nixos-config/modules/secrets.nix

{ pkgs, config, lib, inputs, ... }:
with lib;
with types;
let
  secret = description:
  mkOption {
    inherit description;
    type = nullOr str;
  };
  mkCredOption = service: extra:
  mkOption {
    description = "Credentials for ${service}";
    type = nullOr (submodule {
      options = {
        user = mkOption {
          type = str;
          description = "Username for ${service}";
        };
        password = mkOption {
          type = str;
          description = "Password for ${service}";
        };
      } // extra;
    });
  };
in rec {
  options.secrets = {
    owm-key = secret "OpenWeatherMap key";
    irc = mkCredOption "IRC (konversation)" { };
    slack-term = mkOption { type = str; };
    yt-utilities = {
      user = secret "youtrack user";
      url = secret "youtrack url";
      token =  secret "youtrack token";
      source = {
        url = secret "A url to yt-utilities source";
        rev = secret "revision";
        sha256 = secret "sha256";
      };
    };
    wage = secret "wage (sum CURRENCY/TIME, like 10EUR/h)";
    gcal = {
      email = mkOption { type = lib.types.str; };
      client-id = mkOption { type = lib.types.str; };
      client-secret = mkOption { type = lib.types.str; };
      refresh-token = mkOption { type = lib.types.str; };
    };
    mail = mkCredOption "email" {
      host = mkOption {
        type = str;
        description = "Mail server";
      };
    };
    gpmusic = mkCredOption "Google Play Music (mopidy)" {
      deviceid = mkOption {
        type = str;
        description = "Android device ID";
      };
    };
    openvpn = mkCredOption "openvpn" {};
    rclone = mkOption {
      type = nullOr str;
      description = "Rclone config";
    };
    ssl = rec {
      cert = mkOption {
        type = nullOr str;
        description = "SSL certificate";
      };
      priv = mkOption {
        type = nullOr str;
        description = "SSL RSA private key";
      };
    };
    matrix = mkCredOption "matrix" rec {
      shared_secret = mkOption {
        type = nullOr str;
        description = "A shared secret for matrix instance";
      };
      mautrix-whatsapp = {
        config = mkOption {
          type = attrs;
        };
        registration = mkOption {
          type = attrs;
        };
      };
      mautrix-telegram = mautrix-whatsapp;
    };
  };
  config = let
    unlocked = import (pkgs.runCommand "check-secret" {} "set +e; grep -qI . ${../secret.nix}; echo $? > $out") == 0;
    secretnix = import ../secret.nix;
    secrets = if ! unlocked || isNull secretnix then
      mapAttrs (n: v: null) options.secrets
    else
      secretnix;
  in { inherit secrets; };
}
flake 2020-04-27 05:39:00 +04:00			`{ pkgs, config, lib, inputs, ... }:`
Update passwords 2020-02-17 17:00:59 +04:00			`with lib;`
			`with types;`
			`let`
			`secret = description:`
			`mkOption {`
			`inherit description;`
			`type = nullOr str;`
			`};`
			`mkCredOption = service: extra:`
			`mkOption {`
			`description = "Credentials for ${service}";`
			`type = nullOr (submodule {`
			`options = {`
			`user = mkOption {`
			`type = str;`
			`description = "Username for ${service}";`
			`};`
			`password = mkOption {`
			`type = str;`
			`description = "Password for ${service}";`
			`};`
			`} // extra;`
			`});`
			`};`
			`in rec {`
			`options.secrets = {`
			`owm-key = secret "OpenWeatherMap key";`
			`irc = mkCredOption "IRC (konversation)" { };`
			`slack-term = mkOption { type = str; };`
			`yt-utilities = {`
			`user = secret "youtrack user";`
			`url = secret "youtrack url";`
			`token = secret "youtrack token";`
			`source = {`
			`url = secret "A url to yt-utilities source";`
			`rev = secret "revision";`
			`sha256 = secret "sha256";`
			`};`
			`};`
			`wage = secret "wage (sum CURRENCY/TIME, like 10EUR/h)";`
			`gcal = {`
			`email = mkOption { type = lib.types.str; };`
			`client-id = mkOption { type = lib.types.str; };`
			`client-secret = mkOption { type = lib.types.str; };`
			`refresh-token = mkOption { type = lib.types.str; };`
			`};`
			`mail = mkCredOption "email" {`
			`host = mkOption {`
			`type = str;`
			`description = "Mail server";`
			`};`
			`};`
			`gpmusic = mkCredOption "Google Play Music (mopidy)" {`
			`deviceid = mkOption {`
			`type = str;`
			`description = "Android device ID";`
			`};`
			`};`
			`openvpn = mkCredOption "openvpn" {};`
			`rclone = mkOption {`
			`type = nullOr str;`
			`description = "Rclone config";`
			`};`
			`ssl = rec {`
			`cert = mkOption {`
			`type = nullOr str;`
			`description = "SSL certificate";`
			`};`
			`priv = mkOption {`
			`type = nullOr str;`
			`description = "SSL RSA private key";`
			`};`
			`};`
			`matrix = mkCredOption "matrix" rec {`
			`shared_secret = mkOption {`
			`type = nullOr str;`
			`description = "A shared secret for matrix instance";`
			`};`
			`mautrix-whatsapp = {`
			`config = mkOption {`
			`type = attrs;`
			`};`
			`registration = mkOption {`
			`type = attrs;`
			`};`
			`};`
			`mautrix-telegram = mautrix-whatsapp;`
			`};`
			`};`
			`config = let`
Handle locked secret.nix 2020-04-29 02:50:53 +04:00			`unlocked = import (pkgs.runCommand "check-secret" {} "set +e; grep -qI . ${../secret.nix}; echo $? > $out") == 0;`
Finalize flake 2020-04-27 05:41:54 +04:00			`secretnix = import ../secret.nix;`
Handle locked secret.nix 2020-04-29 02:50:53 +04:00			`secrets = if ! unlocked \|\| isNull secretnix then`
Update passwords 2020-02-17 17:00:59 +04:00			`mapAttrs (n: v: null) options.secrets`
			`else`
			`secretnix;`
			`in { inherit secrets; };`
			`}`