5a0ae36c85
This makes the secret contract better (IMNSHO): - Improves documentation, explains better the reasoning behind the contract. - Makes it easier to create an option implementing the secret contract.
{ lib, ... }:

{
  # Builds the option a requester module exposes to ask for a secret.
  #
  # The option value is a submodule with two halves:
  #   - `request`: filled in by the requester (through option defaults) and
  #     possibly extended with provider-specific attributes;
  #   - `result`: filled in by whichever provider module satisfies the request,
  #     telling the requester where the secret file lives on the target host.
  #
  # Parameters (all but `description` have defaults):
  #   description  - documentation text for the generated option.
  #   mode         - file mode the requester wants for the secret (default "0400").
  #   owner        - Linux user that should own the secret file (default "root").
  #   group        - Linux group that should own the secret file (default "root").
  #   restartUnits - systemd units to restart once the secret changes (default []).
  mkOption =
    { description,
      mode ? "0400",
      owner ? "root",
      group ? "root",
      restartUnits ? [],
    }:
    let
      # Values pinned by the requester. They serve both as the default of the
      # whole `request` attribute set and as the default of each typed
      # sub-option, so the two views of the request never disagree.
      requested = { inherit mode owner group restartUnits; };

      # One typed sub-option per property the requester can demand.
      # NOTE(review): `mode` is a free-form string, so nothing at this layer
      # rejects a world-readable value such as "0644"; the provider applies
      # whatever it is handed. Confirm whether a stricter check belongs here.
      requestOptions = {
        mode = lib.mkOption {
          description = ''
            Mode of the secret file.
          '';
          type = lib.types.str;
          default = requested.mode;
        };

        owner = lib.mkOption {
          description = ''
            Linux user owning the secret file.
          '';
          type = lib.types.str;
          default = requested.owner;
        };

        group = lib.mkOption {
          description = ''
            Linux group owning the secret file.
          '';
          type = lib.types.str;
          default = requested.group;
        };

        restartUnits = lib.mkOption {
          description = ''
            Systemd units to restart after the secret is updated.
          '';
          type = lib.types.listOf lib.types.str;
          default = requested.restartUnits;
        };
      };

      # The freeform type lets a provider ask for extra attributes (for example
      # where the encrypted material is stored) without this module knowing
      # about them. The flip side is that a misspelled attribute name is not
      # caught here; it is simply passed through.
      requestType = lib.types.submodule {
        freeformType = lib.types.anything;
        options = requestOptions;
      };

      # What the provider hands back: only the on-host location of the secret.
      # NOTE(review): `lib.types.path` also accepts a Nix path literal, which
      # would be copied into the world-readable nix store at evaluation time;
      # providers should only ever return a runtime path string. Confirm that
      # no implementation passes a literal here.
      resultType = lib.types.submodule {
        options.path = lib.mkOption {
          type = lib.types.path;
          description = ''
            Path to the file containing the secret generated out of band.

            This path will exist after deploying to a target host,
            it is not available through the nix store.
          '';
        };
      };
    in
    lib.mkOption {
      inherit description;

      type = lib.types.submodule {
        options = {
          # NOTE(review): `readOnly = true` is meant to force `request` to be
          # fixed through option defaults only. Confirm that the
          # provider-specific extra attributes the description mentions can
          # still be supplied by the user under this setting.
          request = lib.mkOption {
            default = requested;

            readOnly = true;

            description = ''
              Options set by the requester module
              enforcing some properties the secret should have.

              Use the `contracts.secret.mkOption` function to
              create a secret option for a requester module.
              See the [requester usage section](contracts-secret.html#secret-contract-usage-requester) for an example.

              Some providers will need more options to be defined and this is allowed.
              These extra options will be set by the user.
              For example, the `sops` implementation requires to be given
              the sops key in which the secret is encrypted.

              `request` options are set read-only
              because they must be set through option defaults,
              they shouldn't be changed in the `config` section.
              This would otherwise lead to infinite recursion
              during evaluation.
              This is handled automatically when using the `contracts.secret.mkOption` function.
            '';
            type = requestType;
          };

          result = lib.mkOption {
            description = ''
              Options set by the provider module that indicates where the secret can be found.
            '';
            type = resultType;
          };
        };
      };
    };
}