mirror of
https://github.com/Mic92/sops-nix.git
synced 2025-03-06 08:37:21 +00:00
27 lines
851 B
Nix
27 lines
851 B
Nix
{ writeTextFile, cfg }:
|
|
|
|
suffix: secrets: extraJson:
|
|
|
|
writeTextFile {
|
|
name = "manifest${suffix}.json";
|
|
text = builtins.toJSON ({
|
|
secrets = builtins.attrValues secrets;
|
|
# Does this need to be configurable?
|
|
secretsMountPoint = "/run/secrets.d";
|
|
symlinkPath = "/run/secrets";
|
|
keepGenerations = cfg.keepGenerations;
|
|
gnupgHome = cfg.gnupg.home;
|
|
sshKeyPaths = cfg.gnupg.sshKeyPaths;
|
|
ageKeyFile = cfg.age.keyFile;
|
|
ageSshKeyPaths = cfg.age.sshKeyPaths;
|
|
useTmpfs = cfg.useTmpfs;
|
|
userMode = false;
|
|
logging = {
|
|
keyImport = builtins.elem "keyImport" cfg.log;
|
|
secretChanges = builtins.elem "secretChanges" cfg.log;
|
|
};
|
|
} // extraJson);
|
|
checkPhase = ''
|
|
${cfg.validationPackage}/bin/sops-install-secrets -check-mode=${if cfg.validateSopsFiles then "sopsfile" else "manifest"} "$out"
|
|
'';
|
|
}
|