# `_utils.setupSecrets`
`attrset<nixos config attr> -> {namespace<str> ? "", secrets[list<str>], config ? freeformAttrset} -> secretHelpers`

This is a higher-level setup function that wraps `_utils.genSecrets` and provides some additional helper functions.
Using this function should make more sense than using `genSecrets` directly.

```admonish note
`<ReturnValue>.generate` is not actually a function. It is an attrset that is already "rendered" by the time it is
resolved, that is, whenever lazy evaluation does not skip it. It is essentially equivalent to `genSecrets`, but it is an
inline module that can be put inside an `imports` block instead of being a loose attrset.
```

NOTE: overriding `config` for only one path is not supported. This might be implemented when demand arises.

`secretHelpers` is defined as follows:
```nix
secretHelpers = {
  generate = {}; # => {sops.secrets.* = <sopsConfig>} (inline module)
  get = path: ""; # => actual path of the secret, usually /run/secrets/the/secret

  placeholder = path: ""; # => placeholder string generated by sops-nix for that secret path, to be used in templates.
  getTemplate = file: ""; # => actual path of the template, realized at activation time, similar to the get function.
  mkTemplate = file: content: {}; # => {sops.templates.* = ...;}
  #            ^ => filename of the template. Can be any arbitrary string.
};
```

## Example
```nix
{ _utils, config, ... }: let
  secrets = _utils.setupSecrets config {
    namespace = "balls"; # for us, the namespace is just the top-level element in our secrets YAML file.
    config = {
      owner = "jane";
    };
    secrets = [ "my/definitions/gock" "my/sizes/gock" ];
  };
in {
  imports = [
    secrets.generate
    (secrets.mkTemplate "my-secret.env" ''
      MY_GOCK_SIZE=${secrets.placeholder "my/sizes/gock"}
    '')
  ];

  some.service.settings.gock.file = secrets.get "my/definitions/gock"; # resolves to the path of balls/my/definitions/gock.
  some.service.settings.envFile = secrets.getTemplate "my-secret.env";
}
```
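
For comparison, here is the Example module written by hand against plain sops-nix options, as an added illustration that is not the project's own code. It assumes each secret is named `<namespace>/<path>` (as the `balls/my/definitions/gock` comment suggests) and that `get`, `placeholder` and `getTemplate` map to sops-nix's `.path` and `placeholder` attributes.

```nix
# Added illustration, not the project's code: the Example module written
# directly against sops-nix options.
# Assumption: each secret is named "<namespace>/<path>".
{ config, ... }: let
  # Same per-secret settings the Example passes as `config`.
  common = { owner = "jane"; };
in {
  # What `secrets.generate` is described as producing: sops.secrets.* entries.
  sops.secrets = {
    "balls/my/definitions/gock" = common;
    "balls/my/sizes/gock" = common;
  };

  # What `secrets.mkTemplate "my-secret.env" ...` is described as producing.
  # sops.templates.<name> has its own `owner` option; the page does not say
  # whether `config` is carried over to templates, so none is set here.
  sops.templates."my-secret.env".content = ''
    MY_GOCK_SIZE=${config.sops.placeholder."balls/my/sizes/gock"}
  '';

  # `secrets.get` and `secrets.getTemplate` correspond to the `.path` attributes.
  some.service.settings.gock.file = config.sops.secrets."balls/my/definitions/gock".path;
  some.service.settings.envFile = config.sops.templates."my-secret.env".path;
}
```

When auditing who can read the rendered `my-secret.env`, check the template's owner and mode separately from the secrets' `owner`.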