selfhostblocks/modules/contracts/secret.nix
# Secret contract shared by requester and provider modules.
# A requester declares the properties the secret file must have (mode, owner,
# group, systemd units to restart when it changes); a provider fills in
# `result.path`, the location of the secret file on the deployed host.
{ lib, ... }:
let
  # Plain string option with a caller-supplied default; used for the
  # mode/owner/group requests, which are all declared the same way.
  strOption = dflt: desc: lib.mkOption {
    type = lib.types.str;
    default = dflt;
    description = desc;
  };
in
{
  mkOption =
    { description,
      mode ? "0400",
      owner ? "root",
      group ? "root",
      restartUnits ? [],
    }:
    let
      # Requester side. `freeformType` admits provider-specific keys
      # (e.g. the sops key named in the `request` description); those extra
      # keys receive no validation here. `mode` is a free-form string: an
      # octal value such as the "0400" default is expected but not checked
      # by this contract, so a malformed mode only surfaces at the provider.
      requestType = lib.types.submodule {
        freeformType = lib.types.anything;
        options = {
          mode = strOption mode ''
            Mode of the secret file.
          '';
          owner = strOption owner ''
            Linux user owning the secret file.
          '';
          group = strOption group ''
            Linux group owning the secret file.
          '';
          restartUnits = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            default = restartUnits;
            description = ''
              Systemd units to restart after the secret is updated.
            '';
          };
        };
      };

      # Provider side: only the on-host path of the secret file. The path is
      # typed as `path` but, per its description, is not a store path.
      resultType = lib.types.submodule {
        options.path = lib.mkOption {
          type = lib.types.path;
          description = ''
            Path to the file containing the secret generated out of band.
            This path will exist after deploying to a target host,
            it is not available through the nix store.
          '';
        };
      };
    in
    lib.mkOption {
      inherit description;
      type = lib.types.submodule {
        options = {
          request = lib.mkOption {
            type = requestType;
            # Read-only: the requester's values arrive through `default`, so
            # a `config`-side assignment is rejected instead of recursing
            # (see the description below).
            readOnly = true;
            default = { inherit mode owner group restartUnits; };
            description = ''
              Options set by the requester module
              enforcing some properties the secret should have.
              Use the `contracts.secret.mkOption` function to
              create a secret option for a requester module.
              See the [requester usage section](contracts-secret.html#secret-contract-usage-requester) for an example.
              Some providers will need more options to be defined and this is allowed.
              These extra options will be set by the user.
              For example, the `sops` implementation requires to be given
              the sops key in which the secret is encrypted.
              `request` options are set read-only
              because they must be set through option defaults,
              they shouldn't be changed in the `config` section.
              This would otherwise lead to infinite recursion
              during evaluation.
              This is handled automatically when using the `contracts.secret.mkOption` function.
            '';
          };
          result = lib.mkOption {
            type = resultType;
            description = ''
              Options set by the provider module that indicates where the secret can be found.
            '';
          };
        };
      };
    };
}