Diffstat (limited to 'modules')
-rw-r--r-- | modules/asecret.nix | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/modules/asecret.nix b/modules/asecret.nix
new file mode 100644
index 0000000..7c17d99
--- /dev/null
+++ b/modules/asecret.nix
@@ -0,0 +1,91 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.asecret;
+
+ inherit (lib) mapAttrs' mkOption nameValuePair;
+ inherit (lib.types) attrsOf enum str submodule;
+ inherit (pkgs) writeText;
+
+ dispatchType = with pkgs.asecret-lib; {
+ "hashed-password" = hashedPassword;
+ "password" = password;
+ "ssh-key-pair" = ssh-key-pair;
+ "ssl-certificate" = ssl-certificate;
+ "wireguard" = wireguard;
+ };
+in
+{
+ options.asecret = mkOption {
+ default = {};
+ description = ''
+ Secrets. These should be used everywhere.
+ '';
+
+ example = lib.literalExpression ''
+ {
+ mySecret = {
+ secret.input = {
+ user = "me";
+ mode = "0400";
+ restartUnits = [ "myservice.service" ];
+ };
+ settings.content = "My Secret";
+ };
+ }
+ '';
+ type = attrsOf (submodule (mod@{ name, options, ... }: {
+ options = {
+ mode = mkOption {
+ description = ''
+ Mode of the secret file.
+ '';
+ type = str;
+ default = "0400";
+ };
+
+ owner = mkOption {
+ description = ''
+ Linux user owning the secret file.
+ '';
+ type = str;
+ };
+
+ group = mkOption {
+ description = ''
+ Linux group owning the secret file.
+ '';
+ type = str;
+ default = options.user.default;
+ defaultText = "user";
+ };
+
+ type = mkOption {
+ type = enum (lib.attrNames dispatchType);
+ description = ''
+ Type of the secret as a string.
+ '';
+ default = "password";
+ };
+
+ path = mkOption {
+ type = str;
+ description = ''
+ Path where the secret should be located.
+ '';
+ default = name;
+ };
+
+ secret = mkOption {
+ type = config.contracts.secret.provider;
+ };
+ };
+
+ config = {
+ inherit (mod.config.secret.input) mode owner group;
+ secret.output.path = dispatchType.${mod.config.type} mod.config.path;
+ };
+ }));
+ };
+
+ meta.buildDocsInSandbox = false;
+}
|
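Review bot: `default = options.user.default;` on the `group` option refers to an option that this submodule never declares (the declared options are `mode`, `owner`, `group`, `type`, `path`, `secret`), so any evaluation that falls back to the default will throw on the missing `user` attribute; and since `owner` itself has no default, `options.owner.default` would throw as well. The likely intent is to follow the configured owner, e.g. `default = mod.config.owner;` with `defaultText = "owner";`. The same naming mismatch shows in the `example`, which sets `secret.input.user = "me"` while the `config` block does `inherit (mod.config.secret.input) mode owner group;`, so the documented example would not populate `owner`. Separately, `cfg`, `mapAttrs'`, `nameValuePair` and `writeText` are bound but unused, and the `secret` option has no `description` although every other option in the submodule does.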