path: root/options.nix

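# Option declarations for the `secrets.secrets` attribute set.
#
# Each entry names one secret and carries two strings: the file it is stored
# in and the shell command that generates it. Only the declarations live
# here; the code that runs `script` and writes `filename` is not in this file.
#
# Arguments:
#   pkgs - part of the call signature; not referenced in this file.
#   lib  - supplies mkOption and the option types used below.
{ pkgs, lib }:

let
  # Ready-made generator commands. They differ only in how many bytes are
  # read from /dev/urandom before base32 encoding: 64, 32 and 16.
  # NOTE(review): GNU coreutils base32 wraps output at 76 columns by default,
  # so the 64-byte variant (104 encoded characters) would print two lines.
  # Confirm that the consumer tolerates the embedded newline, or pass `-w0`.
  scriptRegistry = {
    bigsecret = ''head -c 64 /dev/urandom | base32'';
    medsecret = ''head -c 32 /dev/urandom | base32'';
    smallsecret = ''head -c 16 /dev/urandom | base32'';
  };
in {
  secrets.secrets = lib.mkOption {
    description = ''
        A set of secrets, each identified by a name (e.g. mattermost, gitlabce).
        Each secret has a filename and a script to generate it.
    '';
    default = { };
    type = lib.types.attrsOf (lib.types.submodule {
      options = {
        # NOTE(review): the type is a plain string, so values containing "/"
        # or ".." are accepted here. The code that joins this with the
        # secrets directory is not visible; confirm that it rejects such
        # values, or narrow the type.
        filename = lib.mkOption {
          type = lib.types.str;
          description = ''
            The filename where this secret is stored, all
            files at /etc/nixos/secrets
          '';
          example = "mysecret.key";
        };
        # The value is a shell command, so it is code rather than data:
        # whatever consumes this option runs it with that process's
        # privileges. It should produce the secret at run time and never
        # contain one literally, because option values can end up in the
        # world-readable Nix store.
        script = lib.mkOption {
          type = lib.types.str;
          # The original closed this indented string with `";`, which left it
          # unterminated, so the file did not parse. It is closed with `'';`.
          description = ''
              Shell command that generates the secret.
          '';
          # Same string as the former literal example; taken from the
          # registry so that the two cannot drift apart.
          example = scriptRegistry.medsecret;
        };
      };
    });
  };
}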