commit 25f18d4ee7f20f9a4c26eaac4034e337c724e17a · soopy.moe/gensokyo

+46

docs/utils.md

···

       58
       58
        
       

     

       59
       59
        
       See https://github.com/soopyc/nix-on-koumakan/blob/b7983776143c15c91df69ef34ba4264a22047ec6/systems/koumakan/services/fedivese/akkoma.nix#L8-L34 for a more extensive example

     

       60
       60
        
       

     

       61
       61
       +
       ## `_utils.setupSecrets`

     

       62
       62
       +
       `attrset<nixos config attr> -> {namespace<str> ? "", secrets[list<str>], config ? freeformAttrset} -> secretHelpers`

     

       63
       63
       +
       This is a more convoluted setup that wraps around `_utils.genSecrets` to provide some additional helper functions.

     

       64
       64
       +
       Usage of this function should make more sense than just using `genSecrets`.

     

       65
       65
       +
       

     

       66
       66
       +
       NOTE: `<ReturnValue>.generate` is not actually a function. The attrset is "already" "rendered" should it be actually

     

       67
       67
       +
       resolved by not being ignored by lazy eval.

     

       68
       68
       +
       

     

       69
       69
       +
       NOTE: does not support overriding config for only 1 path. might implement when demand arises.

     

       70
       70
       +
       

     

       71
       71
       +
       The definition of `secretHelpers` is defined as follows:

     

       72
       72
       +
       ```nix

     

       73
       73
       +
       secretHelpers = {

     

       74
       74
       +
         generate    = {}; # => {sops.secrets.* = <sopsConfig>}

     

       75
       75
       +
         get         = path: ""; # => actual path of the secret, usually /run/secrets/the/secret

     

       76
       76
       +
       

     

       77
       77
       +
         placeholder = path: ""; # => placeholder string generated by sops-nix, for that secret path to be used in templates.

     

       78
       78
       +
         getTemplate = file: ""; # => actual path of the template, realized at activation time, similar to the get function.

     

       79
       79
       +
         mkTemplate  = file: content: {}; # => {sops.templates.* = ...;}

     

       80
       80
       +
         #             ^ => filename of the template. just an arbitrary string.

     

       81
       81
       +
       }

     

       82
       82
       +
       ```

     

       83
       83
       +
       

     

       84
       84
       +
       ### Example

     

       85
       85
       +
       ```nix

     

       86
       86
       +
       { _utils, config, ... }: let

     

       87
       87
       +
         secrets = _utils.setupSecrets config {

     

       88
       88
       +
           namespace = "balls";  # for us, the namespace is just the top level element in our secrets yaml file.

     

       89
       89
       +
           config = {

     

       90
       90
       +
             owner = "jane";

     

       91
       91
       +
           };

     

       92
       92
       +
           secrets = [ "my/definitions/gock" "my/sizes/gock" ];

     

       93
       93
       +
         };

     

       94
       94
       +
       in {

     

       95
       95
       +
         imports = [

     

       96
       96
       +
           secrets.generate

     

       97
       97
       +
           (secrets.mkTemplate "my-secret.env" ''

     

       98
       98
       +
             MY_GOCK_SIZE=${secrets.placeholder "my/sizes/gock"}

     

       99
       99
       +
           '')

     

       100
       100
       +
         ];

     

       101
       101
       +
       

     

       102
       102
       +
         some.service.settings.gock.file = secrets.get "my/definitions/gock";  # resolves to the path of balls/my/definitions/gock.

     

       103
       103
       +
         some.service.settings.envFile = secrets.getTemplate "my-secret.env";

     

       104
       104
       +
       }

     

       105
       105
       +
       ```

     

       106
       106
       +
       

     

       61
       107
        
       ## `_utils.mkNginxFile`

     

       62
       108
        
       `{filename<str> ? "index.html", content<str>, status<int> ? 200} -> {alias<str>, tryFiles<str>}`

     

       63
       109
        
       Simple helper function to generate an attrset compatible with a nginx vhost `locations` attribute that serves a single file.

+27

global/utils.nix

···

       61
       61
        
             }

     

       62
       62
        
           ]);

     

       63
       63
        
       

     

       64
       64
       +
         setupSecrets = _config: {

     

       65
       65
       +
           namespace ? (lib.warn "secret namespace left as default, which is empty. it is encouraged to set a namespace for easier secret management. to override, explicitly set this to an empty value." ""),

     

       66
       66
       +
           secrets,

     

       67
       67
       +
           config ? {},

     

       68
       68
       +
         }: let

     

       69
       69
       +
           _r_ns = namespace + lib.optionalString (lib.stringLength namespace != 0) "/";

     

       70
       70
       +
           check = path:

     

       71
       71
       +
             if lib.elem path secrets

     

       72
       72
       +
             then path

     

       73
       73
       +
             else throw "secret path `${path}` is not defined in namespace `${namespace}`. (resolved: ${_r_ns namespace}/${path})";

     

       74
       74
       +
           getRealPath = path: _r_ns + check path;

     

       75
       75
       +
         in

     

       76
       76
       +
           builtins.addErrorContext "while setting up secrets with namespace ${namespace}" {

     

       77
       77
       +
             generate = {sops.secrets = genSecrets namespace secrets config;}; # i love trolling

     

       78
       78
       +
             get = path: _config.sops.secrets.${getRealPath path}.path;

     

       79
       79
       +
       

     

       80
       80
       +
             placeholder = path: _config.sops.placeholder.${getRealPath path};

     

       81
       81
       +
             getTemplate = file: _config.sops.templates.${file}.path;

     

       82
       82
       +
             mkTemplate = file: content:

     

       83
       83
       +
               builtins.addErrorContext "while generating sops template ${file}" {

     

       84
       84
       +
                 sops.templates.${file} =

     

       85
       85
       +
                   {inherit content;}

     

       86
       86
       +
                   // (lib.optionalAttrs (builtins.hasAttr "owner" config) {inherit (config) owner;})

     

       87
       87
       +
                   // (lib.optionalAttrs (builtins.hasAttr "group" config) {inherit (config) group;});

     

       88
       88
       +
               };

     

       89
       89
       +
           };

     

       90
       90
       +
       

     

       64
       91
        
         genSecrets = namespace: files: value:

     

       65
       92
        
           lib.genAttrs (

     

       66
       93
        
             map (x: namespace + lib.optionalString (lib.stringLength namespace != 0) "/" + x) files