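{ config, lib, ... }:
{
  # Compatibility shims: options that were removed or moved under
  # `clanCore.facts`. Old configurations keep evaluating (with a warning)
  # instead of failing on an unknown option.
  imports = [
    (lib.mkRemovedOptionModule [ "clanCore" "secretsPrefix" ]
      "secretsPrefix was only used by the sops module and the code is now integrated in there")
    (lib.mkRenamedOptionModule [ "clanCore" "secretStore" ] [ "clanCore" "facts" "secretStore" ])
    (lib.mkRenamedOptionModule [ "clanCore" "secretsDirectory" ] [ "clanCore" "facts" "secretDirectory" ])
    (lib.mkRenamedOptionModule [ "clanCore" "secretsUploadDirectory" ] [ "clanCore" "facts" "secretUploadDirectory" ])
  ];

  # Deprecated interface. Everything declared here is forwarded to
  # `clanCore.facts.services` by the `config` block at the bottom of this
  # module; it is hidden from generated documentation (`visible = false`)
  # so that new configurations do not pick it up.
  options.clanCore.secrets = lib.mkOption {
    visible = false;
    default = { };
    type = lib.types.attrsOf (
      lib.types.submodule (service: {
        options = {
          name = lib.mkOption {
            type = lib.types.str;
            # Falls back to the attribute name the service was declared under.
            default = service.config._module.args.name;
            description = ''
              Namespace of the service
            '';
          };

          # How the service's secrets and facts are produced.
          generator = lib.mkOption {
            type = lib.types.submodule (
              { ... }:
              {
                options = {
                  path = lib.mkOption {
                    type = lib.types.listOf (lib.types.either lib.types.path lib.types.package);
                    default = [ ];
                    description = ''
                      Extra paths to add to the PATH environment variable when running the generator.
                    '';
                  };
                  prompt = lib.mkOption {
                    type = lib.types.nullOr lib.types.str;
                    default = null;
                    description = ''
                      prompt text to ask for a value.
                      This value will be passed to the script as the environment variable $prompt_value.
                    '';
                  };
                  script = lib.mkOption {
                    type = lib.types.str;
                    description = ''
                      Script to generate the secret.
                      The script will be called with the following variables:
                      - facts: path to a directory where facts can be stored
                      - secrets: path to a directory where secrets can be stored
                      The script is expected to generate all secrets and facts defined in the module.
                    '';
                  };
                };
              }
            );
          };

          # The secret submodule below takes its own `config` argument, which
          # shadows the module-level `config`; `config'` keeps a handle on the
          # outer one so the defaults can read `clanCore.facts.*`.
          secrets =
            let
              config' = config;
            in
            lib.mkOption {
              default = { };
              type = lib.types.attrsOf (
                lib.types.submodule (
                  { config, name, ... }:
                  {
                    options = {
                      name = lib.mkOption {
                        type = lib.types.str;
                        description = ''
                          name of the secret
                        '';
                        default = name;
                      };
                      path = lib.mkOption {
                        type = lib.types.str;
                        description = ''
                          path to a secret which is generated by the generator
                        '';
                        # NOTE(review): `config.name` is interpolated into the
                        # path as-is; a name containing `/` or `..` changes
                        # where the secret is expected to live. Confirm that
                        # names are validated upstream.
                        default = "${config'.clanCore.facts.secretDirectory}/${config.name}";
                        defaultText = lib.literalExpression "\${config'.clanCore.facts.secretDirectory}/\${config.name}";
                      };
                    }
                    # Only the sops backend understands decryption groups.
                    // lib.optionalAttrs (config'.clanCore.facts.secretStore == "sops") {
                      groups = lib.mkOption {
                        type = lib.types.listOf lib.types.str;
                        default = config'.clanCore.sops.defaultGroups;
                        description = ''
                          Groups to decrypt the secret for. By default we always use the user's key.
                        '';
                      };
                    };
                  }
                )
              );
              # Fixed: this option is the set of secrets, not a single path
              # (the old text duplicated the `path` description).
              description = ''
                Secrets produced by this service's generator, keyed by secret name.
              '';
            };

          # Facts are the public counterpart of secrets: they live inside the
          # clan directory and are read at evaluation time.
          facts = lib.mkOption {
            default = { };
            type = lib.types.attrsOf (
              lib.types.submodule (fact: {
                options = {
                  name = lib.mkOption {
                    type = lib.types.str;
                    description = ''
                      name of the fact
                    '';
                    default = fact.config._module.args.name;
                  };
                  path = lib.mkOption {
                    type = lib.types.path;
                    description = ''
                      path to a fact which is generated by the generator
                    '';
                    # `config` here is the module-level one (the submodule
                    # argument is named `fact`, so nothing shadows it).
                    default = config.clanCore.clanDir + "/machines/${config.clanCore.machineName}/facts/${fact.config._module.args.name}";
                    defaultText = lib.literalExpression "\${config.clanCore.clanDir}/machines/\${config.clanCore.machineName}/facts/\${fact.config._module.args.name}";
                  };
                  value = lib.mkOption {
                    # Fixed: defaultText now matches the actual default below
                    # (it previously claimed a path concatenation).
                    defaultText = lib.literalExpression "if builtins.pathExists fact.config.path then lib.strings.fileContents fact.config.path else null";
                    type = lib.types.nullOr lib.types.str;
                    # Read from the clan directory at evaluation time; a fact
                    # that has not been generated (or committed) yet is null.
                    default =
                      if builtins.pathExists fact.config.path then
                        lib.strings.fileContents fact.config.path
                      else
                        null;
                  };
                };
              })
            );
          };
        };
      })
    );
  };

  # Forward every deprecated service definition to the new option tree,
  # warning once per service during evaluation.
  config = lib.mkIf (config.clanCore.secrets != { }) {
    clanCore.facts.services = lib.mapAttrs' (
      name: service:
      lib.warn "clanCore.secrets.${name} is deprecated, use clanCore.facts.services.${name} instead" (
        lib.nameValuePair name {
          secret = service.secrets;
          public = service.facts;
          generator = service.generator;
        }
      )
    ) config.clanCore.secrets;
  };
}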