fix derived secrets (all were failing)

2023-07-11 05:15:56 +00:00 · 2023-07-11 05:15:56 +00:00 · 3bbc4aecbb
commit 3bbc4aecbb
parent 464db2c118
2 changed files with 7 additions and 7 deletions
--- a/hosts/modules/derived-secrets/default.nix
+++ b/hosts/modules/derived-secrets/default.nix
@ -1,16 +1,14 @@
 { config, lib, pkgs, ... }:

 let
-  inherit (builtins) toString;
-  inherit (lib) mapAttrs mkOption types;

  hash-path-with-salt = pkgs.static-nix-shell.mkBash {
    pname = "hash-path-with-salt";
    src = ./.;
  };
-  
+
  cfg = config.sane.derived-secrets;
-  secret = types.submodule {
+  secret = with lib; types.submodule {
    options = {
      len = mkOption {
        type = types.int;
@ -23,7 +21,7 @@ let
 in
 {
  options = {
-    sane.derived-secrets = mkOption {
+    sane.derived-secrets = with lib; mkOption {
      type = types.attrsOf secret;
      default = {};
      description = ''
@ -36,11 +34,12 @@ in
  };

  config = {
-    sane.fs = mapAttrs (path: c: {
+    sane.fs = lib.mapAttrs (path: c: {
      generated.command = [
        "${hash-path-with-salt}/bin/hash-path-with-salt"
        path
        c.encoding
+        (builtins.toString (c.len * 2))
      ];
      generated.acl.mode = "0600";
    }) cfg;
--- a/hosts/modules/derived-secrets/hash-path-with-salt
+++ b/hosts/modules/derived-secrets/hash-path-with-salt
@ -2,9 +2,10 @@
 #!nix-shell -i bash
 file="$1"
 enc="$2"
+nibbles="$3"
 echo "$file" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
  | sha512sum \
-  | cut -c 1-${toString (c.len * 2)} \
+  | cut -c "1-$nibbles" \
  | tr a-z A-Z \
  | basenc -d --base16 \
  | basenc "--$enc" \