zentralwerk-network-key as flake input

This commit is contained in:
Astro 2021-03-19 23:25:31 +01:00
parent d364011f62
commit 67298b919e
7 changed files with 54 additions and 36 deletions


@ -3,11 +3,10 @@
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs"; nixpkgs.url = "github:nixos/nixpkgs";
zentralwerk-network-key.url = "https://gitea.c3d2.de/zentralwerk/network.git?dir=nix/key"; zentralwerk-network-key.url = "git+https://gitea.c3d2.de/zentralwerk/network.git?dir=nix/key&ref=nix";
zentralwerk-network-key.flake = false;
}; };
outputs = { self, nixpkgs }: outputs = { self, nixpkgs, zentralwerk-network-key }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
systems = [ system ]; systems = [ system ];
@ -15,7 +14,10 @@
in in
rec { rec {
lib = lib =
import ./nix/lib { inherit nixpkgs; }; import ./nix/lib {
inherit nixpkgs;
inherit (zentralwerk-network-key.lib) gpgKey;
};
packages = forAllSystems (system: packages = forAllSystems (system:
import ./nix/pkgs { inherit self nixpkgs system; } import ./nix/pkgs { inherit self nixpkgs system; }
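Review bot: The new `zentralwerk-network-key` input is pinned only to a branch (`ref=nix`), so which key flake is evaluated depends on whatever that branch serves when the lock is taken, and flake.lock is not among the seven files in this commit, so either it is updated separately or the input floats until the next `nix flake lock`. For an input whose whole purpose is to carry key material, pin it with `rev=<sha>` in the URL or commit the lock update in the same change, so that a force-push to the upstream `nix` branch cannot swap in a different `lib.gpgKey`. Presumably the real key is injected by overriding this input rather than from the public repository, which the commit does not show; a one-line comment above the input saying how the override is done would save the next reader that search.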


@ -1 +0,0 @@
null

7
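--- /dev/null
+++ b/nix/key/flake.nix
+{
+description = "Zentralwerk network secret GPG key";
+outputs = { ... }: {
+lib.gpgKey = null;
+};
+}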
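Review bot: `lib.gpgKey = null` is the only output here, yet the description calls it the secret GPG key and nothing explains that this is the public placeholder or that `null` means "no key, leave values encrypted", which a reader only learns from the consumer in salt-pillar.nix. Add a comment above the output such as `# Public placeholder: the real key flake is supplied out of tree (override this input); null means no key is available and consumers must keep values encrypted.` The override mechanism is inferred, not shown by this commit, so confirm the actual procedure before documenting it.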


@ -1,4 +1,6 @@
{ pkgs ? import <nixpkgs> {} }: { pkgs ? import <nixpkgs> {}
, gpgKey
}:
let let
result = pkgs.lib.evalModules { result = pkgs.lib.evalModules {
@ -6,6 +8,18 @@ let
modules = [ modules = [
./options.nix ./options.nix
./legacy.nix ./legacy.nix
(
{ lib, ... }:
with lib;
{
options.gpgKey = mkOption {
type = types.path;
};
config = {
inherit gpgKey;
};
}
)
]; ];
}; };
in in
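Review bot: `options.gpgKey` is declared as `types.path`, but the value wired into `config` is `null` whenever the public placeholder flake is used (nix/key/flake.nix exports `lib.gpgKey = null`), and as far as I can tell the module system's path check rejects null, so reading `config.gpgKey` fails with a type error before salt-pillar.nix ever reaches its `gpgKey == null` fallback. Declare it as `type = types.nullOr types.path; default = null;` so the keyless build actually takes the "encrypted" path. A `description` stating that a real path causes the key file to be copied into the Nix store when it is interpolated downstream would also help whoever sets this option.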


@ -1,7 +1,10 @@
{ pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
pillar = import ./salt-support/salt-pillar.nix { inherit pkgs; }; pillar = import ./salt-support/salt-pillar.nix {
inherit pkgs;
inherit (config) gpgKey;
};
in in
{ {
options.salt-pillar = lib.mkOption {}; options.salt-pillar = lib.mkOption {};


@ -1,34 +1,27 @@
{ pkgs ? import <nixpkgs> {} }: { pkgs ? import <nixpkgs> {}
, gpgKey
}:
with pkgs.lib; with pkgs.lib;
let let
loadYaml = import ./load-yaml.nix { inherit pkgs; }; loadYaml = import ./load-yaml.nix { inherit pkgs; };
# Swap with the real one if you don't have the key: decryptMessage = builtins.trace gpgKey
decryptMessage = _: "encrypted"; (x:
if gpgKey == null
_decryptMessage = x: then "encrypted"
let else
keyFile = requireFile { builtins.readFile (
name = "salt-gpg.asc"; pkgs.runCommandLocal "decrypted-salt-value" {
sha256 = ""; nativeBuildInputs = [ pkgs.gnupg ];
message = '' } ''
GPG private key not found. export GNUPGHOME=$(mktemp -d)
gpg --import ${gpgKey}
If you still want to build the scripts, search "#decryptMessage" in salt-pillar.nix. gpg -d > $out << EOF
''; ${x}
}; EOF
cleartextFile = pkgs.runCommandLocal "decrypted-salt-value" { ''
nativeBuildInputs = [ pkgs.gpg ]; ));
} ''
export GNUPGHOME=$(mktemp -d)
gpg --import ${keyFile}
gpg -d > $out << EOF
${x}
EOF
'';
in
builtins.readFile cleartextFile;
decrypt = x: decrypt = x:
if builtins.isString x if builtins.isString x
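Review bot: Once `gpgKey` points at a real private key, `gpg --import ${gpgKey}` copies that key file into /nix/store and the `$out` of `decrypted-salt-value` places the plaintext there as well; on a default installation the store is world-readable, and both paths travel to any cache the outputs are pushed to. The previous `_decryptMessage` had the same shape but was dead code, whereas this commit makes it the live path, so it deserves at least a comment at the top of `decryptMessage` (`# NOTE: importing the key and writing $out both put secret material into the Nix store; only evaluate with a real key on a trusted single-user machine`) or a move of decryption out of evaluation and into deploy time. Independently, `builtins.trace gpgKey` looks like a debugging leftover that prints the key path to stderr on every evaluation, so `decryptMessage = x:` with the trace dropped. The unquoted heredoc `<< EOF` subjects the ciphertext to shell expansion; armored PGP text should not contain `$` or backticks, but `<< 'EOF'` costs nothing. The `decrypt` definition that follows continues outside the hunk.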


@ -1,10 +1,10 @@
{ nixpkgs }: { nixpkgs, gpgKey }:
let let
pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs = nixpkgs.legacyPackages.x86_64-linux;
in in
{ {
config = import ./config { inherit pkgs; }; config = import ./config { inherit pkgs gpgKey; };
expandSaltTemplate = import ./config/salt-support/expand-template.nix { inherit pkgs; }; expandSaltTemplate = import ./config/salt-support/expand-template.nix { inherit pkgs; };