programs: add per-program secrets
This commit is contained in:
parent
1f0fbe29a8
commit
9c09d03e5c
|
@ -2,10 +2,5 @@
|
||||||
{ config, sane-lib, ... }:
|
{ config, sane-lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
sops.secrets."aerc_accounts" = {
|
sane.programs.aerc.secrets.".config/aerc/accounts.conf" = ../../../secrets/universal/aerc_accounts.conf.bin;
|
||||||
owner = config.users.users.colin.name;
|
|
||||||
sopsFile = ../../../secrets/universal/aerc_accounts.conf;
|
|
||||||
format = "binary";
|
|
||||||
};
|
|
||||||
sane.programs.aerc.fs.".config/aerc/accounts.conf" = sane-lib.fs.wantedSymlinkTo config.sops.secrets.aerc_accounts.path;
|
|
||||||
}
|
}
|
||||||
|
|
|
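Review bot: The new `sane.programs.aerc.secrets.".config/aerc/accounts.conf"` line references `../../../secrets/universal/aerc_accounts.conf.bin`, while the removed `sopsFile` pointed at `aerc_accounts.conf` without the `.bin` suffix; unless the encrypted file was renamed in this same commit (not visible here), evaluation fails on the missing path. The removed block also pinned `owner = config.users.users.colin.name`, whereas the owner is now implied by whichever users `enableFor.user` lists, which nothing in this file makes visible. A short trailing comment would make that explicit, e.g. `# decrypted under /run/secrets, owned by each user aerc is enabled for`.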
@ -2,10 +2,12 @@
|
||||||
let
|
let
|
||||||
inherit (builtins) any attrValues elem map;
|
inherit (builtins) any attrValues elem map;
|
||||||
inherit (lib)
|
inherit (lib)
|
||||||
|
concatMapAttrs
|
||||||
filterAttrs
|
filterAttrs
|
||||||
hasAttrByPath
|
hasAttrByPath
|
||||||
getAttrFromPath
|
getAttrFromPath
|
||||||
mapAttrs
|
mapAttrs
|
||||||
|
mapAttrs'
|
||||||
mapAttrsToList
|
mapAttrsToList
|
||||||
mkDefault
|
mkDefault
|
||||||
mkIf
|
mkIf
|
||||||
|
@ -94,6 +96,14 @@ let
|
||||||
default = {};
|
default = {};
|
||||||
description = "files to populate when this program is enabled";
|
description = "files to populate when this program is enabled";
|
||||||
};
|
};
|
||||||
|
secrets = mkOption {
|
||||||
|
type = types.attrsOf types.path;
|
||||||
|
default = {};
|
||||||
|
description = ''
|
||||||
|
fs paths to link to some decrypted secret.
|
||||||
|
the secret will have same owner as the user under which the program is enabled.
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
|
@ -120,8 +130,35 @@ let
|
||||||
|
|
||||||
# conditionally persist relevant user dirs and create files
|
# conditionally persist relevant user dirs and create files
|
||||||
sane.users = mapAttrs (user: en: optionalAttrs en {
|
sane.users = mapAttrs (user: en: optionalAttrs en {
|
||||||
inherit (p) fs persist;
|
inherit (p) persist;
|
||||||
|
fs = mkMerge [
|
||||||
|
p.fs
|
||||||
|
(mapAttrs
|
||||||
|
# link every secret into the fs
|
||||||
|
# TODO: user the user's *actual* home directory, don't guess.
|
||||||
|
(homePath: _src: sane-lib.fs.wantedSymlinkTo "/run/secrets/home/${user}/${homePath}")
|
||||||
|
p.secrets
|
||||||
|
)
|
||||||
|
];
|
||||||
}) p.enableFor.user;
|
}) p.enableFor.user;
|
||||||
|
|
||||||
|
# make secrets available for each user
|
||||||
|
sops.secrets = concatMapAttrs
|
||||||
|
(user: en: optionalAttrs en (
|
||||||
|
mapAttrs'
|
||||||
|
(homePath: src: {
|
||||||
|
# TODO: user the user's *actual* home directory, don't guess.
|
||||||
|
name = "/home/${user}/${homePath}";
|
||||||
|
value = {
|
||||||
|
owner = user;
|
||||||
|
sopsFile = src;
|
||||||
|
format = "binary";
|
||||||
|
};
|
||||||
|
})
|
||||||
|
p.secrets
|
||||||
|
))
|
||||||
|
p.enableFor.user;
|
||||||
|
|
||||||
}) cfg;
|
}) cfg;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -139,6 +176,7 @@ in
|
||||||
environment.systemPackages = f.environment.systemPackages;
|
environment.systemPackages = f.environment.systemPackages;
|
||||||
users.users = f.users.users;
|
users.users = f.users.users;
|
||||||
sane.users = f.sane.users;
|
sane.users = f.sane.users;
|
||||||
|
sops.secrets = f.sops.secrets;
|
||||||
};
|
};
|
||||||
in mkMerge [
|
in mkMerge [
|
||||||
(take (sane-lib.mkTypedMerge take configs))
|
(take (sane-lib.mkTypedMerge take configs))
|
||||||
|
|
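Review bot: The fs symlink target on the `(homePath: _src: sane-lib.fs.wantedSymlinkTo "/run/secrets/home/${user}/${homePath}")` line hard-codes the sops mount point and repeats the home-directory guess that the `sops.secrets` block below makes independently, so the two can drift: the secret is registered under the name `/home/${user}/${homePath}` (leading slash), the link points at `/run/secrets/home/...`, and any change to the mount point or a per-secret `path` override leaves dangling links, whereas the removed aerc line resolved `config.sops.secrets.<name>.path`. Consider deriving the target from the registered secret instead, `(homePath: _src: sane-lib.fs.wantedSymlinkTo config.sops.secrets."/home/${user}/${homePath}".path)`, assuming as the removed aerc code already did that reading `config.sops.secrets` from here does not introduce a module recursion. The `secrets` option in the earlier hunk says nothing about where the decrypted file lives or who owns it, which this hunk decides; its `description` could add: `each secret is decrypted under the sops secrets mount point and owned by the user the program is enabled for; the attribute name is the path relative to that user's home.` Both hunks sit inside the `let` binding `f`, whose start and end lie outside this section.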