Support rules from flake outputs (nixosConfigurations) #52

Open
pinpox opened this issue Nov 22, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@pinpox

pinpox commented Nov 22, 2021

Just an idea I wanted to propose:

Would it be possible to support reading rules from another flake's output instead of a separate secrets.nix file?
E.g. If I have a flake defining my systems like this:

{
  outputs = { self, nixpkgs }: {

    nixosConfigurations = {
      system1 = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ({ pkgs, ... }:
            {
              # Config ...
              age.option-to-set-key = "ssh-ed25519 AAAAAAA...";
              age.secrets.secret1.file = ./secrets/secret1.age;
              age.secrets.secret2.file = ./secrets/secret2.age;
            })
        ];
      };

      system2 = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ({ pkgs, ... }:
            {
              # Config
              age.option-to-set-key = "ssh-ed25519 AAAABBB...";
              age.secrets.secret2.file = ./secrets/secret2.age;
            })
        ];
      };
    };
  };
}

nixosConfigurations could be used directly resulting in a rule set equivalent to:

let
  system1 = "ssh-ed25519 AAAAAAA...";
  system2 = "ssh-ed25519 AAAABBB...";
in
{
  "secret1.age".publicKeys = [ system1 ];
  "secret2.age".publicKeys = [ system1 system2 ];
}

Since you only plan on supporting flakes, it seems like an extra step to have to write a secrets.nix file, as the information is already present in an organized form. The --rules flag of ragenix could be expanded to accept a flake path, or an additional flag (e.g. --flake) could be implemented the same way other tools like nixos-rebuild have done.

I might not have considered something; let me know what you think or if this is a bad idea. This could even serve as an alternative for #48, as there would no longer be a reason to have globs since you don't need to define the rules at all.
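As an added illustration of the proposal above (this is example code written for this page, not code from the issue or from ragenix), the following Nix expression derives a secrets.nix-style rule set from the `config` of each entry in `nixosConfigurations`. It assumes a hypothetical option `age.hostPublicKey` standing in for the issue's `age.option-to-set-key`; agenix has no such option today, so a real implementation would have to declare it in the module. Rule keys are taken with `baseNameOf` to match the rule set shown in the issue, and the sample `nixosConfigurations` is a constructed stand-in shaped like the output of `nixpkgs.lib.nixosSystem`, so the file evaluates offline.

```nix
let
  inherit (builtins) attrValues foldl' mapAttrs baseNameOf;

  # Build the rule set from an attrset of evaluated NixOS configurations.
  # `nixosConfigurations.<host>.config` is what nixpkgs.lib.nixosSystem exposes.
  rulesFromConfigurations = nixosConfigurations:
    let
      # Per host: its public key and the basenames of the secrets it declares.
      hosts = mapAttrs (_: sys: {
        key = sys.config.age.hostPublicKey;  # hypothetical option, see lead-in
        files = map (s: baseNameOf (toString s.file)) (attrValues sys.config.age.secrets);
      }) nixosConfigurations;

      # Invert the mapping: secret file -> keys of every host that declares it.
      addHost = acc: host:
        foldl' (acc': file:
          acc' // { ${file}.publicKeys = (acc'.${file}.publicKeys or [ ]) ++ [ host.key ]; }
        ) acc host.files;
    in
    # attrValues is sorted by attribute name, so keys come out in host order.
    foldl' addHost { } (attrValues hosts);

  # Constructed stand-in for the flake's nixosConfigurations; the keys are
  # dummy placeholders, not real host keys.
  sample = {
    system1.config.age = {
      hostPublicKey = "ssh-ed25519 AAAAAAA...";
      secrets = {
        secret1.file = ./secrets/secret1.age;
        secret2.file = ./secrets/secret2.age;
      };
    };
    system2.config.age = {
      hostPublicKey = "ssh-ed25519 AAAABBB...";
      secrets.secret2.file = ./secrets/secret2.age;
    };
  };
in
rulesFromConfigurations sample
```

Saving this as rules.nix and running `nix-instantiate --eval --strict rules.nix` yields `"secret1.age"` with `publicKeys = [ "ssh-ed25519 AAAAAAA..." ]` and `"secret2.age"` with both keys, i.e. the same rule set the issue writes by hand. In a real flake the `sample` argument would be replaced by `self.nixosConfigurations`, and a tool consuming this would still want to verify that every key it collects is a well-formed public key before using it for encryption.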

@veehaitch veehaitch added the enhancement New feature or request label Nov 22, 2021
@veehaitch
Member

Thanks for your proposal!

I already thought about having something similar. Currently, the secrets.nix schema does not accept arguments, as (r)agenix is not aware of any (flake) inputs. This means one cannot even use lib and friends. On the other hand, we'd like to avoid breaking compatibility with agenix. Your proposal to extend the NixOS module and read the configuration from ragenix could be a good idea, although I haven't thought it through entirely.

@blaggacao
Contributor

This probably should be discussed upstream.
