fix: disallow Nix store paths in age.identityPaths option
This commit is contained in:
parent
833f87c8ff
commit
1141c36c26
1 changed files with 11 additions and 4 deletions
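--- a/FILE_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -174,6 +174,15 @@ with lib; let
 symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;};
 };
 });
+
+identity = with types;
+mkOptionType {
+name = "identity";
+description = "Path to the identity for age decryption. Usually a path to an SSH key. Must not be a store path, because we do not want private keys to end up in the nix store.";
+descriptionClass = "noun";
+check = x: isStringLike x && !isStorePath x;
+merge = mergeEqualOption;
+};
 in {
 imports = [
 (mkRenamedOptionModule ["age" "sshKeyPaths"] ["age" "identityPaths"])
@@ -216,7 +225,7 @@ in {
 '';
 };
 identityPaths = mkOption {
-type = types.listOf types.path;
+type = types.listOf identity;
 default =
 if (config.services.openssh.enable or false)
 then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
@@ -226,9 +235,7 @@ in {
 "/etc/ssh/ssh_host_rsa_key"
 ]
 else [];
-description = ''
-Path to SSH keys to be used as identities in age decryption.
-'';
+description = "List of identities: ${identity.description}";
 };
 };
 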
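Review bot: The `check` on the new `identity` type still leaves two ways for a private key to land in the store. An unquoted Nix path value such as `/etc/ssh/ssh_host_ed25519_key` satisfies `isStringLike x && !isStorePath x`, yet it is copied into the store as soon as the module interpolates it into a derivation, which is presumably how identityPaths is consumed outside this hunk; and lib.isStorePath, as I read it, only compares `dirOf` with `storeDir`, so a key sitting deeper inside a store output (`/nix/store/<hash>-keys/host_key`) also passes. Requiring a plain string plus a prefix test closes both: `check = x: isString x && !hasPrefix builtins.storeDir x;`. Whichever check is kept, the description should say that the value must be a quoted string rather than a path literal, since that is the case users are most likely to get wrong.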