owner}.group;
description = ''
Group of the file.
'';
};
file = mkOption {
type = types.path;
default = pkgs.writeText config.name config.content;
visible = false;
readOnly = true;
};
};
});
in {
options.sops = {
templates = mkOption {
type = attrsOf templateType;
type = attrsOf (submodule ({ config, ... }: {
options = {
name = mkOption {
type = str;
default = config._module.args.name;
description = ''
Name of the file used in /run/secrets-rendered
'';
};
path = mkOption {
type = str;
default = "/run/secrets-rendered/${config.name}";
};
content = mkOption {
type = lines;
default = "";
description = ''
Content of the file
'';
};
mode = mkOption {
type = str;
default = "0400";
description = ''
Permissions mode of the rendered secret file in octal.
'';
};
owner = mkOption {
type = str;
default = "root";
description = ''
User of the file.
'';
};
group = mkOption {
type = str;
default = config.users.users.${config.owner}.group;
description = ''
Group of the file.
'';
};
file = mkOption {
type = types.path;
default = pkgs.writeText config.name config.content;
visible = false;
readOnly = true;
};
};
}));
default = { };
};
placeholder = mkOption {
type = attrsOf coercibleToString;
type = attrsOf (mkOptionType {
name = "coercibleToString";
description = "value that can be coerced to string";
check = strings.isCoercibleToString;
merge = mergeEqualOption;
});
default = { };
visible = false;
};
@ -86,11 +84,13 @@ in {
${concatMapStringsSep "\n" (name:
let
tpl = config.sops.templates.${name};
substitute = pkgs.writers.writePython3 "substitute" { } (readFile ./subs.py);
subst-pairs = pkgs.writeText "pairs" (concatMapStringsSep "\n" (name:
"${toString config.sops.placeholder.${name}} ${
config.sops.secrets.${name}.path
}") (attrNames config.sops.secrets));
substitute = pkgs.writers.writePython3 "substitute" { }
(readFile ./subs.py);
subst-pairs = pkgs.writeText "pairs" (concatMapStringsSep "\n"
(name:
"${toString config.sops.placeholder.${name}} ${
config.sops.secrets.${name}.path
}") (attrNames config.sops.secrets));
in ''
mkdir -p "${dirOf tpl.path}"
(umask 077; ${substitute} ${tpl.file} ${subst-pairs} > ${tpl.path})