yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

also auto-import group secrets

Browse Source
This commit is contained in:
Jörg Thalheim
2023-09-03 14:55:53 +02:00
parent 2a9be18d31
commit 89cdbdd62a
8 changed files with 54 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
nixosModules/clanCore/secrets/sops.nix
View File

@@ -1,4 +1,25 @@
{ config, lib, pkgs, ... }:
let
secretsDir = config.clanCore.clanDir + "/sops/secrets";
groupsDir = config.clanCore.clanDir + "/sops/groups";
# My symlink is in the nixos module detected as a directory also it works in the repl. Is this because of pure evaluation?
containsSymlink = path:
builtins.pathExists path && (builtins.readFileType path == "directory" || builtins.readFileType path == "symlink");
containsMachine = parent: name: type:
type == "directory" && containsSymlink "${parent}/${name}/machines/${config.clanCore.machineName}";
containsMachineOrGroups = name: type:
(containsMachine secretsDir name type) || lib.any (group: type == "directory" && containsSymlink "${secretsDir}/${name}/groups/${group}") groups;
filterDir = filter: dir:
lib.optionalAttrs (builtins.pathExists dir)
(lib.filterAttrs filter (builtins.readDir dir));
groups = builtins.attrNames (filterDir (containsMachine groupsDir) groupsDir);
secrets = filterDir containsMachineOrGroups secretsDir;
in
{
config = {
system.clan.generateSecrets = pkgs.writeScript "generate-secrets" ''
@@ -43,26 +64,12 @@
fi)
'') "" config.clanCore.secrets}
'';
sops.secrets =
let
secretsDir = config.clanCore.clanDir + "/sops/secrets";
encryptedForThisMachine = name: type:
let
symlink = "${secretsDir}/${name}/machines/${config.clanCore.machineName}";
in
# WTF, nix bug, my symlink is in the nixos module detected as a directory also it works in the repl
type == "directory" && builtins.pathExists symlink && (builtins.readFileType symlink == "directory" || builtins.readFileType symlink == "symlink");
secrets =
if !(builtins.pathExists secretsDir)
then { }
else lib.filterAttrs encryptedForThisMachine (builtins.readDir secretsDir);
in
builtins.mapAttrs
(name: _: {
sopsFile = config.clanCore.clanDir + "/sops/secrets/${name}/secret";
format = "binary";
})
secrets;
sops.secrets = builtins.mapAttrs
(name: _: {
sopsFile = config.clanCore.clanDir + "/sops/secrets/${name}/secret";
format = "binary";
})
secrets;
# To get proper error messages about missing secrets we need a dummy secret file that is always present
sops.defaultSopsFile = lib.mkIf config.sops.validateSopsFiles (lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" "")));
};