From b7887228c4866b16b3d5cf7d923739ed9d7ea104 Mon Sep 17 00:00:00 2001
From: Irene Knapp
Date: Tue, 9 Sep 2025 20:19:12 -0700
Subject: make a really fancy test harness for nix module evaluation

I've never done this before and am really proud of the code; I hope the comments help but feel free to ask questions. As you can see by looking at the diffs to `options.nix`, it did catch several issues that had gotten through up to this point. I'm pretty pleased with that. As before, `nix flake check` is all you need to do to run it.

Change-Id: I99a550e92d7b4770e52b6aba763cff2bdc4c9287
---
 options.nix | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
(limited to 'options.nix')

diff --git a/options.nix b/options.nix
index 5fa70dc..8531404 100644
--- a/options.nix
+++ b/options.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib }:
+{ config, pkgs, lib, ... }:
 
 {
 options.secrets = {
@@ -47,18 +47,19 @@
 example = {
 mattermost = {
 path = "/etc/nixos/secrets/mattermost.key";
- script = "touch /etc/nixos/secrets/mattermost.key"
+ script = "touch /etc/nixos/secrets/mattermost.key";
 };
 
 neooffice = {
 path = "/etc/nixos/secrets/neooffice.key";
- script = "head -c 32 /dev/urandom > /etc/nixos/secrets/neooffice.key"
+ script =
+ "head -c 32 /dev/urandom > /etc/nixos/secrets/neooffice.key";
 };
 };
 
- type = lib.types.attrsOf lib.types.submodule = {
+ type = lib.types.attrsOf (lib.types.submodule {
 options = {
- path = {
+ path = lib.mkOption {
 type = lib.types.pathWith {
 absolute = true;
 inStore = false;
@@ -74,7 +75,7 @@
 example = "/etc/nixos/secrets/neooffice.key";
 };
 
- script = {
+ script = lib.mkOption {
 type = lib.types.lines;
 description = ''
 An internal value which is part of `secrets.export`, used by
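Review bot: The `example` scripts `touch /etc/nixos/secrets/mattermost.key` and `head -c 32 /dev/urandom > /etc/nixos/secrets/neooffice.key` create the key file under the caller's default umask, so anyone who copies the documented shape gets a secret that is typically mode 0644. The example should show the permission step, e.g. `script = "(umask 077; head -c 32 /dev/urandom > /etc/nixos/secrets/neooffice.key)";`, or the description should state that the wrapper built in the `config.secrets.export` hunk is responsible for restricting permissions. The `inStore = false` constraint added to the `path` option is a good guard against the key being copied into the world-readable store. The enclosing option declaration starts before this hunk.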
@@ -90,18 +91,22 @@
 '';
 };
 };
- };
+ });
 };
 };
 
- config.secrets.export = { config, pkgs, ... }:
+ config.secrets.export =
 let exportSecret = name: secret: {
- path = "/etc/nixos/secrets/${secret.file}";
+ path = "/etc/nixos/secrets/${secret.filename}";
+
+ # In defiance of the usual code style, we leave off the trailing
+ # newline here because that makes life easier when writing test
+ # cases (see `checks.nix`), which would otherwise have to add an
+ # extra one.
 script = ''
 #!${pkgs.bash}/bin/bash
- ${secret.script}
- '';
+ ${secret.script}'';
 };
- in mapAttrs exportSecret config.secrets.secrets;
+ in builtins.mapAttrs exportSecret config.secrets.secrets;
 }
-- cgit 1.4.1
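Review bot: The wrapper assembled in `exportSecret` runs `${secret.script}` directly after the bash shebang with no `set -euo pipefail` and no `umask`, so a generation step that fails midway still reports success if its last command succeeds, and any file the script creates inherits the default umask instead of being owner-only. Adding `set -euo pipefail` and `umask 077` as the two lines after `#!${pkgs.bash}/bin/bash` would enforce both centrally for every secret; the test cases in `checks.nix` mentioned in the comment would then need the matching expected text. Separately, `path = "/etc/nixos/secrets/${secret.filename}"` interpolates the name without checking that it is a bare filename, so unless the `filename` option declared outside this hunk already restricts it, a guard such as `path = assert builtins.baseNameOf secret.filename == secret.filename; "/etc/nixos/secrets/${secret.filename}";` keeps every exported path inside the secrets directory.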