john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
43ae292f39604c30af3f10dc6afb0b67df387219
dendritic/modules/programs/sops.nix
T
John Lancaster 026bf541e1 sops with wrappers
2026-04-20 21:13:31 -05:00

98 lines
2.9 KiB
Nix
Raw Blame History

{ self, inputs, ... }:
let
inputs' = inputs; # save a reference before it's shadowed
in
{
flake-file.inputs = {
# Adding sops-nix to the flake-file inputs causes it to get added to the inputs in flake.nix when it gets generated.
# This also makes the sops-nix module available
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
};
flake.modules.nixos.mysops = {
imports = [ inputs.sops-nix.nixosModules.sops ];
};
# Define the homeModules that are used by flake-parts
# https://flake.parts/options/home-manager.html#opt-flake.modules.homeManager
flake.modules.homeManager.mysops = { config, pkgs, lib, ... }:
let
cfg = config.mysops;
in
{
imports = [
# This import makes the sops config attribute available below
inputs'.sops-nix.homeManagerModules.sops
];
options.mysops = {
hostSecretFile = lib.mkOption {
description = "Path to the secrets file for this host. Used to create the edit-secrets script";
type = lib.types.nullOr lib.types.str;
default = null;
};
};
config =
let
my-sops = (inputs.self.wrappers.mySops.apply {
inherit pkgs;
sshKey = config.ssh.identityFile;
}).wrapper;
in
{
home.packages = with pkgs; [
my-sops
(inputs.wrappers.lib.wrapPackage {
binName = "ls-secrets";
inherit pkgs;
package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-eza;
args = [
"-T" "--follow-symlinks"
"${config.xdg.configHome}/sops-nix/secrets"
];
})
(inputs.wrappers.lib.wrapPackage {
binName = "edit-secrets";
inherit pkgs;
package = my-sops;
args = [ cfg.hostSecretFile ];
})
];
# Option definitions for the sops home-manager module:
# https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
sops = {
defaultSopsFile = ../../keys/secrets.yaml;
defaultSopsFormat = "yaml";
age.sshKeyPaths = [ "${config.ssh.identityFile}" ];
};
};
};
flake.wrappers.mySops = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
sshKey = lib.mkOption {
type = lib.types.str;
description = "String path to the SSH key to use for creating an AGE key at runtime";
};
};
config = {
# binName = "my-sops";
package = config.pkgs.sops;
extraPackages = with config.pkgs; [ coreutils ssh-to-age ];
preHook = ''
AGE_KEY=$(umask 077; mktemp)
ssh-to-age -private-key -i ${config.sshKey} > "$AGE_KEY"
'';
flags."--config" = "${../../.sops.yaml}";
postHook = ''
rm "$AGE_KEY"
echo "Removed $AGE_KEY"
'';
};
});
}
Reference in New Issue View Git Blame Copy Permalink