rebmit/nixos-config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
nixos-config/nixos/modules/system/sops-secrets.nix
Lu Wang 79aceaa648
treewide: init flakes
2024-11-28 01:14:34 +08:00

101 lines
2.9 KiB
Nix
Raw Blame History

# Portions of this file are sourced from
# https://github.com/linyinfeng/dotfiles/blob/b618b0fd16fb9c79ab7199ed51c4c0f98a392cea/nixos/modules/sops/terraform-output.nix
{
config,
lib,
self,
...
}:
let
inherit (config.networking) hostName;
globalConfig = config;
opentofuOpts =
{ config, ... }:
{
options.opentofu = {
enable = lib.mkEnableOption "extract secrets from OpenTofu output";
useHostOutput = lib.mkEnableOption "extract from host-specific output";
jqPath = lib.mkOption {
type = lib.types.str;
default =
if config.opentofu.useHostOutput then
".hosts.value.\"${hostName}\".${config.name}"
else
".${config.name}.value";
description = ''
The path used by jq to extract data from the output of OpenTofu.
'';
};
};
config = lib.mkIf config.opentofu.enable {
sopsFile = globalConfig.sops.secretFiles.opentofu;
};
};
secretsFromOutputs = lib.filterAttrs (_: c: c.opentofu.enable) config.sops.secrets;
in
{
options = {
sops = {
secretFiles = {
directory = lib.mkOption {
type = lib.types.path;
description = ''
The directory containing the sops-nix secrets file.
'';
};
get = lib.mkOption {
type = with lib.types; functionTo path;
description = ''
A function used to convert the relative path of
the secret file into an absolute path.
'';
};
host = lib.mkOption {
type = lib.types.path;
description = ''
The path to the manually maintained host secret file.
'';
};
opentofu = lib.mkOption {
type = lib.types.path;
description = ''
The path to the host secret file exported from OpenTofu.
'';
};
};
opentofuTemplate = lib.mkOption {
type = lib.types.lines;
description = ''
The jq filter template for extracting OpenTofu secrets.
'';
};
secrets = lib.mkOption { type = with lib.types; attrsOf (submodule opentofuOpts); };
};
};
config = {
sops = {
age = {
keyFile = "/var/lib/sops.key";
sshKeyPaths = [ ];
};
gnupg.sshKeyPaths = [ ];
opentofuTemplate = ''
{
${
lib.concatMapStringsSep "\n, " (cfg: ''"${cfg.name}": ${cfg.opentofu.jqPath}'') (
lib.attrValues secretsFromOutputs
)
}
}
'';
secretFiles = {
directory = lib.mkDefault "${self}/secrets";
get = p: "${config.sops.secretFiles.directory}/${p}";
host = config.sops.secretFiles.get "hosts/${hostName}.yaml";
opentofu = config.sops.secretFiles.get "hosts/opentofu/${hostName}.yaml";
};
};
};
}
Reference in a new issue View git blame Copy permalink