nikkuss/sops-manager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rework

Browse Source
This commit is contained in:
Nikkuss
2026-06-06 00:53:26 +04:00
parent 90eca4e469
commit 9a385176cb
3 changed files with 58 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nix/flakeModule.nix
+48 -35
View File
@@ -16,14 +16,6 @@ in
default = [ ];
description = "A list of master keys for encrypting secrets.";
};
homeIdentities = mkOption {
type = types.listOf types.str;
default = [ ];
example = [
"laptop-home"
"wawa-wawa-home"
];
};
secretsDir = mkOption {
type = types.str;
default = null;
@@ -56,47 +48,68 @@ in
config =
let
secrets = builtins.fromJSON (builtins.readFile "${inputs.self}/${cfg.secretsDir}/secrets.json");
all_keys = lib.flatten (lib.concatAttrValues per_host_keys);
per_host_keys = lib.mergeAttrsList (
toKeyList =
v:
if builtins.isString v then
[ v ]
else if builtins.isList v then
v
else
throw "Unexpected type ${builtins.typeOf v} for sopsPublic";
# Every host across every system: hostName -> [host pubkeys].
host_keys = lib.mergeAttrsList (
lib.flatten (
map (
x:
builtins.mapAttrs (
name: value:
let
v = value.sopsPublic or [ ];
type = builtins.typeOf v;
vv =
if type == "string" then
[ v ]
else if type == "list" then
v
else
throw "Unexpected type ${type} for sopsPublic in host ${name}";
in
vv
) x
perSystem:
lib.mapAttrsToList (_: host: { ${host.hostName} = toKeyList (host.sopsPublic or [ ]); }) perSystem
) (builtins.attrValues den.hosts)
)
);
# Every user on every host is a home identity "<hostName>@<userName>".
home_keys = lib.mergeAttrsList (
lib.flatten (
map (
perSystem:
lib.mapAttrsToList (
_: host:
lib.mapAttrsToList (
_: user: { "${host.hostName}@${user.userName}" = toKeyList (user.sopsPublic or [ ]); }
) (host.users or { })
) perSystem
) (builtins.attrValues den.hosts)
)
);
# Replaces the old hand-maintained `homeIdentities` option.
homeIdentities = builtins.attrNames home_keys;
# A secret's `hosts` may target either a host or a home identity.
identity_keys = host_keys // home_keys;
all_host_keys = lib.flatten (lib.attrValues host_keys);
all_home_keys = lib.flatten (lib.attrValues home_keys);
secret_map = lib.mapAttrs (
name: value:
let
sopskeys = lib.unique (
lib.flatten (map (k: per_host_keys.${k}) value.hosts)
++ (lib.optionals value.global all_keys)
lib.flatten (map (k: identity_keys.${k}) value.hosts)
++ (lib.optionals value.globalHosts all_host_keys)
++ (lib.optionals value.globalHomes all_home_keys)
++ cfg.masterKeys
);
# Descriptive flag: is this secret consumed by a home-manager user?
# True when it is global or targets any identity in `homeIdentities`.
home = value.global || lib.any (h: lib.elem h cfg.homeIdentities) value.hosts;
# True when it is global to homes or targets any home identity.
home = value.globalHomes || lib.any (h: lib.elem h homeIdentities) value.hosts;
in
{
inherit (value)
format
neededForUsers
hosts
global
globalHosts
globalHomes
;
keys = value.keys or [ ];
inherit sopskeys home;
@@ -114,7 +127,7 @@ in
lib.mapAttrsToList (
name: value:
let
hasHost = (lib.elem host value.hosts) || value.global;
hasHost = (lib.elem host value.hosts) || value.globalHosts;
isYamlOrJson = value.format == "yaml" || value.format == "json";
in
(
@@ -158,7 +171,7 @@ in
lib.mapAttrsToList (
name: value:
let
hasHost = (lib.elem identity value.hosts) || value.global;
hasHost = (lib.elem identity value.hosts) || value.globalHomes;
isYamlOrJson = value.format == "yaml" || value.format == "json";
in
(
@@ -193,8 +206,8 @@ in
flake.secretsManifest = {
secretsDir = cfg.secretsDir;
masterKeys = cfg.masterKeys;
hosts = lib.mapAttrs (_: keys: { inherit keys; }) per_host_keys;
homeIdentities = cfg.homeIdentities;
hosts = lib.mapAttrs (_: keys: { inherit keys; }) host_keys;
inherit homeIdentities;
secrets = secret_map;
};
secrets.nixosModule = {