_utils.setupSecrets
attrset<nixos config attr> -> {namespace<str> ? "", secrets[list<str>], config ? freeformAttrset} -> secretHelpers
This is a higher-level setup that wraps _utils.genSecrets and provides some additional helper functions.
Using this function should be clearer than calling genSecrets directly.
<ReturnValue>.generate is not a function but a plain attrset: it is "already" "rendered" at definition time and is only
actually evaluated when something forces it (lazy evaluation skips it otherwise). It is essentially equivalent to genSecrets,
but in the form of an inline module that can be placed in an imports list rather than being a loose attrset.
NOTE: overriding config for only one path is not supported; this may be implemented when demand arises.
secretHelpers is defined as follows:
secretHelpers = {
  generate = {}; # => { sops.secrets.* = <sopsConfig>; } (inline module)
  get = path: ""; # => actual path of the secret, usually /run/secrets/the/secret
  placeholder = path: ""; # => placeholder string generated by sops-nix for that secret path, to be used in templates.
  getTemplate = file: ""; # => actual path of the template, realized at activation time, similar to the get function.
  mkTemplate = file: content: {}; # => { sops.templates.* = ...; } (inline module)
  # ^ file is the filename of the template; it can be any arbitrary string.
}
Example
{ _utils, config, ... }:
let
  secrets = _utils.setupSecrets config {
    namespace = "balls"; # for us, the namespace is just the top level element in our secrets yaml file.
    config = {
      owner = "jane";
    };
    secrets = [ "my/definitions/gock" "my/sizes/gock" ];
  };
in {
  imports = [
    secrets.generate
    (secrets.mkTemplate "my-secret.env" ''
      MY_GOCK_SIZE=${secrets.placeholder "my/sizes/gock"}
    '')
  ];
  some.service.settings.gock.file = secrets.get "my/definitions/gock"; # resolves to the path of balls/my/definitions/gock.
  some.service.settings.envFile = secrets.getTemplate "my-secret.env";
}
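To make the secretHelpers contract and the example above concrete, here is an added illustrative implementation of setupSecrets written directly against sops-nix options; it is not the project's own code. It assumes the secrets yaml is keyed as <namespace>/<path> (bare <path> when the namespace is empty), that the sops file comes from sops.defaultSopsFile, and that the nixos config is passed as the first argument exactly as in the example.

```nix
# Added illustration, not the project's implementation. Assumption: yaml keys are
# "<namespace>/<path>", and sops.defaultSopsFile points at the secrets file.
nixosConfig: { namespace ? "", secrets, config ? { } }:
let
  # Secret key as sops-nix sees it; sops-nix resolves "a/b" to the nested yaml key a.b.
  qualify = path: if namespace == "" then path else "${namespace}/${path}";
in {
  # Not a function: an already-rendered inline module declaring every listed secret at once.
  # The same `config` (e.g. owner) is applied to all paths; no per-path override.
  generate = {
    sops.secrets = builtins.listToAttrs (map (path: {
      name = qualify path;
      value = config;
    }) secrets);
  };

  # Runtime path of the decrypted secret, normally /run/secrets/<qualified key>.
  get = path: nixosConfig.sops.secrets.${qualify path}.path;

  # Placeholder that sops-nix substitutes with the secret value when rendering templates.
  placeholder = path: nixosConfig.sops.placeholder.${qualify path};

  # Runtime path of a rendered template, normally /run/secrets/rendered/<file>.
  getTemplate = file: nixosConfig.sops.templates.${file}.path;

  # Inline module declaring one template; `file` is an arbitrary name used as the template key.
  mkTemplate = file: content: {
    sops.templates.${file} = { inherit content; };
  };
}
```

With this shape, `secrets.get "my/definitions/gock"` under namespace "balls" reads config.sops.secrets."balls/my/definitions/gock".path, which is why the example resolves to the path of balls/my/definitions/gock.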