2024-03-17 18:48:49 +00:00
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
lib,
|
|
|
|
|
pkgs,
|
|
|
|
|
...
|
|
|
|
|
}:
|
2023-08-28 09:09:05 +00:00
|
|
|
{
|
2023-09-06 14:08:36 +00:00
|
|
|
options.clanCore.secretStore = lib.mkOption {
|
2024-03-17 18:48:49 +00:00
|
|
|
type = lib.types.enum [
|
|
|
|
|
"sops"
|
|
|
|
|
"password-store"
|
|
|
|
|
"vm"
|
|
|
|
|
"custom"
|
|
|
|
|
];
|
2023-09-06 14:08:36 +00:00
|
|
|
default = "sops";
|
|
|
|
|
description = ''
|
|
|
|
|
method to store secrets
|
2023-09-14 12:15:51 +00:00
|
|
|
custom can be used to define a custom secret store.
|
2023-09-06 14:08:36 +00:00
|
|
|
'';
|
|
|
|
|
};
|
2023-09-26 15:31:45 +00:00
|
|
|
|
|
|
|
|
options.clanCore.secretsDirectory = lib.mkOption {
|
|
|
|
|
type = lib.types.path;
|
|
|
|
|
description = ''
|
|
|
|
|
The directory where secrets are installed to. This is backend specific.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2023-09-29 16:30:11 +00:00
|
|
|
options.clanCore.secretsUploadDirectory = lib.mkOption {
|
2023-11-10 10:42:44 +00:00
|
|
|
type = lib.types.nullOr lib.types.path;
|
|
|
|
|
default = null;
|
2023-09-29 16:30:11 +00:00
|
|
|
description = ''
|
|
|
|
|
The directory where secrets are uploaded into, This is backend specific.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2023-09-26 15:31:45 +00:00
|
|
|
options.clanCore.secretsPrefix = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
default = "";
|
|
|
|
|
description = ''
|
|
|
|
|
Prefix for secrets. This is backend specific.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2023-08-30 13:24:33 +00:00
|
|
|
options.clanCore.secrets = lib.mkOption {
|
2023-09-13 21:16:56 +00:00
|
|
|
default = { };
|
2024-03-17 18:48:49 +00:00
|
|
|
type = lib.types.attrsOf (
|
|
|
|
|
lib.types.submodule (service: {
|
2023-08-28 09:09:05 +00:00
|
|
|
options = {
|
|
|
|
|
name = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
2024-03-02 09:25:10 +00:00
|
|
|
default = service.config._module.args.name;
|
2023-08-28 09:09:05 +00:00
|
|
|
description = ''
|
2024-03-02 09:25:10 +00:00
|
|
|
Namespace of the service
|
2023-08-28 09:09:05 +00:00
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
generator = lib.mkOption {
|
2024-03-17 18:48:49 +00:00
|
|
|
type = lib.types.submodule (
|
|
|
|
|
{ config, ... }:
|
|
|
|
|
{
|
|
|
|
|
options = {
|
|
|
|
|
path = lib.mkOption {
|
|
|
|
|
type = lib.types.listOf (lib.types.either lib.types.path lib.types.package);
|
|
|
|
|
default = [ ];
|
|
|
|
|
description = ''
|
|
|
|
|
Extra paths to add to the PATH environment variable when running the generator.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
prompt = lib.mkOption {
|
|
|
|
|
type = lib.types.nullOr lib.types.str;
|
|
|
|
|
default = null;
|
|
|
|
|
description = ''
|
|
|
|
|
prompt text to ask for a value.
|
|
|
|
|
This value will be passed to the script as the environment variable $prompt_value.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
script = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
description = ''
|
|
|
|
|
Script to generate the secret.
|
|
|
|
|
The script will be called with the following variables:
|
|
|
|
|
- facts: path to a directory where facts can be stored
|
|
|
|
|
- secrets: path to a directory where secrets can be stored
|
|
|
|
|
The script is expected to generate all secrets and facts defined in the module.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
finalScript = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
readOnly = true;
|
|
|
|
|
internal = true;
|
|
|
|
|
default = ''
|
|
|
|
|
set -eu -o pipefail
|
2024-01-30 10:56:22 +00:00
|
|
|
|
2024-03-17 18:48:49 +00:00
|
|
|
export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
|
2024-01-30 10:56:22 +00:00
|
|
|
|
2024-03-17 18:48:49 +00:00
|
|
|
# prepare sandbox user
|
|
|
|
|
mkdir -p /etc
|
|
|
|
|
cp ${
|
|
|
|
|
pkgs.runCommand "fake-etc" { } ''
|
|
|
|
|
export PATH="${pkgs.coreutils}/bin"
|
|
|
|
|
mkdir -p $out
|
|
|
|
|
cp /etc/* $out/
|
|
|
|
|
''
|
|
|
|
|
}/* /etc/
|
2024-01-30 10:56:22 +00:00
|
|
|
|
2024-03-17 18:48:49 +00:00
|
|
|
${config.script}
|
|
|
|
|
'';
|
|
|
|
|
};
|
2023-11-30 12:01:38 +00:00
|
|
|
};
|
2024-03-17 18:48:49 +00:00
|
|
|
}
|
|
|
|
|
);
|
2023-08-28 09:09:05 +00:00
|
|
|
};
|
2023-09-26 15:31:45 +00:00
|
|
|
secrets =
|
|
|
|
|
let
|
|
|
|
|
config' = config;
|
|
|
|
|
in
|
|
|
|
|
lib.mkOption {
|
2024-03-13 08:18:09 +00:00
|
|
|
default = { };
|
2024-03-17 18:48:49 +00:00
|
|
|
type = lib.types.attrsOf (
|
|
|
|
|
lib.types.submodule (
|
|
|
|
|
{ config, name, ... }:
|
|
|
|
|
{
|
|
|
|
|
options =
|
|
|
|
|
{
|
|
|
|
|
name = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
description = ''
|
|
|
|
|
name of the secret
|
|
|
|
|
'';
|
|
|
|
|
default = name;
|
|
|
|
|
};
|
|
|
|
|
path = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
description = ''
|
|
|
|
|
path to a secret which is generated by the generator
|
|
|
|
|
'';
|
|
|
|
|
default = "${config'.clanCore.secretsDirectory}/${config'.clanCore.secretsPrefix}${config.name}";
|
2024-03-25 07:44:39 +00:00
|
|
|
defaultText = lib.literalExpression "\${config'.clanCore.secretsDirectory}/\${config'.clanCore.secretsPrefix}\${config.name}";
|
2024-03-17 18:48:49 +00:00
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
// lib.optionalAttrs (config'.clanCore.secretStore == "sops") {
|
|
|
|
|
groups = lib.mkOption {
|
|
|
|
|
type = lib.types.listOf lib.types.str;
|
|
|
|
|
default = config'.clanCore.sops.defaultGroups;
|
|
|
|
|
description = ''
|
|
|
|
|
Groups to decrypt the secret for. By default we always use the user's key.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
description = ''
|
|
|
|
|
path where the secret is located in the filesystem
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
facts = lib.mkOption {
|
|
|
|
|
default = { };
|
|
|
|
|
type = lib.types.attrsOf (
|
|
|
|
|
lib.types.submodule (fact: {
|
2023-09-26 15:31:45 +00:00
|
|
|
options = {
|
|
|
|
|
name = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
description = ''
|
2024-03-17 18:48:49 +00:00
|
|
|
name of the fact
|
2023-09-26 15:31:45 +00:00
|
|
|
'';
|
2024-03-17 18:48:49 +00:00
|
|
|
default = fact.config._module.args.name;
|
2023-09-26 15:31:45 +00:00
|
|
|
};
|
|
|
|
|
path = lib.mkOption {
|
2024-03-17 18:48:49 +00:00
|
|
|
type = lib.types.path;
|
2023-09-26 15:31:45 +00:00
|
|
|
description = ''
|
2024-03-17 18:48:49 +00:00
|
|
|
path to a fact which is generated by the generator
|
2023-09-26 15:31:45 +00:00
|
|
|
'';
|
2024-03-17 18:48:49 +00:00
|
|
|
default =
|
|
|
|
|
config.clanCore.clanDir
|
|
|
|
|
+ "/machines/${config.clanCore.machineName}/facts/${fact.config._module.args.name}";
|
2024-03-25 07:44:39 +00:00
|
|
|
defaultText = lib.literalExpression "\${config.clanCore.clanDir}/machines/\${config.clanCore.machineName}/facts/\${fact.config._module.args.name}";
|
2023-09-26 15:31:45 +00:00
|
|
|
};
|
2024-03-17 18:48:49 +00:00
|
|
|
value = lib.mkOption {
|
|
|
|
|
defaultText = lib.literalExpression "\${config.clanCore.clanDir}/\${fact.config.path}";
|
|
|
|
|
type = lib.types.nullOr lib.types.str;
|
|
|
|
|
default =
|
|
|
|
|
if builtins.pathExists fact.config.path then lib.strings.fileContents fact.config.path else null;
|
2024-02-16 16:03:14 +00:00
|
|
|
};
|
2023-08-28 09:09:05 +00:00
|
|
|
};
|
2024-03-17 18:48:49 +00:00
|
|
|
})
|
|
|
|
|
);
|
2023-08-28 09:09:05 +00:00
|
|
|
};
|
|
|
|
|
};
|
2024-03-17 18:48:49 +00:00
|
|
|
})
|
|
|
|
|
);
|
2023-08-28 09:09:05 +00:00
|
|
|
};
|
|
|
|
|
imports = [
|
2023-09-06 14:09:43 +00:00
|
|
|
./sops.nix
|
|
|
|
|
./password-store.nix
|
2024-02-14 06:15:59 +00:00
|
|
|
./vm.nix
|
2023-08-28 09:09:05 +00:00
|
|
|
];
|
|
|
|
|
}
|
