zentralwerk-network-key as flake input

2021-03-19 23:25:31 +01:00 · 2021-03-19 23:25:31 +01:00 · 67298b919e
parent d364011f62
commit 67298b919e
7 changed files with 54 additions and 36 deletions
--- a/flake.nix
+++ b/flake.nix
@ -3,11 +3,10 @@

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs";
-    zentralwerk-network-key.url = "https://gitea.c3d2.de/zentralwerk/network.git?dir=nix/key";
-    zentralwerk-network-key.flake = false;
+    zentralwerk-network-key.url = "git+https://gitea.c3d2.de/zentralwerk/network.git?dir=nix/key&ref=nix";
  };

-  outputs = { self, nixpkgs }:
+  outputs = { self, nixpkgs, zentralwerk-network-key }:
    let
      system = "x86_64-linux";
      systems = [ system ];
@ -15,7 +14,10 @@
    in
    rec {
      lib =
-        import ./nix/lib { inherit nixpkgs; };
+        import ./nix/lib {
+          inherit nixpkgs;
+          inherit (zentralwerk-network-key.lib) gpgKey;
+        };

      packages = forAllSystems (system:
        import ./nix/pkgs { inherit self nixpkgs system; }
--- a/nix/key/default.nix
+++ b/nix/key/default.nix
@ -1 +0,0 @@
-null
--- a/nix/key/flake.nix
+++ b/nix/key/flake.nix
@ -0,0 +1,7 @@
+{
+  description = "Zentralwerk network secret GPG key";
+
+  outputs = { ... }: {
+    lib.gpgKey = null;
+  };
+}
--- a/nix/lib/config/default.nix
+++ b/nix/lib/config/default.nix
@ -1,4 +1,6 @@
-{ pkgs ? import <nixpkgs> {} }:
+{ pkgs ? import <nixpkgs> {}
+, gpgKey
+}:

 let
  result = pkgs.lib.evalModules {
@ -6,6 +8,18 @@ let
    modules = [
      ./options.nix
      ./legacy.nix
+      (
+        { lib, ... }:
+        with lib;
+        {
+          options.gpgKey = mkOption {
+            type = types.path;
+          };
+          config = {
+            inherit gpgKey;
+          };
+        }
+      )
    ];
  };
 in
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
@ -1,7 +1,10 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:

 let
-  pillar = import ./salt-support/salt-pillar.nix { inherit pkgs; };
+  pillar = import ./salt-support/salt-pillar.nix {
+    inherit pkgs;
+    inherit (config) gpgKey;
+  };
 in
 {
  options.salt-pillar = lib.mkOption {};
--- a/nix/lib/config/salt-support/salt-pillar.nix
+++ b/nix/lib/config/salt-support/salt-pillar.nix
@ -1,34 +1,27 @@
-{ pkgs ? import <nixpkgs> {} }:
+{ pkgs ? import <nixpkgs> {}
+, gpgKey
+}:

 with pkgs.lib;
 let
  loadYaml = import ./load-yaml.nix { inherit pkgs; };

-  # Swap with the real one if you don't have the key:
-  decryptMessage = _: "encrypted";
-
-  _decryptMessage = x:
-    let
-      keyFile = requireFile {
-        name = "salt-gpg.asc";
-        sha256 = "";
-        message = ''
-          GPG private key not found.
-
-          If you still want to build the scripts, search "#decryptMessage" in salt-pillar.nix.
-        '';
-      };
-      cleartextFile = pkgs.runCommandLocal "decrypted-salt-value" {
-        nativeBuildInputs = [ pkgs.gpg ];
-      } ''
-        export GNUPGHOME=$(mktemp -d)
-        gpg --import ${keyFile}
-        gpg -d > $out << EOF
-        ${x}
-        EOF
-      '';
-    in
-      builtins.readFile cleartextFile;
+  decryptMessage =     builtins.trace gpgKey
+    (x:
+      if gpgKey == null
+    then "encrypted"
+    else
+      builtins.readFile (
+        pkgs.runCommandLocal "decrypted-salt-value" {
+          nativeBuildInputs = [ pkgs.gnupg ];
+        } ''
+          export GNUPGHOME=$(mktemp -d)
+          gpg --import ${gpgKey}
+          gpg -d > $out << EOF
+          ${x}
+          EOF
+        ''
+      ));

  decrypt = x:
    if builtins.isString x
--- a/nix/lib/default.nix
+++ b/nix/lib/default.nix
@ -1,10 +1,10 @@
-{ nixpkgs }:
+{ nixpkgs, gpgKey }:

 let
  pkgs = nixpkgs.legacyPackages.x86_64-linux;
 in
 {
-  config = import ./config { inherit pkgs; };
+  config = import ./config { inherit pkgs gpgKey; };

  expandSaltTemplate = import ./config/salt-support/expand-template.nix { inherit pkgs; };