_utils.setupSecrets
attrset<nixos config attr> -> {namespace<str> ? "", secrets[list<str>], config ? freeformAttrset} -> secretHelpers
This is a higher-level setup that wraps around _utils.genSecrets
and provides some additional helper functions.
Using this function should read more clearly than calling genSecrets directly.
<ReturnValue>.generate
is not actually a function but an attrset. Because Nix evaluates lazily, it is only
rendered when something (normally the module system) actually reads it. Its content is
equivalent to what genSecrets returns, but it is packaged as an inline module,
so it can be listed in an `imports` block instead of being merged in as a loose attrset.
NOTE: overriding config for only one path is not supported; it may be implemented when demand arises.
secretHelpers
is defined as follows:
secretHelpers = {
  generate = {}; # => { sops.secrets.* = <sopsConfig>; } (inline module; put it in `imports`)
  get = path: ""; # => runtime path of the decrypted secret, usually /run/secrets/<namespace>/<path>.
                  #    The file only exists on the running host after activation: never builtins.readFile
                  #    it at evaluation time, or the plaintext would be copied into the world-readable Nix store.
  placeholder = path: ""; # => placeholder string generated by sops-nix for that secret path, to be used in templates.
                          #    sops-nix substitutes the real value at activation time, so the secret never enters the store.
  getTemplate = file: ""; # => runtime path of the rendered template, realized at activation time, like get.
  mkTemplate = file: content: {}; # => { sops.templates.* = ...; } (inline module)
                                  #    `file` is the filename of the template and can be any arbitrary string.
}
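Added here as an illustration and not the project's own code: a sketch of how the helpers above could be realized on top of sops-nix, to make the mapping from setupSecrets to sops-nix options concrete. The argument name `nixosConfig`, the `fullName` helper, and the assumption that namespace and secret path are joined with `/` (inferred from the example's balls/my/definitions/gock) are assumptions; the sops-nix options referenced (sops.secrets.<name>.path, sops.placeholder.<name>, sops.templates.<name>.content and .path) are real.

```nix
# Illustrative reconstruction, not the project's code. Assumed: the argument
# name `nixosConfig`, the `fullName` helper, and "/" as the namespace separator.
nixosConfig: { namespace ? "", secrets, config ? { } }:
let
  # "my/sizes/gock" -> "balls/my/sizes/gock"; an empty namespace leaves the path as-is.
  fullName = path: if namespace == "" then path else "${namespace}/${path}";
in {
  # Not a function: an attrset whose only top-level key is `sops` is itself a
  # valid NixOS module, so it can go straight into `imports`. Lazy evaluation
  # means nothing here is computed until the module system reads it.
  # The same `config` (owner, group, mode, ...) is applied to every secret,
  # which is why per-path overrides are not supported.
  generate = {
    sops.secrets = builtins.listToAttrs
      (map (p: { name = fullName p; value = config; }) secrets);
  };

  # Runtime path of the decrypted file (typically /run/secrets/<fullName>).
  # Hand this path to services; never builtins.readFile it during evaluation,
  # or the plaintext would be copied into the world-readable Nix store.
  get = path: nixosConfig.sops.secrets.${fullName path}.path;

  # sops-nix's placeholder string for the secret. It is replaced with the real
  # value when the template is rendered at activation time, so the template
  # content written at eval time never contains the secret.
  placeholder = path: nixosConfig.sops.placeholder.${fullName path};

  # Runtime path of the rendered template, analogous to `get`.
  getTemplate = file: nixosConfig.sops.templates.${file}.path;

  # Inline module declaring the template; `file` is any arbitrary filename.
  mkTemplate = file: content: {
    sops.templates.${file}.content = content;
  };
}
```

The security-relevant property this makes visible is that every value the helpers return is either a runtime path or a placeholder: nothing derived from the decrypted secret is ever a Nix string at evaluation time, so it cannot leak into the store.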
Example
{ _utils, config, ... }:
let
  secrets = _utils.setupSecrets config {
    namespace = "balls"; # for us, the namespace is just the top-level element in our secrets yaml file.
    config = {
      owner = "jane";
    };
    secrets = [ "my/definitions/gock" "my/sizes/gock" ];
  };
in {
  imports = [
    secrets.generate
    (secrets.mkTemplate "my-secret.env" ''
      MY_GOCK_SIZE=${secrets.placeholder "my/sizes/gock"}
    '')
  ];
  some.service.settings.gock.file = secrets.get "my/definitions/gock"; # resolves to the path of balls/my/definitions/gock.
  some.service.settings.envFile = secrets.getTemplate "my-secret.env";
}