add option to extend path for generator
This commit is contained in:
Jörg Thalheim
@@ -46,14 +46,36 @@
|
||||
'';
|
||||
};
|
||||
generator = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = ''
|
||||
Script to generate the secret.
|
||||
The script will be called with the following variables:
|
||||
- facts: path to a directory where facts can be stored
|
||||
- secrets: path to a directory where secrets can be stored
|
||||
The script is expected to generate all secrets and facts defined in the module.
|
||||
'';
|
||||
type = lib.types.submodule ({ config, ... }: {
|
||||
options = {
|
||||
path = lib.mkOption {
|
||||
type = lib.types.listOf (lib.types.either lib.types.path lib.types.package);
|
||||
default = [ ];
|
||||
description = ''
|
||||
Extra paths to add to the PATH environment variable when running the generator.
|
||||
'';
|
||||
};
|
||||
script = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = ''
|
||||
Script to generate the secret.
|
||||
The script will be called with the following variables:
|
||||
- facts: path to a directory where facts can be stored
|
||||
- secrets: path to a directory where secrets can be stored
|
||||
The script is expected to generate all secrets and facts defined in the module.
|
||||
'';
|
||||
};
|
||||
finalScript = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
readOnly = true;
|
||||
internal = true;
|
||||
default = ''
|
||||
export PATH="${lib.makeBinPath config.path}"
|
||||
${config.script}
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
secrets =
|
||||
let
|
||||
|
||||
@@ -39,7 +39,7 @@ in
|
||||
trap "rm -rf $facts" EXIT
|
||||
secrets=$(mktemp -d)
|
||||
trap "rm -rf $secrets" EXIT
|
||||
( ${v.generator} )
|
||||
( ${v.generator.finalScript} )
|
||||
|
||||
${lib.concatMapStrings (fact: ''
|
||||
mkdir -p "$CLAN_DIR"/"$(dirname ${fact.path})"
|
||||
|
||||
@@ -32,7 +32,14 @@ in
|
||||
import json
|
||||
import sys
|
||||
from clan_cli.secrets.sops_generate import generate_secrets_from_nix
|
||||
args = json.loads(${builtins.toJSON (builtins.toJSON { machine_name = config.clanCore.machineName; secret_submodules = config.clanCore.secrets; })})
|
||||
args = json.loads(${builtins.toJSON (builtins.toJSON {
|
||||
machine_name = config.clanCore.machineName;
|
||||
secret_submodules = lib.mapAttrs (_name: secret: {
|
||||
secrets = builtins.attrNames secret.secrets;
|
||||
facts = lib.mapAttrs (_: secret: secret.path) secret.facts;
|
||||
generator = secret.generator.finalScript;
|
||||
}) config.clanCore.secrets;
|
||||
})})
|
||||
generate_secrets_from_nix(**args)
|
||||
'';
|
||||
uploadSecrets = pkgs.writeScript "upload-secrets" ''
|
||||
|
||||
@@ -138,9 +138,9 @@ in
|
||||
facts.zerotier-meshname = { };
|
||||
facts.zerotier-network-id = { };
|
||||
secrets.zerotier-identity-secret = { };
|
||||
generator = ''
|
||||
export PATH=${lib.makeBinPath [ config.services.zerotierone.package pkgs.fakeroot ]}
|
||||
${pkgs.python3.interpreter} ${./generate.py} --mode network \
|
||||
generator.path = [ config.services.zerotierone.package pkgs.fakeroot pkgs.python3 ];
|
||||
generator.script = ''
|
||||
python3 ${./generate.py} --mode network \
|
||||
--ip "$facts/zerotier-ip" \
|
||||
--meshname "$facts/zerotier-meshname" \
|
||||
--identity-secret "$secrets/zerotier-identity-secret" \
|
||||
@@ -155,10 +155,9 @@ in
|
||||
facts.zerotier-ip = { };
|
||||
facts.zerotier-meshname = { };
|
||||
secrets.zerotier-identity-secret = { };
|
||||
|
||||
generator = ''
|
||||
export PATH=${lib.makeBinPath [ config.services.zerotierone.package ]}
|
||||
${pkgs.python3.interpreter} ${./generate.py} --mode identity \
|
||||
generator.path = [ config.services.zerotierone.package pkgs.python3 ];
|
||||
generator.script = ''
|
||||
python3 ${./generate.py} --mode identity \
|
||||
--ip "$facts/zerotier-ip" \
|
||||
--meshname "$facts/zerotier-meshname" \
|
||||
--identity-secret "$secrets/zerotier-identity-secret" \
|
||||
|
||||
Reference in New Issue
Block a user