# Builds the JSON manifest that `sops-install-secrets` reads, and validates it
# in the derivation's checkPhase so a broken manifest fails at build time
# rather than at activation.
#
#   writeTextFile  nixpkgs builder used to produce the manifest derivation
#   cfg            the module's option values (presumably `config.sops`;
#                  only the attributes read below are required)
#   suffix         appended to the derivation name ("manifest${suffix}.json")
#   secrets        attrset of secret definitions; only its values are emitted
#   extraJson      attrset merged last, so its keys override the defaults here
{ writeTextFile, cfg }:
suffix: secrets: extraJson:
let
  # True when the given log category is listed in `cfg.log`.
  logEnabled = category: builtins.elem category cfg.log;

  # Validate against the referenced sops files when requested, otherwise only
  # the manifest itself is checked.
  checkMode = if cfg.validateSopsFiles then "sopsfile" else "manifest";

  manifest = {
    secrets = builtins.attrValues secrets;
    # Does this need to be configurable?
    secretsMountPoint = "/run/secrets.d";
    symlinkPath = "/run/secrets";
    inherit (cfg) keepGenerations useTmpfs templates;
    gnupgHome = cfg.gnupg.home;
    inherit (cfg.gnupg) sshKeyPaths;
    ageKeyFile = cfg.age.keyFile;
    ageSshKeyPaths = cfg.age.sshKeyPaths;
    placeholderBySecretName = cfg.placeholder;
    # Not a user-mode manifest.
    userMode = false;
    logging = {
      keyImport = logEnabled "keyImport";
      secretChanges = logEnabled "secretChanges";
    };
  };
in
writeTextFile {
  name = "manifest${suffix}.json";
  # `extraJson` is applied on top, so callers can override any default key.
  text = builtins.toJSON (manifest // extraJson);
  # Run the installer in check-only mode against the freshly written manifest;
  # `$out` is quoted so the store path is passed as a single argument.
  checkPhase = ''
    ${cfg.validationPackage}/bin/sops-install-secrets -check-mode=${checkMode} "$out"
  '';
}