authorIrene Knapp <ireneista@internetsafetylabs.org>2025-09-09 20:19:12 -0700
committerIrene Knapp <ireneista@internetsafetylabs.org>2025-09-09 20:26:57 -0700
commitb7887228c4866b16b3d5cf7d923739ed9d7ea104 (patch)
tree393c24b32c8663bf9b5f7b4cc64ac10361ef36cf /options.nix
parentcd82f4a96839ad4b7907e0355a87ded23b5fe584 (diff)
make a really fancy test harness for nix module evaluation
I've never done this before and am really proud of the code; I hope the
comments help but feel free to ask questions.

As you can see by looking at the diffs to `options.nix`, it did catch
several issues that had gotten through up to this point. I'm pretty
pleased with that. As before, `nix flake check` is all you need to do to
run it.

Change-Id: I99a550e92d7b4770e52b6aba763cff2bdc4c9287
Diffstat (limited to 'options.nix')
-rw-r--r--options.nix29
1 files changed, 17 insertions, 12 deletions
diff --git a/options.nix b/options.nix
index 5fa70dc..8531404 100644
--- a/options.nix
+++ b/options.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib }:
+{ config, pkgs, lib, ... }:
 
 {
   options.secrets = {
@@ -47,18 +47,19 @@
       example = {
         mattermost = {
           path = "/etc/nixos/secrets/mattermost.key";
-          script = "touch /etc/nixos/secrets/mattermost.key"
+          script = "touch /etc/nixos/secrets/mattermost.key";
         };
 
         neooffice = {
           path = "/etc/nixos/secrets/neooffice.key";
-          script = "head -c 32 /dev/urandom > /etc/nixos/secrets/neooffice.key"
+          script =
+              "head -c 32 /dev/urandom > /etc/nixos/secrets/neooffice.key";
         };
       };
 
-      type = lib.types.attrsOf lib.types.submodule = {
+      type = lib.types.attrsOf (lib.types.submodule {
         options = {
-          path = {
+          path = lib.mkOption {
             type = lib.types.pathWith {
               absolute = true;
               inStore = false;
@@ -74,7 +75,7 @@
             example = "/etc/nixos/secrets/neooffice.key";
           };
 
-          script = {
+          script = lib.mkOption {
             type = lib.types.lines;
             description = ''
               An internal value which is part of `secrets.export`, used by
@@ -90,18 +91,22 @@
             '';
           };
         };
-      };
+      });
     };
   };
 
-  config.secrets.export = { config, pkgs, ... }:
+  config.secrets.export =
       let exportSecret = name: secret: {
-            path = "/etc/nixos/secrets/${secret.file}";
+            path = "/etc/nixos/secrets/${secret.filename}";
+
+            # In defiance of the usual code style, we leave off the trailing
+            # newline here because that makes life easier when writing test
+            # cases (see `checks.nix`), which would otherwise have to add an
+            # extra one.
             script = ''
               #!${pkgs.bash}/bin/bash
-              ${secret.script}
-            '';
+              ${secret.script}'';
           };
-      in mapAttrs exportSecret config.secrets.secrets;
+      in builtins.mapAttrs exportSecret config.secrets.secrets;
 }
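Review bot: The wrapper built at `script = ''#!${pkgs.bash}/bin/bash …''` runs each `secret.script` with the invoking process's umask and without aborting on error, so a generator like the `head -c 32 /dev/urandom > …` example in the second hunk creates the key file with the default (typically group/world-readable) mode, and a failing command still yields a successful exit. Adding `umask 077` and `set -euo pipefail` on the lines after the shebang would make every exported secret private by default and surface failures, and it does not disturb the no-trailing-newline arrangement because the interpolation stays on its own final line. Separately, `path = "/etc/nixos/secrets/${secret.filename}"` reads `filename`, while the submodule shown in the earlier hunks only declares `path` and `script`; if `filename` is not declared somewhere outside this diff, evaluating the export will fail, and `secret.path` already carries the absolute, non-store path that `pathWith` enforces.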