zentralwerk-network-key as flake input
This commit is contained in:
parent
d364011f62
commit
67298b919e
10
flake.nix
10
flake.nix
|
@ -3,11 +3,10 @@
|
|||
|
||||
inputs = {
|
||||
nixpkgs.url = "github:nixos/nixpkgs";
|
||||
zentralwerk-network-key.url = "https://gitea.c3d2.de/zentralwerk/network.git?dir=nix/key";
|
||||
zentralwerk-network-key.flake = false;
|
||||
zentralwerk-network-key.url = "git+https://gitea.c3d2.de/zentralwerk/network.git?dir=nix/key&ref=nix";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs }:
|
||||
outputs = { self, nixpkgs, zentralwerk-network-key }:
|
||||
let
|
||||
system = "x86_64-linux";
|
||||
systems = [ system ];
|
||||
|
@ -15,7 +14,10 @@
|
|||
in
|
||||
rec {
|
||||
lib =
|
||||
import ./nix/lib { inherit nixpkgs; };
|
||||
import ./nix/lib {
|
||||
inherit nixpkgs;
|
||||
inherit (zentralwerk-network-key.lib) gpgKey;
|
||||
};
|
||||
|
||||
packages = forAllSystems (system:
|
||||
import ./nix/pkgs { inherit self nixpkgs system; }
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
null
|
|
@ -0,0 +1,7 @@
|
|||
{
|
||||
description = "Zentralwerk network secret GPG key";
|
||||
|
||||
outputs = { ... }: {
|
||||
lib.gpgKey = null;
|
||||
};
|
||||
}
|
|
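Review bot: `lib.gpgKey = null;` carries no comment saying what a consumer should read into it; from the other hunks in this commit it looks like the public placeholder that a real key deployment replaces, with null meaning "leave pillar values encrypted" — inferred, since the file header of this section is not shown. A one-line comment above it such as `# null = no key available; salt-pillar.nix then leaves values as "encrypted"` would save the next reader a trip through the consumers. The `description` string says "secret GPG key", which reads as if the key were in this file; stating the placeholder role there too would avoid that impression.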
@ -1,4 +1,6 @@
|
|||
{ pkgs ? import <nixpkgs> {} }:
|
||||
{ pkgs ? import <nixpkgs> {}
|
||||
, gpgKey
|
||||
}:
|
||||
|
||||
let
|
||||
result = pkgs.lib.evalModules {
|
||||
|
@ -6,6 +8,18 @@ let
|
|||
modules = [
|
||||
./options.nix
|
||||
./legacy.nix
|
||||
(
|
||||
{ lib, ... }:
|
||||
with lib;
|
||||
{
|
||||
options.gpgKey = mkOption {
|
||||
type = types.path;
|
||||
};
|
||||
config = {
|
||||
inherit gpgKey;
|
||||
};
|
||||
}
|
||||
)
|
||||
];
|
||||
};
|
||||
in
|
||||
|
|
|
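Review bot: `type = types.path;` on the new `options.gpgKey` rejects `null`, yet the consumer in salt-pillar.nix branches on `gpgKey == null` and the new key flake exports `lib.gpgKey = null`, so evaluating `config.gpgKey` without a real key would presumably fail the option type check instead of taking the "encrypted" fallback (inferred from the other hunks of this commit — confirm against the module system's `types.path` check). Use `type = types.nullOr types.path;` and give the option a `description`, e.g. `description = "Path to the GPG private key used to decrypt salt pillar values; null leaves them encrypted";`, so the null case is documented where it is declared. The enclosing `let` of evalModules starts before this hunk and continues past it.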
@ -1,7 +1,10 @@
|
|||
{ pkgs, lib, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
pillar = import ./salt-support/salt-pillar.nix { inherit pkgs; };
|
||||
pillar = import ./salt-support/salt-pillar.nix {
|
||||
inherit pkgs;
|
||||
inherit (config) gpgKey;
|
||||
};
|
||||
in
|
||||
{
|
||||
options.salt-pillar = lib.mkOption {};
|
||||
|
|
|
@ -1,34 +1,27 @@
|
|||
{ pkgs ? import <nixpkgs> {} }:
|
||||
{ pkgs ? import <nixpkgs> {}
|
||||
, gpgKey
|
||||
}:
|
||||
|
||||
with pkgs.lib;
|
||||
let
|
||||
loadYaml = import ./load-yaml.nix { inherit pkgs; };
|
||||
|
||||
# Swap with the real one if you don't have the key:
|
||||
decryptMessage = _: "encrypted";
|
||||
|
||||
_decryptMessage = x:
|
||||
let
|
||||
keyFile = requireFile {
|
||||
name = "salt-gpg.asc";
|
||||
sha256 = "";
|
||||
message = ''
|
||||
GPG private key not found.
|
||||
|
||||
If you still want to build the scripts, search "#decryptMessage" in salt-pillar.nix.
|
||||
'';
|
||||
};
|
||||
cleartextFile = pkgs.runCommandLocal "decrypted-salt-value" {
|
||||
nativeBuildInputs = [ pkgs.gpg ];
|
||||
} ''
|
||||
export GNUPGHOME=$(mktemp -d)
|
||||
gpg --import ${keyFile}
|
||||
gpg -d > $out << EOF
|
||||
${x}
|
||||
EOF
|
||||
'';
|
||||
in
|
||||
builtins.readFile cleartextFile;
|
||||
decryptMessage = builtins.trace gpgKey
|
||||
(x:
|
||||
if gpgKey == null
|
||||
then "encrypted"
|
||||
else
|
||||
builtins.readFile (
|
||||
pkgs.runCommandLocal "decrypted-salt-value" {
|
||||
nativeBuildInputs = [ pkgs.gnupg ];
|
||||
} ''
|
||||
export GNUPGHOME=$(mktemp -d)
|
||||
gpg --import ${gpgKey}
|
||||
gpg -d > $out << EOF
|
||||
${x}
|
||||
EOF
|
||||
''
|
||||
));
|
||||
|
||||
decrypt = x:
|
||||
if builtins.isString x
|
||||
|
|
|
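Review bot: `decryptMessage = builtins.trace gpgKey (x: ...)` leaves a debug trace in place, so the key value (a store path, presumably) is printed to stderr on every evaluation of the pillar whether or not anything is decrypted; drop the wrapper and write `decryptMessage = x:` directly over the existing `if gpgKey == null` body. The heredoc `gpg -d > $out << EOF` is unquoted, so any `$` or backtick inside the ciphertext `${x}` is expanded by the shell before gpg sees it; `gpg -d ${pkgs.writeText "salt-value" x} > $out` avoids the heredoc altogether. Both `${gpgKey}` and the output of `runCommandLocal "decrypted-salt-value"` are copied into the Nix store, which is world-readable on a multi-user host — this was already true of the removed `requireFile` version, but a comment on the `else` branch stating that a non-null key is only expected on a trusted single-user evaluator would make the assumption explicit. The `let` block containing `decryptMessage` continues outside the hunk.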
@ -1,10 +1,10 @@
|
|||
{ nixpkgs }:
|
||||
{ nixpkgs, gpgKey }:
|
||||
|
||||
let
|
||||
pkgs = nixpkgs.legacyPackages.x86_64-linux;
|
||||
in
|
||||
{
|
||||
config = import ./config { inherit pkgs; };
|
||||
config = import ./config { inherit pkgs gpgKey; };
|
||||
|
||||
expandSaltTemplate = import ./config/salt-support/expand-template.nix { inherit pkgs; };
|
||||
|
||||
|
|