checks: add age dummy secrets NixOS module

2023-09-03 21:18:50 +02:00 · 2023-09-03 21:18:50 +02:00 · 0025a4bb2a
commit 0025a4bb2a
parent 1b3a990866
1 changed files with 33 additions and 0 deletions
--- a/packages/checks/modules/nixos/age-dummy-secrets.nix
+++ b/packages/checks/modules/nixos/age-dummy-secrets.nix
@ -0,0 +1,33 @@
+{ config, lib, ... }:
+with lib;
+
+let
+  t = {
+    string = default: mkOption {
+      type = types.str;
+      inherit default;
+    };
+  };
+in
+
+{
+  options.age.secrets = mkOption {
+    type = types.attrsOf (types.submodule ({ name, config, ... }: {
+      options = {
+        file = mkSinkUndeclaredOptions {};
+        owner = t.string "root";
+        group = t.string "root";
+        mode = t.string "400";
+        path = t.string "/etc/dummy-secrets/${name}";
+      };
+    }));
+  };
+  config.environment.etc = mapAttrs' (name: secret: {
+    name = removePrefix "/etc/" secret.path;
+    value = mapAttrs (const mkDefault) {
+      user = secret.owner;
+      inherit (secret) mode group;
+      text = builtins.hashString "md5" name;
+    };
+  }) config.age.secrets;
+}