107 lines
3.5 KiB
Nix
107 lines
3.5 KiB
Nix
{
|
|
description = "Runtime secrets via OpenBao + Zitadel machine key";
|
|
|
|
inputs = { };
|
|
|
|
outputs = { ... }:
|
|
{
|
|
lib = {
|
|
applyConfigChanges = secrets:
|
|
let
|
|
substitute = secretPath: value:
|
|
if builtins.isAttrs value then
|
|
builtins.mapAttrs (_: v: substitute secretPath v) value
|
|
else if builtins.isList value then
|
|
map (v: substitute secretPath v) value
|
|
else if builtins.isString value then
|
|
builtins.replaceStrings [ "$SECRET_PATH" ] [ secretPath ] value
|
|
else
|
|
value;
|
|
|
|
deepMerge = a: b:
|
|
if builtins.isAttrs a && builtins.isAttrs b then
|
|
builtins.foldl'
|
|
(acc: key:
|
|
let
|
|
newVal = builtins.getAttr key b;
|
|
mergedVal =
|
|
if builtins.hasAttr key acc then
|
|
deepMerge (builtins.getAttr key acc) newVal
|
|
else
|
|
newVal;
|
|
in
|
|
acc // (builtins.listToAttrs [ { name = key; value = mergedVal; } ])
|
|
)
|
|
a
|
|
(builtins.attrNames b)
|
|
else if builtins.isList a && builtins.isList b then
|
|
a ++ b
|
|
else
|
|
b;
|
|
|
|
fragments = builtins.attrValues (builtins.mapAttrs (
|
|
name: s:
|
|
let
|
|
secretPath = s.path or ("/run/secrets/" + name);
|
|
in
|
|
substitute secretPath (s.configChanges or { })
|
|
) secrets);
|
|
in
|
|
builtins.foldl' deepMerge { } fragments;
|
|
|
|
applyHmChanges = secrets:
|
|
let
|
|
substitute = secretPath: value:
|
|
if builtins.isAttrs value then
|
|
builtins.mapAttrs (_: v: substitute secretPath v) value
|
|
else if builtins.isList value then
|
|
map (v: substitute secretPath v) value
|
|
else if builtins.isString value then
|
|
builtins.replaceStrings [ "$SECRET_PATH" ] [ secretPath ] value
|
|
else
|
|
value;
|
|
|
|
deepMerge = a: b:
|
|
if builtins.isAttrs a && builtins.isAttrs b then
|
|
builtins.foldl'
|
|
(acc: key:
|
|
let
|
|
newVal = builtins.getAttr key b;
|
|
mergedVal =
|
|
if builtins.hasAttr key acc then
|
|
deepMerge (builtins.getAttr key acc) newVal
|
|
else
|
|
newVal;
|
|
in
|
|
acc // (builtins.listToAttrs [ { name = key; value = mergedVal; } ])
|
|
)
|
|
a
|
|
(builtins.attrNames b)
|
|
else if builtins.isList a && builtins.isList b then
|
|
a ++ b
|
|
else
|
|
b;
|
|
|
|
fragments = builtins.attrValues (builtins.mapAttrs (
|
|
name: s:
|
|
let
|
|
secretPath = s.path or ("/run/secrets/" + name);
|
|
in
|
|
substitute secretPath (s.hmChanges or { })
|
|
) secrets);
|
|
|
|
merged = builtins.foldl' deepMerge { } fragments;
|
|
in
|
|
if merged == { } then
|
|
{ }
|
|
else
|
|
{
|
|
home-manager.sharedModules = [ (_: merged) ];
|
|
};
|
|
};
|
|
|
|
nixosModules = {
|
|
default = import ./nixos-module.nix;
|
|
};
|
|
};
|
|
}
|