diff --git a/lib/default.nix b/lib/default.nix
index 5459b5e2..ee3ec6ca 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -74,4 +74,53 @@ rec {
 
 countAttrs = pred: attrs:
 lib.count (attr: pred attr.name attr.value) (lib.mapAttrsToList lib.nameValuePair attrs);
+
+ /* Get the secrets from a given sops file. This will set the individual
+ attributes `sopsFile` with the given file to not interrupt as much as
+ possible with your own sops-nix workflow.
+
+ Examples:
+ lib.getSecrets ./sops.yaml {
+ ssh-key = { };
+ "borg/ssh-key" = { };
+ "wireguard/private-key" = {
+ group = config.users.users.systemd-network.group;
+ reloadUnits = [ "systemd-networkd.service" ];
+ mode = "0640";
+ };
+ }
+ */
+ getSecrets = sopsFile: secrets:
+ let
+ getKey = key: { inherit key sopsFile; };
+ in
+ lib.mapAttrs
+ (path: attrs:
+ (getKey path) // attrs)
+ secrets;
+
+ /* Prepend a prefix for the given secrets. This allows a workflow for
+ separate sops file.
+
+ Examples:
+ lib.getSecrets ./sops.yaml {
+ ssh-key = { };
+ "borg/ssh-key" = { };
+ } //
+ (lib.getSecrets ./wireguard.yaml
+ (lib.attachSopsPathPrefix "wireguard" {
+ "private-key" = {
+ group = config.users.users.systemd-network.group;
+ reloadUnits = [ "systemd-networkd.service" ];
+ mode = "0640";
+ };
+ }))
+ */
+ attachSopsPathPrefix = prefix: secrets:
+ lib.mapAttrs'
+ (key: settings:
+ lib.nameValuePair
+ "${prefix}/${key}"
+ ({ inherit key; } // settings))
+ secrets;
 }
diff --git a/lib/private.nix b/lib/private.nix
index f54b16c0..d0786360 100644
--- a/lib/private.nix
+++ b/lib/private.nix
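Review bot: The comment on `getSecrets` does not state that the caller's per-secret attributes win the `//` merge on the `(getKey path) // attrs` line, so a `sopsFile` or `key` supplied inside a secret's attrset silently replaces the one derived from the function arguments, which can make a secret resolve against a different file than the one named in the call; add a sentence such as `Attributes given per secret override the generated key and sopsFile.` That same override is what `attachSopsPathPrefix` relies on, since it stores the unprefixed `key` so the sops key stays `private-key` while the attribute name becomes `wireguard/private-key`, and that interplay deserves a sentence in its comment as well. In the wording, `to not interrupt as much as possible with your own sops-nix workflow` reads as `interfere`, and `separate sops file` should be `separate sops files`. The enclosing `rec { … }` set begins outside the hunk.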
@@ -27,23 +27,6 @@ rec {
 
 getSecret = path: ../secrets/${path};
 
- getSecrets = sopsFile: secrets:
- let
- getKey = key: { inherit key sopsFile; };
- in
- lib.mapAttrs
- (path: attrs:
- (getKey path) // attrs)
- secrets;
-
- attachSopsPathPrefix = prefix: secrets:
- lib.mapAttrs'
- (key: settings:
- lib.nameValuePair
- "${prefix}/${key}"
- ({ inherit key; } // settings))
- secrets;
-
 isInternal = config: config ? _isInsideFds && config._isInsideFds;
 
 getUsers = type: users: