_utils.setupSecrets

attrset<nixos config attr> -> {namespace<str> ? "", secrets[list<str>], config ? freeformAttrset} -> secretHelpers

This is a higher-level wrapper around _utils.genSecrets that adds a few helper functions. Using this function should be preferable to calling genSecrets directly.

Note

<ReturnValue>.generate is not actually a function. It is an attrset that is "already" "rendered", though lazy evaluation means it is only resolved if something actually references it. It is essentially equivalent to the result of genSecrets, but packaged as an inline module that can be placed in an imports list instead of being a loose attrset.

NOTE: overriding config for a single secret path is not supported. This may be implemented when demand arises.

secretHelpers is defined as follows:

secretHelpers = {
  generate    = {}; # => {sops.secrets.* = <sopsConfig>} (inline module, put it in `imports`)
  get         = path: ""; # => actual path of the secret at runtime, usually /run/secrets/<namespace>/<path>

  placeholder = path: ""; # => placeholder string generated by sops-nix for that secret path, to be used in templates.
  getTemplate = file: ""; # => actual path of the rendered template, realized at activation time, similar to the get function.
  mkTemplate  = file: content: {}; # => {sops.templates.* = ...;} (inline module, put it in `imports`)
  #             ^ => filename of the template. can be any arbitrary string.
}

Example

{ _utils, config, ... }: let
  secrets = _utils.setupSecrets config {
    namespace = "balls";  # for us, the namespace is just the top level element in our secrets yaml file.
    config = {
      owner = "jane";
    };
    secrets = [ "my/definitions/gock" "my/sizes/gock" ];
  };
in {
  imports = [
    secrets.generate
    (secrets.mkTemplate "my-secret.env" ''
      MY_GOCK_SIZE=${secrets.placeholder "my/sizes/gock"}
    '')
  ];

  some.service.settings.gock.file = secrets.get "my/definitions/gock";  # resolves to the path of balls/my/definitions/gock.
  some.service.settings.envFile = secrets.getTemplate "my-secret.env";
}
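A second example, added here and not part of the original page, showing how to work around the single-path config limitation noted above: call setupSecrets once per owner so that each service only gets the secrets it needs with its own owner/mode. It assumes that importing the `generate` module of two separate calls merges cleanly as long as the secret paths do not overlap, and that the sops-nix `owner`, `group` and `mode` options are passed through `config`; the `backup` unit and the `web.env` template are made up for the illustration.

```nix
{ _utils, config, ... }: let
  # One setupSecrets call per owner: every path in a call shares the same
  # sops config, so grouping by consumer gives each secret a narrow owner/mode.
  dbSecrets = _utils.setupSecrets config {
    namespace = "balls";
    config = { owner = "postgres"; group = "postgres"; mode = "0400"; };
    secrets = [ "db/password" ];
  };
  webSecrets = _utils.setupSecrets config {
    namespace = "balls";
    config = { owner = "nginx"; mode = "0400"; };
    secrets = [ "web/tls/key" "web/session" ];
  };
in {
  imports = [
    # Both generate modules are inline modules; importing them side by side
    # yields sops.secrets entries for balls/db/password, balls/web/tls/key
    # and balls/web/session, each with its own owner and mode (assumption).
    dbSecrets.generate
    webSecrets.generate
    # sops-nix substitutes the placeholder at activation time, so the session
    # secret is rendered into /run and never ends up in the Nix store.
    (webSecrets.mkTemplate "web.env" ''
      SESSION_SECRET=${webSecrets.placeholder "web/session"}
    '')
  ];

  # nginx reads the key file directly; it is owned by nginx with mode 0400.
  services.nginx.virtualHosts."example.invalid".sslCertificateKey =
    webSecrets.get "web/tls/key";  # => /run/secrets/balls/web/tls/key

  # The rendered template is handed to the unit as an EnvironmentFile.
  systemd.services.myapp.serviceConfig.EnvironmentFile =
    webSecrets.getTemplate "web.env";

  # A unit that runs as another user can still consume the postgres-owned
  # file via LoadCredential: systemd reads it as root and exposes it under
  # $CREDENTIALS_DIRECTORY, so the file's 0400 mode can stay tight.
  systemd.services.backup.serviceConfig.LoadCredential = [
    "db-password:${dbSecrets.get "db/password"}"
  ];
}
```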