chore: Run nix fmt
@@ -24,11 +24,7 @@ let
|
|||||||
hostname = config.networking.hostName;
|
hostname = config.networking.hostName;
|
||||||
|
|
||||||
# Read all directories in ./secrets
|
# Read all directories in ./secrets
|
||||||
secretDirs =
|
secretDirs = if builtins.pathExists secretsPath then builtins.readDir secretsPath else { };
|
||||||
if builtins.pathExists secretsPath then
|
|
||||||
builtins.readDir secretsPath
|
|
||||||
else
|
|
||||||
{ };
|
|
||||||
|
|
||||||
# Filter to only directories (excludes files)
|
# Filter to only directories (excludes files)
|
||||||
isDirectory = name: type: type == "directory";
|
isDirectory = name: type: type == "directory";
|
||||||
@@ -46,9 +42,7 @@ let
|
|||||||
customConfigs = if hasDefaultNix then import (dirPath + "/default.nix") else { };
|
customConfigs = if hasDefaultNix then import (dirPath + "/default.nix") else { };
|
||||||
|
|
||||||
# Only include .age files (exclude .pub public keys and other files)
|
# Only include .age files (exclude .pub public keys and other files)
|
||||||
secretFiles = lib.filterAttrs (
|
secretFiles = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".age" name) files;
|
||||||
name: type: type == "regular" && lib.hasSuffix ".age" name
|
|
||||||
) files;
|
|
||||||
in
|
in
|
||||||
lib.mapAttrs' (
|
lib.mapAttrs' (
|
||||||
name: _:
|
name: _:
|
||||||
@@ -74,9 +68,7 @@ let
|
|||||||
dirPath = secretsPath + "/${dirName}";
|
dirPath = secretsPath + "/${dirName}";
|
||||||
files = if builtins.pathExists dirPath then builtins.readDir dirPath else { };
|
files = if builtins.pathExists dirPath then builtins.readDir dirPath else { };
|
||||||
# Only include .pub public key files
|
# Only include .pub public key files
|
||||||
pubKeyFiles = lib.filterAttrs (
|
pubKeyFiles = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".pub" name) files;
|
||||||
name: type: type == "regular" && lib.hasSuffix ".pub" name
|
|
||||||
) files;
|
|
||||||
in
|
in
|
||||||
lib.mapAttrsToList (
|
lib.mapAttrsToList (
|
||||||
name: _:
|
name: _:
|
||||||
@@ -151,29 +143,31 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
extraSecrets = mkOption {
|
extraSecrets = mkOption {
|
||||||
type = types.attrsOf (types.submodule {
|
type = types.attrsOf (
|
||||||
options = {
|
types.submodule {
|
||||||
file = mkOption {
|
options = {
|
||||||
type = types.path;
|
file = mkOption {
|
||||||
description = "Path to the encrypted secret file";
|
type = types.path;
|
||||||
|
description = "Path to the encrypted secret file";
|
||||||
|
};
|
||||||
|
mode = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "0400";
|
||||||
|
description = "Permissions mode for the decrypted secret";
|
||||||
|
};
|
||||||
|
owner = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "root";
|
||||||
|
description = "Owner of the decrypted secret file";
|
||||||
|
};
|
||||||
|
group = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "root";
|
||||||
|
description = "Group of the decrypted secret file";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
mode = mkOption {
|
}
|
||||||
type = types.str;
|
);
|
||||||
default = "0400";
|
|
||||||
description = "Permissions mode for the decrypted secret";
|
|
||||||
};
|
|
||||||
owner = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "root";
|
|
||||||
description = "Owner of the decrypted secret file";
|
|
||||||
};
|
|
||||||
group = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "root";
|
|
||||||
description = "Group of the decrypted secret file";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
default = { };
|
default = { };
|
||||||
description = ''
|
description = ''
|
||||||
Additional secrets to define manually, beyond the auto-discovered ones.
|
Additional secrets to define manually, beyond the auto-discovered ones.
|
||||||
@@ -205,6 +199,8 @@ in
|
|||||||
let
|
let
|
||||||
hasSecrets = (builtins.length (builtins.attrNames applicableSecrets)) > 0;
|
hasSecrets = (builtins.length (builtins.attrNames applicableSecrets)) > 0;
|
||||||
in
|
in
|
||||||
lib.optional (!hasSecrets) "No age-encrypted secrets found in ./secrets/global/ or ./secrets/${hostname}/";
|
lib.optional (
|
||||||
|
!hasSecrets
|
||||||
|
) "No age-encrypted secrets found in ./secrets/global/ or ./secrets/${hostname}/";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||