# vaultix flake-parts module.
#
# Applied as `vaultixFlake: { lib, self, config, flake-parts-lib, ... }`:
# `vaultixFlake` is the vaultix flake itself (its per-system `packages`
# feed the generated apps); the second argument is the usual flake-parts
# module argument set.
vaultixFlake:
{
  lib,
  self,
  config,
  flake-parts-lib,
  ...
}:
let
  inherit (lib) mkOption types;

  # A string that must start with ".", documented as relative to the flake
  # root. Only the first character is tested, so values beginning with ".."
  # are accepted as well -- do not rely on this check to keep the cache
  # inside the flake directory.
  relativePathStr =
    types.addCheck types.str (s: lib.hasPrefix "." s)
    // {
      description = "path string relative to flake root";
    };

  # Accepts either a path or a string; a path value is converted with
  # `toString`, which records its location rather than copying the file.
  identityPathType = types.coercedTo types.path toString types.str;

  # Per-system app set: each name in the list is loaded from
  # ./apps/<name>.nix and handed the submodule settings, that system's
  # `vaultix.pkgs` and the matching vaultix package.
  mkApps =
    submodCfg: system: systemCfg:
    lib.genAttrs [ "renc" "edit" ] (
      app:
      import ./apps/${app}.nix {
        inherit (submodCfg)
          nodes
          identity
          extraRecipients
          cache
          ;
        inherit (systemCfg.vaultix) pkgs;
        inherit lib;
        package = vaultixFlake.packages.${system}.default;
      }
    );
in
{
  options = {
    flake = flake-parts-lib.mkSubmoduleOptions {
      vaultix = mkOption {
        type = types.submodule (submod: {
          options = {
            # Where host-public-key re-encrypted secrets are written, as a
            # "./..."-style string relative to the flake root.
            cache = mkOption {
              type = relativePathStr;
              default = "./secrets/cache";
              defaultText = lib.literalExpression "./secrets/cache";
              description = ''
                `path str` that relative to flake root, used for storing host public key
                re-encrypted secrets.
              '';
            };

            # NixOS configurations vaultix operates on; defaults to every
            # nixosConfiguration exported by the flake.
            nodes = mkOption {
              type = types.lazyAttrsOf types.unspecified;
              default = self.nixosConfigurations;
              defaultText = lib.literalExpression "self.nixosConfigurations";
              description = ''
                nixos systems that vaultix to manage.
              '';
            };

            # Location of the age identity used for editing; the option stores
            # only the path, as a string. A passphrase-protected or
            # hardware-backed identity limits the impact of that file being
            # readable by others.
            identity = mkOption {
              type = types.nullOr identityPathType;
              default = null;
              example = ./password-encrypted-identity.pub;
              description = ''
                `Age identity file`.
                Able to use yubikey, see <https://github.com/str4d/age-plugin-yubikey>.
                Supports age native secrets (recommend protected with passphrase)
              '';
            };

            # Every recipient listed here can decrypt every secret, so this is
            # a backup / break-glass set: keep it short and review it whenever
            # keys are rotated.
            extraRecipients = mkOption {
              type = types.listOf types.str;
              default = [ ];
              example = [
                "age1qyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqs3290gq"
              ];
              description = ''
                Recipients used for backup. Any of identity of them will able
                to decrypt all secrets.
              '';
            };

            # Read-only: one attrset of apps per entry in `config.allSystems`,
            # built by `mkApps` from the submodule's own settings.
            app = mkOption {
              type = types.lazyAttrsOf (types.lazyAttrsOf types.package);
              default = lib.mapAttrs (mkApps submod.config) config.allSystems;
              readOnly = true;
              defaultText = "Auto generate by flake module";
              description = ''
                vaultix apps that auto generate by its flake module.
                Run manually with `nix run .#vaultix.app.$system.<app-name>`
              '';
            };
          };
        });
        default = { };
        description = ''
          A single-admin secret manage scheme for nixos, with support of templates and
          agenix-like secret configuration layout.
        '';
      };
    };

    # Per-system `vaultix.pkgs`, defaulting to that system's `pkgs`; the
    # value is forwarded to the generated apps.
    perSystem = flake-parts-lib.mkPerSystemOption (
      {
        lib,
        pkgs,
        ...
      }:
      {
        options.vaultix = {
          pkgs = mkOption {
            type = types.unspecified;
            default = pkgs;
            defaultText = lib.literalExpression "pkgs";
            description = ''
              pkgs that passed into vaultix apps.
            '';
          };
        };
      }
    );
  };
  _file = __curPos.file;
}