feature: added support for substituting secrets into files
ElliottSullingeFarrall committed Sep 22, 2024
1 parent 3a56735 commit c69b98e
Showing 2 changed files with 44 additions and 0 deletions.
20 changes: 20 additions & 0 deletions modules/age-home.nix
Expand Up @@ -65,6 +65,12 @@ with lib; let
''}
'';

substituteSecret = secretType:
builtins.concatStringsSep "\n" (builtins.map (file: ''
${pkgs.gnused}/bin/sed -i "s#@${secretType.name}@#$(cat ${secretType.path})#" ${file}
'')
secretType.substitutions);

testIdentities =
map
(path: ''
Expand All @@ -91,6 +97,11 @@ with lib; let
++ [cleanupAndLink]
);

substituteSecrets = builtins.concatStringsSep "\n" (
["echo '[agenix] substituting secrets...'"]
++ (map substituteSecret (builtins.attrValues cfg.secrets))
);

secretType = types.submodule ({
config,
name,
Expand All @@ -117,6 +128,14 @@ with lib; let
Path where the decrypted secret is installed.
'';
};
substitutions = mkOption {
type = types.listOf types.str;
default = [];
description = ''
List of files to substitute the secret into.
WARNING: It is recommended to set `force = true` for files managed through home-manager.
'';
};
mode = mkOption {
type = types.str;
default = "0400";
Expand All @@ -135,6 +154,7 @@ with lib; let
text = ''
${newGeneration}
${installSecrets}
${substituteSecrets}
exit 0
'';
};
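Review bot: The `sed -i "s#@${secretType.name}@#$(cat ${secretType.path})#" ${file}` line in `substituteSecret` expands the decrypted secret into sed's argument vector, where it is readable by other local users through the process list for the lifetime of the call, and it is also parsed as part of the sed expression, so a secret containing `#`, `&`, `\` or a newline (a PEM key, for instance) breaks the command or produces a different replacement than intended. Prefer a tool that reads the secret from the file itself rather than from the command line; nixpkgs ships `replace-secret` for exactly this case, e.g. `${pkgs.replace-secret}/bin/replace-secret '@${secretType.name}@' ${escapeShellArg secretType.path} ${escapeShellArg file}`, which also fixes the unquoted `${file}` and `secretType.path` interpolations (paths with spaces or shell metacharacters currently split or expand). The identical `substituteSecret` definition is added in modules/age.nix in the second file section and should be changed together with this one. Consider also logging which file is being rewritten without echoing the secret, so activation output never contains secret material.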
24 changes: 24 additions & 0 deletions modules/age.nix
Expand Up @@ -129,6 +129,17 @@ with lib; let
++ (map chownSecret (builtins.attrValues cfg.secrets))
);

substituteSecret = secretType:
builtins.concatStringsSep "\n" (builtins.map (file: ''
${pkgs.gnused}/bin/sed -i "s#@${secretType.name}@#$(cat ${secretType.path})#" ${file}
'')
secretType.substitutions);

substituteSecrets = builtins.concatStringsSep "\n" (
["echo '[agenix] substituting secrets...'"]
++ (map substituteSecret (builtins.attrValues cfg.secrets))
);

secretType = types.submodule ({config, ...}: {
options = {
name = mkOption {
Expand All @@ -155,6 +166,13 @@ with lib; let
Path where the decrypted secret is installed.
'';
};
substitutions = mkOption {
type = types.listOf types.str;
default = [];
description = ''
List of files to substitute the secret into.
'';
};
mode = mkOption {
type = types.str;
default = "0400";
Expand Down Expand Up @@ -298,6 +316,12 @@ in {
text = "";
deps = ["agenixChown"];
};

# Substitute secrets into files.
system.activationScripts.agenixSubstitute = {
text = substituteSecrets;
deps = ["agenix" "etc"];
};
})
(optionalAttrs isDarwin {
launchd.daemons.activate-agenix = {
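Review bot: The `substitutions` option description in modules/age.nix drops the caveat its age-home.nix twin carries and, like it, does not document that the replacement is one-shot: `sed -i` consumes the `@name@` placeholder on the first activation, so a later activation with a rotated secret has nothing left to match and the stale value stays in the target file unless something else regenerates it first. Suggest extending the description to: `List of files to substitute the secret into. The placeholder @<name>@ is rewritten in place during activation; once replaced it is gone, so a rotated secret is only applied to files that are regenerated before agenixSubstitute runs.` The `agenixSubstitute` script declares `deps = ["agenix" "etc"]`, which presumably is meant to cover files produced by `environment.etc`, but whether those are regenerated on every activation depends on how they are managed and is not visible here — worth confirming and stating in the description. The enclosing `system.activationScripts` attribute set continues outside the hunk.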

0 comments on commit c69b98e

Please sign in to comment.