feature: added support for substituting secrets into files
parent
3a56735779
commit
c69b98e6e7
2 changed files with 44 additions and 0 deletions
|
@ -65,6 +65,12 @@ with lib; let
|
|||
''}
|
||||
'';
|
||||
|
||||
substituteSecret = secretType:
|
||||
builtins.concatStringsSep "\n" (builtins.map (file: ''
|
||||
${pkgs.gnused}/bin/sed -i "s#@${secretType.name}@#$(cat ${secretType.path})#" ${file}
|
||||
'')
|
||||
secretType.substitutions);
|
||||
|
||||
testIdentities =
|
||||
map
|
||||
(path: ''
|
||||
|
@ -91,6 +97,11 @@ with lib; let
|
|||
++ [cleanupAndLink]
|
||||
);
|
||||
|
||||
substituteSecrets = builtins.concatStringsSep "\n" (
|
||||
["echo '[agenix] substituting secrets...'"]
|
||||
++ (map substituteSecret (builtins.attrValues cfg.secrets))
|
||||
);
|
||||
|
||||
secretType = types.submodule ({
|
||||
config,
|
||||
name,
|
||||
|
@ -117,6 +128,14 @@ with lib; let
|
|||
Path where the decrypted secret is installed.
|
||||
'';
|
||||
};
|
||||
substitutions = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
List of files to substitute the secret into.
|
||||
WARNING: It is recommended to set `force = true` for files managed through home-manager.
|
||||
'';
|
||||
};
|
||||
mode = mkOption {
|
||||
type = types.str;
|
||||
default = "0400";
|
||||
|
@ -135,6 +154,7 @@ with lib; let
|
|||
text = ''
|
||||
${newGeneration}
|
||||
${installSecrets}
|
||||
${substituteSecrets}
|
||||
exit 0
|
||||
'';
|
||||
};
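Review bot: The `sed -i` line in `substituteSecret` splices the raw decrypted value into the `s#…#…#` expression, so a secret containing `#`, `&`, `\` or a newline breaks or alters the substitution, and the value also becomes part of sed's argv, where it is readable through `ps` and in any `set -x` trace of the activation script; `${file}` is unquoted as well. nixpkgs ships `replace-secret` for exactly this case, which reads the secret from its file rather than from the command line: `${pkgs.replace-secret}/bin/replace-secret '@${secretType.name}@' '${secretType.path}' '${file}'`. If sed is kept, the value must at least be escaped for the delimiter and for `&`, and a missing secret should fail the step instead of `$(cat …)` silently substituting an empty string. The identical `substituteSecret` body appears again in the second file's `@ -129,6 +129,17 @@` hunk.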
|
||||
@ -129,6 +129,17 @@ with lib; let
|
|||
++ (map chownSecret (builtins.attrValues cfg.secrets))
|
||||
);
|
||||
|
||||
substituteSecret = secretType:
|
||||
builtins.concatStringsSep "\n" (builtins.map (file: ''
|
||||
${pkgs.gnused}/bin/sed -i "s#@${secretType.name}@#$(cat ${secretType.path})#" ${file}
|
||||
'')
|
||||
secretType.substitutions);
|
||||
|
||||
substituteSecrets = builtins.concatStringsSep "\n" (
|
||||
["echo '[agenix] substituting secrets...'"]
|
||||
++ (map substituteSecret (builtins.attrValues cfg.secrets))
|
||||
);
|
||||
|
||||
secretType = types.submodule ({config, ...}: {
|
||||
options = {
|
||||
name = mkOption {
|
||||
|
@ -155,6 +166,13 @@ with lib; let
|
|||
Path where the decrypted secret is installed.
|
||||
'';
|
||||
};
|
||||
substitutions = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
List of files to substitute the secret into.
|
||||
'';
|
||||
};
|
||||
mode = mkOption {
|
||||
type = types.str;
|
||||
default = "0400";
|
||||
|
@ -298,6 +316,12 @@ in {
|
|||
text = "";
|
||||
deps = ["agenixChown"];
|
||||
};
|
||||
|
||||
# Substitute secrets into files.
|
||||
system.activationScripts.agenixSubstitute = {
|
||||
text = substituteSecrets;
|
||||
deps = ["agenix" "etc"];
|
||||
};
|
||||
})
|
||||
(optionalAttrs isDarwin {
|
||||
launchd.daemons.activate-agenix = {
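Review bot: The file rewritten by `sed -i` in this file's `substituteSecret` keeps the mode and owner of the template it replaces, while the `mode` option (default `"0400"`) applies only to the decrypted secret at `path`; a world-readable template, or a symlink into the store that `sed -i` turns into a regular file, therefore becomes a readable copy of the secret, and neither this hunk nor `system.activationScripts.agenixSubstitute` adjusts it. The `substitutions` description should state this, e.g. `The target file keeps its existing mode and owner after substitution; it is not restricted to the secret's mode.`, and the activation step should set a restrictive mode (or refuse) before writing. Note also that under `set -e` a failed `$(cat …)` inside a sed argument does not abort the script, so a secret missing at activation time yields an empty replacement with only the `[agenix] substituting secrets...` echo in the log.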
|
||||