From c69b98e6e72ff74a0275e3e1fbdb2a1b0225187d Mon Sep 17 00:00:00 2001
From: ElliottSullingeFarrall
Date: Sun, 22 Sep 2024 18:05:32 +0100
Subject: [PATCH] feature: added support for substituting secrets into files

---
 modules/age-home.nix | 20 ++++++++++++++++++++
 modules/age.nix | 24 ++++++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/modules/age-home.nix b/modules/age-home.nix
index 7c1051f..54c3440 100644
--- a/modules/age-home.nix
+++ b/modules/age-home.nix
@@ -65,6 +65,12 @@ with lib; let
 ''}
 '';
 
+ substituteSecret = secretType:
+ builtins.concatStringsSep "\n" (builtins.map (file: ''
+ ${pkgs.gnused}/bin/sed -i "s#@${secretType.name}@#$(cat ${secretType.path})#" ${file}
+ '')
+ secretType.substitutions);
+
 testIdentities =
 map
 (path: ''
@@ -91,6 +97,11 @@ with lib; let
 ++ [cleanupAndLink]
 );
 
+ substituteSecrets = builtins.concatStringsSep "\n" (
+ ["echo '[agenix] substituting secrets...'"]
+ ++ (map substituteSecret (builtins.attrValues cfg.secrets))
+ );
+
 secretType = types.submodule ({
 config,
 name,
@@ -117,6 +128,14 @@ with lib; let
 Path where the decrypted secret is installed.
 '';
 };
+ substitutions = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = ''
+ List of files to substitute the secret into.
+ WARNING: It is recommended to set `force = true` for files managed through home-manager.
+ '';
+ };
 mode = mkOption {
 type = types.str;
 default = "0400";
@@ -135,6 +154,7 @@ with lib; let
 text = ''
 ${newGeneration}
 ${installSecrets}
+ ${substituteSecrets}
 exit 0
 '';
 };
diff --git a/modules/age.nix b/modules/age.nix
index e49d9d8..5a847de 100644
--- a/modules/age.nix
+++ b/modules/age.nix
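Review bot: The `sed -i "s#@${secretType.name}@#$(cat ${secretType.path})#" ${file}` line in `substituteSecret` expands the decrypted secret into sed's argument vector, so for the lifetime of that process it is readable by any local user via `ps` or `/proc/<pid>/cmdline`, which defeats the `0400` mode the module otherwise enforces on the secret file. The same unescaped interpolation means a secret containing `#`, `&`, `\` or a newline is parsed as sed syntax (or yields "unterminated `s' command") instead of being inserted literally, `$(cat …)` silently strips trailing newlines, and `${file}` is unquoted. Since the value already lives in a file, the fix is to have the tool read it from there rather than from the shell; nixpkgs provides `pkgs.replace-secret` for exactly this, e.g. `${pkgs.replace-secret}/bin/replace-secret '@${secretType.name}@' '${secretType.path}' '${file}'`. If that dependency is unwanted, at minimum feed sed a script via `-f` from a 0600 temp file and escape the replacement text.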
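Review bot: The `substitutions` option description (hunk `@@ -117,6 +128,14 @@`) does not say that the target file will hold the decrypted secret in plaintext after activation, so it is the target's mode and owner — not the secret's `mode`/`owner` — that now decide who can read it. I would add to the description: `The target file will contain the secret in plaintext after activation; make sure its permissions are at least as strict as the secret's, and never point this at a world-readable file.` The existing WARNING about `force = true` would also be clearer with one clause on why it is needed (presumably because `sed -i` replaces a home-manager store symlink with a regular file, which home-manager then refuses to overwrite on the next activation — worth confirming and stating).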
@@ -129,6 +129,17 @@ with lib; let
 ++ (map chownSecret (builtins.attrValues cfg.secrets))
 );
 
+ substituteSecret = secretType:
+ builtins.concatStringsSep "\n" (builtins.map (file: ''
+ ${pkgs.gnused}/bin/sed -i "s#@${secretType.name}@#$(cat ${secretType.path})#" ${file}
+ '')
+ secretType.substitutions);
+
+ substituteSecrets = builtins.concatStringsSep "\n" (
+ ["echo '[agenix] substituting secrets...'"]
+ ++ (map substituteSecret (builtins.attrValues cfg.secrets))
+ );
+
 secretType = types.submodule ({config, ...}: {
 options = {
 name = mkOption {
@@ -155,6 +166,13 @@ with lib; let
 Path where the decrypted secret is installed.
 '';
 };
+ substitutions = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = ''
+ List of files to substitute the secret into.
+ '';
+ };
 mode = mkOption {
 type = types.str;
 default = "0400";
@@ -298,6 +316,12 @@ in {
 text = "";
 deps = ["agenixChown"];
 };
+
+ # Substitute secrets into files.
+ system.activationScripts.agenixSubstitute = {
+ text = substituteSecrets;
+ deps = ["agenix" "etc"];
+ };
 })
 (optionalAttrs isDarwin {
 launchd.daemons.activate-agenix = {
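Review bot: In `substituteSecret` the decrypted secret is spliced into sed's command line through `$(cat ${secretType.path})`; on NixOS this runs as root during activation, and `/proc/<pid>/cmdline` is world-readable by default, so every local user gets a window in which the secret is visible, and the unescaped interpolation additionally breaks or misbehaves for secrets containing `#`, `&`, `\` or newlines. This helper is a verbatim copy of the one added to `age-home.nix` in the same patch, so whichever fix is adopted should land in both; reading the secret from the file with `${pkgs.replace-secret}/bin/replace-secret '@${secretType.name}@' '${secretType.path}' '${file}'` avoids both the argv exposure and the escaping problem. `${file}` should be quoted in either variant.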
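Review bot: The `substitutions` description in hunk `@@ -155,6 +166,13 @@` says only "List of files to substitute the secret into", omitting the two caveats a user of a secrets option needs: the target file will contain the plaintext secret afterwards and keeps its own mode/owner rather than inheriting the secret's, and — unlike the home-manager counterpart in this patch, which at least warns about `force = true` — nothing is said about targets that are symlinks into the Nix store (for example anything generated via `environment.etc`), which `sed -i` would presumably replace with a regular file or fail on. I would extend the description with: `The target file will contain the secret in plaintext; ensure its mode and owner are as restrictive as the secret's. Targets must be regular, writable files that already exist when the activation script runs; they must not live in the Nix store.`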