diff options
| author |  Alexander Foremny <aforemny@posteo.de> | 2025-09-05 23:52:28 +0200 |
|---|---|---|
| committer | Alexander Foremny <aforemny@posteo.de> | 2025-09-05 23:52:28 +0200 |
| commit | 7132c52c038de995eb291070a4cda3eaf975635b (patch) | |
| tree | a8a2a438d03b0761454e11f50ccfe59e7850c87d /providers | |
| parent | adba5f32fdec0ca53937d571cd76f36e66fa6556 (diff) | |
another take on basic contracts
- adds "secret" consumer `nixosModules.userSecret`
- binds secret provider `testing.hardcodedSecret.rootPassword` with
secret consumer `users.users.root.passwordSecret`
Diffstat (limited to 'providers')
| -rw-r--r-- | providers/asecret.nix | 127 |
1 files changed, 0 insertions, 127 deletions
diff --git a/providers/asecret.nix b/providers/asecret.nix deleted file mode 100644 index df7fe20..0000000 --- a/providers/asecret.nix +++ /dev/null @@ -1,127 +0,0 @@ -{ config, lib, pkgs, ... }: -let - cfg = config.asecret; - - inherit (lib) mapAttrs' mkOption nameValuePair; - inherit (lib.types) attrsOf nullOr str submodule; - inherit (pkgs) writeText; -in -{ - options.asecret = mkOption { - default = {}; - description = '' - A secret. These should only be used in tests. - ''; - - example = lib.literalExpression '' - { - mySecret = { - secret.input = { - user = "me"; - mode = "0400"; - restartUnits = [ "myservice.service" ]; - }; - settings.content = "My Secret"; - }; - } - ''; - type = attrsOf (submodule (mod@{ name, options, ... }: { - options = { - mode = mkOption { - description = '' - Mode of the secret file. - ''; - type = str; - default = "0400"; - }; - - owner = mkOption { - description = '' - Linux user owning the secret file. - ''; - type = str; - }; - - group = mkOption { - description = '' - Linux group owning the secret file. - ''; - type = str; - default = options.user.default; - defaultText = "user"; - }; - - content = mkOption { - type = nullOr str; - description = '' - Content of the secret as a string. - - This will be stored in the nix store and should only be used for testing or maybe in dev. - ''; - default = null; - }; - - source = mkOption { - type = nullOr str; - description = '' - Source of the content of the secret as a path in the nix store. - ''; - default = null; - }; - - path = mkOption { - type = str; - description = '' - Path where the secret should be located. - ''; - default = "/run/hardcodedSecrets/hardcodedSecret_${name}"; - }; - - secrets = mkOption { - type = config.contracts.secrets.provider; - }; - }; - - config = { - inherit (mod.config.secret.input) mode owner group; - secret.output.path = mod.config.path; - }; - })); - }; - - config = { - system.activationScripts = mapAttrs' (n: cfg': - let - source = if cfg'.source != null - then cfg'.source - else writeText "hardcodedSecret_${n}_content" cfg'.content; - in - nameValuePair "hardcodedSecret_${n}" '' - ( - set -e - mkdir -p "$(dirname "${cfg'.path}")" - touch "${cfg'.path}" - chmod ${cfg'.mode} "${cfg'.path}" - chown ${cfg'.owner}:${cfg'.group} "${cfg'.path}" - cp ${source} "${cfg'.path}" - ) || echo "Failed to create hardcoded secret at ${cfg'.path}" - '' - ) cfg; - }; - - # Without `meta.buildDocsInSandbox = false;`, I get: - # - # > error: attribute 'contracts' missing - # > at /nix/store/2gd9yzcfpqqp00vskxlqq4ds48mpgdzv-nixos/modules/testing/hardcodedSecret.nix:81:18: - # > 80| secret = mkOption { - # > 81| type = config.contracts.secret.provider; - # > | ^ - # > 82| }; - # > Cacheable portion of option doc build failed. - # > Usually this means that an option attribute that ends up in documentation (eg `default` or `description`) depends on the restricted module arguments `config` or `pkgs`. - # > - # > Rebuild your configuration with `--show-trace` to find the offending location. Remove the references to restricted arguments (eg by escaping their antiquotations or adding a `defaultText`) or disable the sandboxed build for the failing module by setting `meta.buildDocsInSandbox = false`. - # - # With the line, I don't get the warning but still get the missing 'contracts' attribute error. - meta.buildDocsInSandbox = false; -} |