dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Add secret support

Browse Source
This commit is contained in:
Jack O'Sullivan
2022-02-22 00:59:57 +00:00
parent ac31486f6b
commit 8c61cea30d
19 changed files with 71 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
nixos/modules/_list.nix
View File

@@ -8,5 +8,6 @@
firewall = ./firewall.nix;
server = ./server.nix;
deploy-rs = ./deploy-rs.nix;
secrets = ./secrets.nix;
};
}

2
nixos/modules/deploy-rs.nix
View File

@@ -10,7 +10,7 @@ in
options.my.deploy = with lib.types; {
authorizedKeys = {
keys = mkOpt' (listOf singleLineStr) [ ] "SSH public keys to add to the default deployment user.";
keyFiles = mkOpt' (listOf str) [ ] "SSH public key files to add to the default deployment user.";
keyFiles = mkOpt' (listOf path) [ lib.my.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user.";
};
enable = mkBoolOpt' true "Whether to expose deploy-rs configuration for this system.";

17
nixos/modules/secrets.nix Normal file
View File

@@ -0,0 +1,17 @@
{ lib, config, secretsPath, ... }:
let
inherit (builtins) mapAttrs;
inherit (lib.my) mkOpt';
cfg = config.my.secrets;
in
{
options.my.secrets = with lib.types; {
key = mkOpt' (nullOr str) null "Public key that secrets for this system should be encrypted for.";
files = mkOpt' (attrsOf unspecified) { } "Secrets to decrypt with agenix.";
};
config.age.secrets = mapAttrs (f: opts: {
file = "${secretsPath}/${f}.age";
} // opts) cfg.files;
}

4
nixos/modules/user.nix
View File

@@ -35,14 +35,12 @@ in
shell =
let shell = cfg.homeConfig.my.shell;
in mkIf (shell != null) (mkDefault' shell);
openssh.authorizedKeys.keyFiles = [ lib.my.authorizedKeys ];
openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ];
};
# In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the
# parent attr name) to be the users name, aka `home-manager.users.<name>`
homeConfig = { _module.args.name = lib.mkForce user'.name; };
};
deploy.authorizedKeys = mkDefault user'.openssh.authorizedKeys;
};
# mkAliasDefinitions will copy the unmerged defintions to allow the upstream submodule to deal with