From 46f5d2d23036b814f4c4d983f37363a77ed3a01b Mon Sep 17 00:00:00 2001
From: Felix Ulonska
Date: Thu, 29 Sep 2022 10:35:18 +0200
Subject: [PATCH 1/5] feat(secrets): added flag for common secrets
---
 nixos-modules/secrets.nix | 80 ++++++++++++++++++++-------------------
 1 file changed, 42 insertions(+), 38 deletions(-)
diff --git a/nixos-modules/secrets.nix b/nixos-modules/secrets.nix
index 4784e9f..e18a9c9 100644
--- a/nixos-modules/secrets.nix
+++ b/nixos-modules/secrets.nix
@@ -1,16 +1,5 @@
 { config, lib, pkgs, flake, ... }:
 with builtins; with lib;
-let
- sharedDir = "${flake}/secrets";
- hostDir = "${flake}/hosts/${config.system.name}/secrets";
-
- commonAssets = findAssets sharedDir;
- hostAssets = findAssets hostDir;
- allAssets = commonAssets ++ hostAssets;
-
- findAssets = path: if pathExists path then map (file: removePrefix "${path}/" file) (find "" path) else [ ];
- findAssetSource = name: (if elem name hostAssets then "${hostDir}" else "${sharedDir}") + "/${name}";
-in
 {
 options = with types; {
 basement.enableAgenix = mkOption {
@@ -21,40 +10,55 @@ in secrets = mkOption { # type = attrsOf str; }; + useCommonSecrets = mkOption { + type = bool; + default = true; + }; }; - config = { + config = + let + sharedDir = "${flake}/secrets"; + hostDir = "${flake}/hosts/${config.system.name}/secrets"; - secrets = mapListToAttrs - (file: - let - file' = removeSuffix ".age" (unsafeDiscardStringContext file); - in - nameValuePair - file' - ( - if config.basement.enableAgenix && hasSuffix ".age" file - then config.age.secrets.${file'}.path - else findAssetSource file' - ) - ) - allAssets; + commonAssets = mkIf config.basement.useCommonSecrets (findAssets sharedDir); + hostAssets = findAssets hostDir; + allAssets = commonAssets ++ hostAssets; - age = mkIf config.basement.enableAgenix { - identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + findAssets = path: if pathExists path then map (file: removePrefix "${path}/" file) (find "" path) else [ ]; + findAssetSource = name: (if elem name hostAssets then "${hostDir}" else "${sharedDir}") + "/${name}"; + in + { secrets = mapListToAttrs (file: - nameValuePair' - (removeSuffix ".age" file) - { file = findAssetSource file; } + let + file' = removeSuffix ".age" (unsafeDiscardStringContext file); + in + nameValuePair + file' + ( + if config.basement.enableAgenix && hasSuffix ".age" file + then config.age.secrets.${file'}.path + else findAssetSource file' + ) ) - ( - filter - (name: hasSuffix ".age" name) - allAssets - ); - }; + allAssets; - }; + age = mkIf config.basement.enableAgenix { + identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + secrets = mapListToAttrs + (file: + nameValuePair' + (removeSuffix ".age" file) + { file = findAssetSource file; } + ) + ( + filter + (name: hasSuffix ".age" name) + allAssets + ); + }; + + }; } From 84b5e74c59f2132b1ca9494715013a1e66e03b0f Mon Sep 17 00:00:00 2001 
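Review bot: On the new side, `commonAssets = mkIf config.basement.useCommonSecrets (findAssets sharedDir);` wraps a list in `mkIf`, which returns an attribute set rather than a list, so the following `allAssets = commonAssets ++ hostAssets;` cannot evaluate; the flag is also declared as `useCommonSecrets` directly under `options` but read as `config.basement.useCommonSecrets`. Both lines are reworked by later patches in this series, so the point that remains for this hunk is documentation: the new option carries no `description`, and a one-liner such as `description = "Whether secrets from the shared directory are exposed in addition to the host-specific secrets directory.";` would make its effect visible in generated option docs. A short comment on `findAssetSource` noting that a host-local file shadows a shared file of the same name (the `elem name hostAssets` check runs first) would also help, since that precedence is otherwise only implicit.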
From: Felix Ulonska
Date: Thu, 29 Sep 2022 10:39:21 +0200
Subject: [PATCH 2/5] fix: typo
---
 nixos-modules/secrets.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos-modules/secrets.nix b/nixos-modules/secrets.nix
index e18a9c9..4b5455c 100644
--- a/nixos-modules/secrets.nix
+++ b/nixos-modules/secrets.nix
@@ -21,9 +21,9 @@ with builtins; with lib;
 sharedDir = "${flake}/secrets";
 hostDir = "${flake}/hosts/${config.system.name}/secrets";
 
- commonAssets = mkIf config.basement.useCommonSecrets (findAssets sharedDir);
+ commonAssets = findAssets sharedDir;
 hostAssets = findAssets hostDir;
- allAssets = commonAssets ++ hostAssets;
+ allAssets = if config.basement.useCommonSecrets commonAssets ++ hostAssets else commonAssets;
 
 findAssets = path: if pathExists path then map (file: removePrefix "${path}/" file) (find "" path) else [ ];
 findAssetSource = name: (if elem name hostAssets then "${hostDir}" else "${sharedDir}") + "/${name}";
From eb90d4c374214e4e979b53a33a62059a3dcb0660 Mon Sep 17 00:00:00 2001
From: Felix Ulonska
Date: Thu, 29 Sep 2022 10:40:34 +0200
Subject: [PATCH 3/5] fix: typo
---
 nixos-modules/secrets.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos-modules/secrets.nix b/nixos-modules/secrets.nix
index 4b5455c..0eceb4d 100644
--- a/nixos-modules/secrets.nix
+++ b/nixos-modules/secrets.nix
@@ -23,7 +23,7 @@ with builtins; with lib;
 
 commonAssets = findAssets sharedDir;
 hostAssets = findAssets hostDir;
- allAssets = if config.basement.useCommonSecrets commonAssets ++ hostAssets else commonAssets;
+ allAssets = if config.basement.useCommonSecrets then commonAssets ++ hostAssets else commonAssets;
 
 findAssets = path: if pathExists path then map (file: removePrefix "${path}/" file) (find "" path) else [ ];
 findAssetSource = name: (if elem name hostAssets then "${hostDir}" else "${sharedDir}") + "/${name}";
From efa0ad57aa96e4414cdd2f79da453b34f614e021 Mon Sep 17 00:00:00 2001
From: Felix Ulonska
Date: Thu, 29 Sep 2022 10:41:06 +0200
Subject: [PATCH 4/5] fix: name of config for commonSecrets
---
 nixos-modules/secrets.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos-modules/secrets.nix b/nixos-modules/secrets.nix
index 0eceb4d..a291899 100644
--- a/nixos-modules/secrets.nix
+++ b/nixos-modules/secrets.nix
@@ -10,7 +10,7 @@ with builtins; with lib;
 secrets = mkOption {
 # type = attrsOf str;
 };
- useCommonSecrets = mkOption {
+ basement.useCommonSecrets = mkOption {
 type = bool;
 default = true;
 };
From 74a44ab46a8344133b118a2b1820eefe4a68af89 Mon Sep 17 00:00:00 2001
From: Felix Ulonska
Date: Thu, 29 Sep 2022 10:50:19 +0200
Subject: [PATCH 5/5] fix: now using hostAssets
---
 nixos-modules/secrets.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos-modules/secrets.nix b/nixos-modules/secrets.nix
index a291899..92f20b8 100644
--- a/nixos-modules/secrets.nix
+++ b/nixos-modules/secrets.nix
@@ -23,7 +23,7 @@ with builtins; with lib;
 
 commonAssets = findAssets sharedDir;
 hostAssets = findAssets hostDir;
- allAssets = if config.basement.useCommonSecrets then commonAssets ++ hostAssets else commonAssets;
+ allAssets = if config.basement.useCommonSecrets then commonAssets ++ hostAssets else hostAssets;
 
 findAssets = path: if pathExists path then map (file: removePrefix "${path}/" file) (find "" path) else [ ];
 findAssetSource = name: (if elem name hostAssets then "${hostDir}" else "${sharedDir}") + "/${name}";
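Review bot: The new `else hostAssets` branch keeps shared files out of `allAssets` when the flag is off, but `findAssetSource` on the last line of the hunk still falls back to `${sharedDir}` for any name not found in `hostAssets`, independent of `config.basement.useCommonSecrets`. This is not reachable through the module's own uses, which all map over `allAssets`, so it is a matter of recording the invariant rather than a live defect; a comment such as `# callers only pass names from allAssets; a host-local file shadows a shared one of the same name` on `findAssetSource` would keep a future caller from resolving a shared path while the flag is disabled. The `let` block holding these bindings starts and ends outside the hunk.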