feat(dgn-secrets): Add a matches option

This option allows specifying regexes tied to options. When a secret matches a pattern, the the options are applied to it.
2023-10-02 22:48:18 +02:00 · 2023-10-02 22:48:18 +02:00 · 5622bc3748
commit 5622bc3748
parent 18c1fa1ddd
9 changed files with 71 additions and 107 deletions
--- a/modules/dgn-secrets.nix
+++ b/modules/dgn-secrets.nix
@ -1,4 +1,4 @@
-#  Copyright :
+# Copyright :
 #  - Tom Hubrecht <tom.hubrecht@dgnum.eu>      2023
 #
 #  Ce logiciel est un programme informatique servant à déployer des
@ -39,43 +39,40 @@ let

    types;

-  inherit (dgn-lib)
-    getSecrets
-    mkBaseSecrets
-    recursiveFuse;
+  inherit (dgn-lib) getSecrets mkBaseSecrets recursiveFuse;

  cfg = config.dgn-secrets;

-  optionsType = with types; submodule ({ config, ... }: {
-    options = {
-      mode = mkOption {
-        type = str;
-        default = "0400";
-        description = ''
-          Permissions mode of the decrypted secret in a format understood by chmod.
-        '';
-      };
+  optionsType = with types;
+    submodule ({ config, ... }: {
+      options = {
+        mode = mkOption {
+          type = str;
+          default = "0400";
+          description = ''
+            Permissions mode of the decrypted secret in a format understood by chmod.
+          '';
+        };

-      owner = mkOption {
-        type = str;
-        default = "0";
-        description = ''
-          User of the decrypted secret.
-        '';
-      };
+        owner = mkOption {
+          type = str;
+          default = "0";
+          description = ''
+            User of the decrypted secret.
+          '';
+        };

-      group = mkOption {
-        type = str;
-        default = config.users.${config.owner}.group or "0";
-        description = ''
-          Group of the decrypted secret.
-        '';
+        group = mkOption {
+          type = str;
+          default = config.users.${config.owner}.group or "0";
+          description = ''
+            Group of the decrypted secret.
+          '';
+        };
      };
-    };
-  });
-in
+    });

-{
+in {
  options.dgn-secrets = {
    sources = mkOption {
      type = with types; listOf path;
@ -95,18 +92,30 @@ in

    names = mkOption {
      type = with types; listOf str;
-      default = builtins.foldl' (acc: dir: acc ++ (dgn-lib.getSecrets dir)) [ ] cfg.sources;
+      default = builtins.foldl' (acc: dir: acc ++ (dgn-lib.getSecrets dir)) [ ]
+        cfg.sources;
      description = ''
        List of the names of the secrets.
      '';
    };
+
+    matches = mkOption {
+      type = with types; attrsOf optionsType;
+      default = { };
+      description = ''
+        Matches of secret names associated to options.
+      '';
+    };
  };

  config = {
-    age.secrets = recursiveFuse (cfg.options ++ (
-      builtins.map
-        (dir: mkBaseSecrets dir (getSecrets dir))
-        cfg.sources
-    ));
+    dgn-secrets.options = builtins.concatLists (builtins.attrValues
+      (builtins.mapAttrs (pattern: options:
+        builtins.map (secret: { ${secret} = options; })
+        (builtins.filter (secret: builtins.match pattern secret != null)
+          cfg.names)) cfg.matches));
+
+    age.secrets = recursiveFuse (cfg.options
+      ++ (builtins.map (dir: mkBaseSecrets dir (getSecrets dir)) cfg.sources));
  };
 }