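{
  pkgs,
  config,
  lib,
  ...
}:
let
  inherit (lib) mkOption types;

  cfg = config.xyno.secrets;

  # Serialised *specification* of every secret (which source it comes from and
  # the source's parameters), not the secret values themselves.  This string is
  # written to the Nix store below, and the store is world-readable, so nothing
  # in `cfg` may be sensitive.
  json = builtins.toJSON cfg;
in
{
  options.xyno.secret-output = mkOption {
    # `types.path` rather than `types.str`: the value assigned in `config`
    # below is a store-path derivation, which `types.str` would reject.
    type = types.path;
    description = ''
      Store path of the JSON file describing every entry of `xyno.secrets`.
      Intended to be consumed by whatever loads the secrets at activation time.
    '';
  };

  options.xyno.secrets = mkOption {
    # Empty by default so the module evaluates cleanly when no secret is declared.
    default = { };
    description = ''
      Secrets to provision, keyed by name.  Exactly one of `random`, `ageFile`
      or `command` must be set for each entry.
    '';
    type = types.attrsOf (
      types.submodule {
        options = {
          random = mkOption {
            # A byte count of zero or less cannot produce a secret.
            type = types.nullOr types.ints.positive;
            default = null;
            description = ''
              Generate the secret as a random hex string of this many bytes.
              The module puts `openssl` on the system path for this purpose.
            '';
          };
          ageFile = mkOption {
            type = types.nullOr types.str;
            default = null;
            description = ''
              Path of an age-encrypted file whose decrypted content is the secret.
            '';
          };
          command = mkOption {
            type = types.nullOr types.str;
            default = null;
            description = ''
              Shell command whose output is the secret (impure).  The command
              string itself is written into the world-readable Nix store, so it
              must not contain secret material.
            '';
          };
        };
      }
    );
  };

  config = {
    systemd.tpm2.enable = true;
    boot.initrd.systemd.tpm2.enable = true;

    # Refuse entries whose source is missing or ambiguous instead of silently
    # serialising them into the spec file.
    assertions = lib.mapAttrsToList (name: secret: {
      assertion = lib.count (v: v != null) [ secret.random secret.ageFile secret.command ] == 1;
      message = "xyno.secrets.${name}: exactly one of `random`, `ageFile` or `command` must be set";
    }) cfg;

    # TODO: ensure secrets are loaded in activation script

    # `pkgs.writeText` is the nixpkgs builder for a plain file in the store;
    # the original `pkgs.writeFile` does not exist.
    xyno.secret-output = pkgs.writeText "xyno-secret.json" json;

    environment.systemPackages = [
      pkgs.openssl # needed for random secrets
    ];
  };
}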