Add secret support
This commit is contained in:
@@ -13,6 +13,11 @@
|
||||
imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
|
||||
|
||||
my = {
|
||||
secrets = {
|
||||
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkqdN5t3UKwrNOOPKlbnG1WYhnkV5H9luAzMotr8SbT";
|
||||
files."test.txt" = {};
|
||||
};
|
||||
|
||||
firewall = {
|
||||
trustedInterfaces = [ "blah" ];
|
||||
nat = {
|
||||
|
||||
@@ -52,6 +52,7 @@ let
|
||||
];
|
||||
|
||||
_module.args = {
|
||||
inherit (cfg) secretsPath;
|
||||
pkgs' = allPkgs;
|
||||
};
|
||||
|
||||
@@ -121,6 +122,7 @@ in
|
||||
|
||||
options = with lib.types; {
|
||||
nixos = {
|
||||
secretsPath = mkOpt' path null "Path to encrypted secret files.";
|
||||
modules = mkOpt' (attrsOf commonOpts.moduleType) { } "NixOS modules to be exported by nixfiles.";
|
||||
systems = mkOpt' (attrsOf (submodule systemOpts)) { } "NixOS systems to be exported by nixfiles.";
|
||||
};
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
environment.sessionVariables = {
|
||||
INSTALL_ROOT = installRoot;
|
||||
};
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.authorizedKeys ];
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.deploy ];
|
||||
home-manager.users.root = {
|
||||
programs = {
|
||||
starship.settings = {
|
||||
|
||||
@@ -8,5 +8,6 @@
|
||||
firewall = ./firewall.nix;
|
||||
server = ./server.nix;
|
||||
deploy-rs = ./deploy-rs.nix;
|
||||
secrets = ./secrets.nix;
|
||||
};
|
||||
}
|
||||
|
||||
@@ -10,7 +10,7 @@ in
|
||||
options.my.deploy = with lib.types; {
|
||||
authorizedKeys = {
|
||||
keys = mkOpt' (listOf singleLineStr) [ ] "SSH public keys to add to the default deployment user.";
|
||||
keyFiles = mkOpt' (listOf str) [ ] "SSH public key files to add to the default deployment user.";
|
||||
keyFiles = mkOpt' (listOf path) [ lib.my.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user.";
|
||||
};
|
||||
|
||||
enable = mkBoolOpt' true "Whether to expose deploy-rs configuration for this system.";
|
||||
|
||||
17
nixos/modules/secrets.nix
Normal file
17
nixos/modules/secrets.nix
Normal file
@@ -0,0 +1,17 @@
|
||||
{ lib, config, secretsPath, ... }:
|
||||
let
|
||||
inherit (builtins) mapAttrs;
|
||||
inherit (lib.my) mkOpt';
|
||||
|
||||
cfg = config.my.secrets;
|
||||
in
|
||||
{
|
||||
options.my.secrets = with lib.types; {
|
||||
key = mkOpt' (nullOr str) null "Public key that secrets for this system should be encrypted for.";
|
||||
files = mkOpt' (attrsOf unspecified) { } "Secrets to decrypt with agenix.";
|
||||
};
|
||||
|
||||
config.age.secrets = mapAttrs (f: opts: {
|
||||
file = "${secretsPath}/${f}.age";
|
||||
} // opts) cfg.files;
|
||||
}
|
||||
@@ -35,14 +35,12 @@ in
|
||||
shell =
|
||||
let shell = cfg.homeConfig.my.shell;
|
||||
in mkIf (shell != null) (mkDefault' shell);
|
||||
openssh.authorizedKeys.keyFiles = [ lib.my.authorizedKeys ];
|
||||
openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ];
|
||||
};
|
||||
# In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the
|
||||
# parent attr name) to be the users name, aka `home-manager.users.<name>`
|
||||
homeConfig = { _module.args.name = lib.mkForce user'.name; };
|
||||
};
|
||||
|
||||
deploy.authorizedKeys = mkDefault user'.openssh.authorizedKeys;
|
||||
};
|
||||
|
||||
# mkAliasDefinitions will copy the unmerged defintions to allow the upstream submodule to deal with
|
||||
|
||||
Reference in New Issue
Block a user