add option to set defaultGroups for secrets

This commit is contained in:
Jörg Thalheim
2024-02-16 17:03:14 +01:00
parent 052f040017
commit 023b9f4257
13 changed files with 84 additions and 12 deletions


@@ -64,7 +64,13 @@
'';
default = pkgs.writers.writeJSON "secrets.json" (lib.mapAttrs
(_name: secret: {
secrets = builtins.attrNames secret.secrets;
secrets = lib.mapAttrsToList
(name: secret: {
inherit name;
} // lib.optionalAttrs (secret ? groups) {
inherit (secret) groups;
})
secret.secrets;
facts = lib.mapAttrs (_: secret: secret.path) secret.facts;
generator = secret.generator.finalScript;
})
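Review bot: The `secrets` entry of the emitted JSON changes shape here, from a plain list of names (the removed `builtins.attrNames secret.secrets`) to a list of `{ name; groups; }` attrsets, which breaks any consumer that parses `secrets.json` as a list of strings; the consumer must move in lockstep (presumably among the other changed files of this commit), and the option description that ends on the `'';` line just above the hunk should document the new per-entry shape, e.g. `Each entry of "secrets" is { name = <secret name>; groups = [ <sops group> ... ]; }`. Because of the `lib.optionalAttrs (secret ? groups)` guard, a secret without a `groups` attribute is encoded with no `groups` key at all, so the consumer has to treat a missing key as "no extra groups" rather than fail. The `default = pkgs.writers.writeJSON` expression that contains this lambda starts before the hunk.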


@@ -108,6 +108,14 @@
'';
default = "${config'.clanCore.secretsDirectory}/${config'.clanCore.secretsPrefix}${config.name}";
};
} // lib.optionalAttrs (config'.clanCore.secretStore == "sops") {
groups = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = config'.clanCore.sops.defaultGroups;
description = ''
Groups to decrypt the secret for. By default we always use the user's key.
'';
};
};
}));
description = ''
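Review bot: The description of the new `groups` option does not say what listing a group does to access: each sops group named here presumably becomes an additional recipient the secret is encrypted for, so widening the list widens who can decrypt it, and with the default of `config'.clanCore.sops.defaultGroups` every secret of the machine inherits that grant silently. Suggest replacing the description with `Additional sops groups the secret is encrypted for; every member of a listed group can decrypt it. Defaults to clanCore.sops.defaultGroups. The secret is always also encrypted for the user's key.`, keeping the last sentence only if it holds, since this file does not show where the user's key is added. It would also help to note that the option only exists when `secretStore == "sops"`, which is why it is spliced in with `lib.optionalAttrs`. The enclosing submodule `options` set starts before this hunk.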


@@ -22,6 +22,14 @@ let
secrets = filterDir containsMachineOrGroups secretsDir;
in
{
options = {
clanCore.sops.defaultGroups = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "admins" ];
description = "The default groups to for encryption use when no groups are specified.";
};
};
config = lib.mkIf (config.clanCore.secretStore == "sops") {
clanCore.secretsDirectory = "/run/secrets";
clanCore.secretsPrefix = config.clanCore.machineName + "-";
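Review bot: The description of `clanCore.sops.defaultGroups` is garbled (`to for encryption use when`); suggest `description = "Default sops groups to encrypt a secret for when the secret does not set its own groups.";`. Since this value presumably flows into every secret's `groups` default, it acts as a machine-wide access grant — every member of a listed group can decrypt every secret that does not override it — which is worth stating in the description so the option is not set casually. The option is declared outside the `lib.mkIf (config.clanCore.secretStore == "sops")` block, so it is also visible for other secret stores where it has no effect; harmless, but the description could say it is sops-only. The `config = lib.mkIf ...` attrset continues past the end of the hunk.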