home-manager
+66
-2
@@ -1,7 +1,6 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
flake-parts-lib,
|
||||
inputs,
|
||||
den,
|
||||
...
|
||||
@@ -17,6 +16,14 @@ in
|
||||
default = [ ];
|
||||
description = "A list of master keys for encrypting secrets.";
|
||||
};
|
||||
homeIdentities = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
example = [
|
||||
"laptop-home"
|
||||
"wawa-wawa-home"
|
||||
];
|
||||
};
|
||||
secretsDir = mkOption {
|
||||
type = types.str;
|
||||
default = null;
|
||||
@@ -39,6 +46,12 @@ in
|
||||
description = "A function that takes the NixOS configuration and returns a NixOS module to apply to the host based on its network configuration.";
|
||||
};
|
||||
};
|
||||
homeManagerModule = {
|
||||
default = mkOption {
|
||||
type = types.functionTo types.attrs;
|
||||
default = identity: { };
|
||||
};
|
||||
};
|
||||
};
|
||||
config =
|
||||
let
|
||||
@@ -74,6 +87,9 @@ in
|
||||
++ (lib.optionals value.global all_keys)
|
||||
++ cfg.masterKeys
|
||||
);
|
||||
# Descriptive flag: is this secret consumed by a home-manager user?
|
||||
# True when it is global or targets any identity in `homeIdentities`.
|
||||
home = value.global || lib.any (h: lib.elem h cfg.homeIdentities) value.hosts;
|
||||
in
|
||||
{
|
||||
inherit (value)
|
||||
@@ -83,7 +99,7 @@ in
|
||||
global
|
||||
;
|
||||
keys = value.keys or [ ];
|
||||
inherit sopskeys;
|
||||
inherit sopskeys home;
|
||||
}
|
||||
) secrets;
|
||||
|
||||
@@ -130,12 +146,55 @@ in
|
||||
) secret_map
|
||||
)
|
||||
);
|
||||
|
||||
# Home-manager analog of sops_secrets_map. Takes a key identity (e.g.
|
||||
# `laptop-home`) and deliberately omits `neededForUsers`, which the
|
||||
# sops-nix home-manager module does not support (it only matters for
|
||||
# decrypting before system users exist, a NixOS-only concern).
|
||||
home_secrets_map =
|
||||
identity:
|
||||
lib.mkMerge (
|
||||
lib.concatLists (
|
||||
lib.mapAttrsToList (
|
||||
name: value:
|
||||
let
|
||||
hasHost = (lib.elem identity value.hosts) || value.global;
|
||||
isYamlOrJson = value.format == "yaml" || value.format == "json";
|
||||
in
|
||||
(
|
||||
[
|
||||
(
|
||||
if hasHost && !(isYamlOrJson && value.keys != [ ]) then
|
||||
{
|
||||
${name} = {
|
||||
inherit (value) format;
|
||||
sopsFile = inputs.self + "/${cfg.secretsDir}/${name}";
|
||||
};
|
||||
}
|
||||
else
|
||||
{ }
|
||||
)
|
||||
]
|
||||
++ lib.optionals hasHost (
|
||||
lib.map (v: {
|
||||
"${name}-${v}" = {
|
||||
inherit (value) format;
|
||||
sopsFile = inputs.self + "/${cfg.secretsDir}/${name}";
|
||||
key = v;
|
||||
};
|
||||
}) value.keys
|
||||
)
|
||||
)
|
||||
) secret_map
|
||||
)
|
||||
);
|
||||
in
|
||||
{
|
||||
flake.secretsManifest = {
|
||||
secretsDir = cfg.secretsDir;
|
||||
masterKeys = cfg.masterKeys;
|
||||
hosts = lib.mapAttrs (_: keys: { inherit keys; }) per_host_keys;
|
||||
homeIdentities = cfg.homeIdentities;
|
||||
secrets = secret_map;
|
||||
secrets_map = sops_secrets_map;
|
||||
};
|
||||
@@ -151,6 +210,11 @@ in
|
||||
config.sops.secrets = sops_secrets_map config.networking.hostName;
|
||||
};
|
||||
};
|
||||
secrets.homeManagerModule = {
|
||||
default = identity: {
|
||||
config.sops.secrets = home_secrets_map identity;
|
||||
};
|
||||
};
|
||||
perSystem =
|
||||
{ pkgs, self', ... }:
|
||||
let
|
||||
|
||||
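Review bot: `hasHost` in `home_secrets_map` emits a secret for any `identity` that appears in `value.hosts` or is `global`, without checking that the identity is declared in `cfg.homeIdentities`, whereas the `home` flag exported to the manifest (the hunk adding `home = value.global || lib.any (h: lib.elem h cfg.homeIdentities) value.hosts;`) is computed from `cfg.homeIdentities`; the two can therefore disagree, and an identity absent from the manifest would still receive `sops.secrets` entries it was presumably never encrypted for, failing only at decryption time. If `homeIdentities` is meant to be the authoritative list, tightening the guard to `hasHost = lib.elem identity cfg.homeIdentities && (value.global || lib.elem identity value.hosts);` (or an `assert` / `lib.warnIf` on `identity`) would surface the misconfiguration at evaluation instead. The new `homeIdentities` and `homeManagerModule.default` options also lack the `description` the neighbouring options carry, e.g. `description = "Home-manager key identities that may receive secrets via secrets.homeManagerModule.";`.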