zentralwerk-network-key as flake input
parent
d364011f62
commit
67298b919e
10
flake.nix
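--- a/flake.nix
+++ b/flake.nix
@@ -3,11 +3,10 @@
 
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs";
-zentralwerk-network-key.url = "https://gitea.c3d2.de/zentralwerk/network.git?dir=nix/key";
-zentralwerk-network-key.flake = false;
+zentralwerk-network-key.url = "git+https://gitea.c3d2.de/zentralwerk/network.git?dir=nix/key&ref=nix";
 };
 
-outputs = { self, nixpkgs }:
+outputs = { self, nixpkgs, zentralwerk-network-key }:
 let
 system = "x86_64-linux";
 systems = [ system ];
@@ -15,7 +14,10 @@
 in
 rec {
 lib =
-import ./nix/lib { inherit nixpkgs; };
+import ./nix/lib {
+inherit nixpkgs;
+inherit (zentralwerk-network-key.lib) gpgKey;
+};
 
 packages = forAllSystems (system:
 import ./nix/pkgs { inherit self nixpkgs system; }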
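--- a/[path not shown on page #2]
+++ /dev/null
@@ -1 +0,0 @@
-null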
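--- /dev/null
+++ b/[path not shown on page #3]
@@ -0,0 +1,7 @@
+{
+description = "Zentralwerk network secret GPG key";
+
+outputs = { ... }: {
+lib.gpgKey = null;
+};
+}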
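--- a/[path not shown on page #4]
+++ b/[path not shown on page #4]
@@ -1,4 +1,6 @@
-{ pkgs ? import <nixpkgs> {} }:
+{ pkgs ? import <nixpkgs> {}
+, gpgKey
+}:
 
 let
 result = pkgs.lib.evalModules {
@@ -6,6 +8,18 @@ let
 modules = [
 ./options.nix
 ./legacy.nix
+(
+{ lib, ... }:
+with lib;
+{
+options.gpgKey = mkOption {
+type = types.path;
+};
+config = {
+inherit gpgKey;
+};
+}
+)
 ];
 };
 in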
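Review bot: `type = types.path;` in the new inline module rejects the `null` that the stub flake in this commit publishes as `lib.gpgKey`, so as far as I can tell the `if gpgKey == null then "encrypted"` fallback in salt-pillar.nix is never reached: as soon as legacy.nix reads `config.gpgKey`, the module system's type check raises a type error instead of yielding null. Declaring the option as `type = types.nullOr types.path;` keeps the no-key fallback working. A `description` on the option would also help, since this is the only place the key's contract is declared. The `result = pkgs.lib.evalModules { … }` expression and the `let` body continue outside the hunk.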
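--- a/[path not shown on page #5]
+++ b/[path not shown on page #5]
@@ -1,7 +1,10 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 
 let
-pillar = import ./salt-support/salt-pillar.nix { inherit pkgs; };
+pillar = import ./salt-support/salt-pillar.nix {
+inherit pkgs;
+inherit (config) gpgKey;
+};
 in
 {
 options.salt-pillar = lib.mkOption {};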
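--- a/[path not shown on page #6]
+++ b/[path not shown on page #6]
@@ -1,34 +1,27 @@
-{ pkgs ? import <nixpkgs> {} }:
+{ pkgs ? import <nixpkgs> {}
+, gpgKey
+}:
 
 with pkgs.lib;
 let
 loadYaml = import ./load-yaml.nix { inherit pkgs; };
 
-# Swap with the real one if you don't have the key:
-decryptMessage = _: "encrypted";
-_decryptMessage = x:
-let
-keyFile = requireFile {
-name = "salt-gpg.asc";
-sha256 = "";
-message = ''
-GPG private key not found.
-
-If you still want to build the scripts, search "#decryptMessage" in salt-pillar.nix.
-'';
-};
-cleartextFile = pkgs.runCommandLocal "decrypted-salt-value" {
-nativeBuildInputs = [ pkgs.gpg ];
-} ''
-export GNUPGHOME=$(mktemp -d)
-gpg --import ${keyFile}
-gpg -d > $out << EOF
-${x}
-EOF
-'';
-in
-builtins.readFile cleartextFile;
+decryptMessage = builtins.trace gpgKey
+(x:
+if gpgKey == null
+then "encrypted"
+else
+builtins.readFile (
+pkgs.runCommandLocal "decrypted-salt-value" {
+nativeBuildInputs = [ pkgs.gnupg ];
+} ''
+export GNUPGHOME=$(mktemp -d)
+gpg --import ${gpgKey}
+gpg -d > $out << EOF
+${x}
+EOF
+''
+));
 
 decrypt = x:
 if builtins.isString x
-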
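Review bot: `decryptMessage = builtins.trace gpgKey` prints the key path to stderr on every evaluation and reads like leftover debugging; `decryptMessage = (x:` is all that is needed. Separately, interpolating `${gpgKey}` into the `runCommandLocal` builder copies the private key file into the Nix store, which is readable by every local user on a multi-user installation, and both the decrypted `$out` and the value pulled in by `builtins.readFile` end up there too; the removed `requireFile` variant had the same store-copy property, so this is not new, but it deserves a comment at the definition such as `# NOTE: the key file referenced by gpgKey is copied into the world-readable /nix/store by this interpolation` so the input is only ever pointed at a key intended for that exposure. The enclosing `let` continues past the end of the hunk.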
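--- a/[path not shown on page #7]
+++ b/[path not shown on page #7]
@@ -1,10 +1,10 @@
-{ nixpkgs }:
+{ nixpkgs, gpgKey }:
 
 let
 pkgs = nixpkgs.legacyPackages.x86_64-linux;
 in
 {
-config = import ./config { inherit pkgs; };
+config = import ./config { inherit pkgs gpgKey; };
 
 expandSaltTemplate = import ./config/salt-support/expand-template.nix { inherit pkgs; };
 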