yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

secrets: add settings, generator submodules, improve tests

Browse Source
This commit is contained in:
DavHau
2024-07-02 15:38:24 +07:00
parent 1172acdc04
commit d3f31acc5c
3 changed files with 198 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
nixosModules/clanCore/vars/eval-tests/default.nix
View File

@@ -8,11 +8,8 @@ let
module module
]; ];
}).config; }).config;
in
{ usage_simple = {
single_file_single_prompt =
let
config = eval {
generators.my_secret = { generators.my_secret = {
files.password = { }; files.password = { };
files.username.secret = false; files.username.secret = false;
@@ -24,15 +21,23 @@ in
}; };
in in
{ {
single_file_single_prompt =
let
config = eval usage_simple;
in
{
# files are always secret by default
test_file_secret_by_default = { test_file_secret_by_default = {
expr = config.generators.my_secret.files.password.secret; expr = config.generators.my_secret.files.password.secret;
expected = true; expected = true;
}; };
# secret files must not provide a value
test_secret_value_access_raises_error = { test_secret_value_access_raises_error = {
expr = config.generators.my_secret.files.password.value; expr = config.generators.my_secret.files.password.value;
expectedError.type = "ThrownError"; expectedError.type = "ThrownError";
expectedError.msg = "Cannot access value of secret file"; expectedError.msg = "Cannot access value of secret file";
}; };
# public values must provide a value at eval time
test_public_value_access = { test_public_value_access = {
expr = config.generators.my_secret.files.username ? value; expr = config.generators.my_secret.files.username ? value;
expected = true; expected = true;
@@ -47,4 +52,19 @@ in
expected = true; expected = true;
}; };
}; };
# Ensure that generators.imports works
# This allows importing generators from third party projects without providing
# them access to other settings.
test_generator_modules =
let
generator_module = {
my-generator.files.password = { };
};
config = eval { generators.imports = [ generator_module ]; };
in
{
expr = lib.trace (lib.attrNames config.generators) config.generators ? my-generator;
expected = true;
};
} }

17
nixosModules/clanCore/vars/interface.nix
View File

@@ -2,20 +2,32 @@
let let
inherit (lib) mkOption; inherit (lib) mkOption;
inherit (lib.types) inherit (lib.types)
anything
attrsOf attrsOf
bool bool
enum enum
listOf listOf
str str
submodule submoduleWith
; ;
submodule = module: submoduleWith { modules = [ module ]; };
options = lib.mapAttrs (_: mkOption); options = lib.mapAttrs (_: mkOption);
subOptions = opts: submodule { options = options opts; }; subOptions = opts: submodule { options = options opts; };
in in
{ {
options = options { options = options {
settings = {
description = ''
Settings for the generated variables.
'';
type = submodule {
freeFormType = anything;
imports = [ ./settings.nix ];
};
};
generators = { generators = {
type = attrsOf (subOptions { type = submodule {
freeformType = attrsOf (subOptions {
dependencies = { dependencies = {
description = '' description = ''
A list of other generators that this generator depends on. A list of other generators that this generator depends on.
@@ -102,4 +114,5 @@ in
}); });
}; };
}; };
};
} }

69
nixosModules/clanCore/vars/settings.nix Normal file
View File

@@ -0,0 +1,69 @@
{ lib, ... }:
{
options = {
secretStore = lib.mkOption {
type = lib.types.enum [
"sops"
"password-store"
"vm"
"custom"
];
default = "sops";
description = ''
method to store secret facts
custom can be used to define a custom secret fact store.
'';
};
secretModule = lib.mkOption {
type = lib.types.str;
internal = true;
description = ''
the python import path to the secret module
'';
};
secretUploadDirectory = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
The directory where secrets are uploaded into, This is backend specific.
'';
};
secretPathFunction = lib.mkOption {
type = lib.types.raw;
description = ''
The function to use to generate the path for a secret.
The default function will use the path attribute of the secret.
The function will be called with the secret submodule as an argument.
'';
};
publicStore = lib.mkOption {
type = lib.types.enum [
"in_repo"
"vm"
"custom"
];
default = "in_repo";
description = ''
method to store public facts.
custom can be used to define a custom public fact store.
'';
};
publicModule = lib.mkOption {
type = lib.types.str;
internal = true;
description = ''
the python import path to the public module
'';
};
publicDirectory = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
};
};
}