_utils.setupSecrets

attrset<nixos config attr> -> { namespace<str> ? "", secrets<list<str>>, config ? freeformAttrset } -> secretHelpers

This is a higher-level wrapper around _utils.genSecrets that adds a set of helper functions for resolving secret paths, placeholders and templates. Prefer it over calling genSecrets directly: the helpers keep the namespace and the per-secret config in one place instead of repeating them at every use site.

`<ReturnValue>.generate` is not a function but a plain attrset. It is built when `setupSecrets` is called, although lazy evaluation means nothing is actually computed until something forces it. Its content is equivalent to what `genSecrets` produces, packaged as an inline module so it can be listed in an `imports` block instead of being merged into the config by hand.

NOTE: overriding `config` for a single secret path is not supported; every listed secret gets the same config. This may be implemented if demand arises.

secretHelpers is defined as follows:

secretHelpers = {
  generate    = {}; # => { sops.secrets.* = <sopsConfig>; } (inline module; put it in `imports`)
  get         = path: ""; # => runtime path of the decrypted secret, usually /run/secrets/<namespace>/<path>

  placeholder = path: ""; # => placeholder string generated by sops-nix for that secret; use it inside template content
  getTemplate = file: ""; # => runtime path of the rendered template, realised at activation time, like `get`
  mkTemplate  = file: content: {}; # => { sops.templates.* = ...; } (inline module)
  #             ^ => name of the template; can be any string, the same one later passed to getTemplate
}
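The following is an added reference implementation of the contract above, written for this page rather than taken from the project, so the actual `_utils.setupSecrets` may differ internally. Beyond what the page states it assumes that secrets are keyed `<namespace>/<path>` in `sops.secrets`, that placeholders are read from sops-nix's `config.sops.placeholder`, and that template paths come from `config.sops.templates.<name>.path`. The stub NixOS config and the placeholder token are constructed so the file can be evaluated on its own with `nix eval -f ./setup-secrets.nix check` (file name is an assumption).

```nix
# Added reference implementation of setupSecrets (not the project's own code).
# Assumptions beyond the page: secrets live under "<namespace>/<path>" in
# sops.secrets, placeholders come from sops-nix's config.sops.placeholder, and
# template paths from config.sops.templates.<name>.path.
let
  setupSecrets = nixosConfig: { namespace ? "", secrets, config ? { } }:
    let
      # "my/sizes/gock" with namespace "balls" -> "balls/my/sizes/gock";
      # an empty namespace leaves the path untouched.
      key = path: if namespace == "" then path else "${namespace}/${path}";
      keys = map key secrets;
    in {
      # Inline module: every listed secret gets the same per-secret config
      # (owner, group, mode, ...). No per-path overrides, matching the NOTE.
      generate = {
        sops.secrets = builtins.listToAttrs
          (map (k: { name = k; value = config; }) keys);
      };
      # Runtime path of the decrypted secret, resolved from the evaluated config.
      get = path: nixosConfig.sops.secrets.${key path}.path;
      # Opaque token that sops-nix swaps for the plaintext when it renders the
      # template at activation time; the plaintext never enters the Nix store.
      placeholder = path: nixosConfig.sops.placeholder.${key path};
      getTemplate = file: nixosConfig.sops.templates.${file}.path;
      mkTemplate = file: content: {
        sops.templates.${file} = { inherit content; };
      };
    };

  # Constructed stand-in for the evaluated NixOS config, so the helpers can be
  # exercised outside a real system. The token format is illustrative only.
  stubConfig = {
    sops.secrets."balls/my/definitions/gock".path = "/run/secrets/balls/my/definitions/gock";
    sops.secrets."balls/my/sizes/gock".path = "/run/secrets/balls/my/sizes/gock";
    sops.placeholder."balls/my/sizes/gock" = "<SOPS:deadbeef:PLACEHOLDER>";
    sops.templates."my-secret.env".path = "/run/secrets/rendered/my-secret.env";
  };

  secrets = setupSecrets stubConfig {
    namespace = "balls";
    config = { owner = "jane"; };
    secrets = [ "my/definitions/gock" "my/sizes/gock" ];
  };
in {
  inherit setupSecrets;
  # `nix eval -f ./setup-secrets.nix check` shows the namespaced sops.secrets
  # attrset, the resolved runtime paths and the rendered template content.
  check = {
    generated = secrets.generate.sops.secrets;
    sizePath = secrets.get "my/sizes/gock";
    templateContent = (secrets.mkTemplate "my-secret.env" ''
      MY_GOCK_SIZE=${secrets.placeholder "my/sizes/gock"}
    '').sops.templates."my-secret.env".content;
    envFile = secrets.getTemplate "my-secret.env";
  };
}
```

The important property to notice is that `generate` and `mkTemplate` only ever emit config and placeholder tokens: nothing here reads a secret at evaluation time, which is what keeps the plaintext out of the world-readable Nix store.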

Example

{ _utils, config, ... }: let
  secrets = _utils.setupSecrets config {
    namespace = "balls";  # for us, the namespace is just the top-level key in our secrets YAML file.
    config = {
      owner = "jane";
    };
    secrets = [ "my/definitions/gock" "my/sizes/gock" ];
  };
in {
  imports = [
    secrets.generate
    (secrets.mkTemplate "my-secret.env" ''
      MY_GOCK_SIZE=${secrets.placeholder "my/sizes/gock"}
    '')
  ];

  # resolves to the runtime path of balls/my/definitions/gock (e.g. /run/secrets/balls/my/definitions/gock).
  # pass the path through as-is; never builtins.readFile it, or the plaintext ends up in the Nix store.
  some.service.settings.gock.file = secrets.get "my/definitions/gock";
  some.service.settings.envFile = secrets.getTemplate "my-secret.env";
}