shell/modules/development/libraries/nix-plugins.nix

   1 # Extend the Nix interpreter to enable builtins.extraBuiltins,
   2 # which provides an unsafe exec.
   3 # Useful to get secrets from a local password-store.
   4 { config, lib, pkgs, ... }:
   5 let cfg = config.nix-plugins;
   6     inherit (lib) types;
   7
   8     /*
   9     # Wrapper around nix to load extra-builtins.nix with nix-plugins.
  10     nix-with-extra-builtins = pkgs.writeShellScriptBin "nix-with-extra-builtins" ''
  11       ${pkgs.nix}/bin/nix \
  12        --option plugin-files ${pkgs.nix-plugins}/lib/nix/plugins/libnix-extra-builtins.so \
  13        --option extra-builtins-file ${cfg.extra-builtins} \
  14        "$@"
  15     '';
  16     */
  17
  18     # Wrapper around pass to call it with exec in extra-builtins.nix.
  19     # Unfortunately it can only load secrets which can be represented as a Nix string,
  20     # hence without null-byte and such special characters.
  21     # FIXME: make a nix-pass-chomp
  22     nix-pass = pkgs.writeShellScript "nix-pass" ''
  23       set -e
  24       f=$(mktemp)
  25       trap "shred -u $f" EXIT
  26       # NOTE: using an envvar removes the trailing newline added by pass generate
  27       pass="$(${pkgs.pass}/bin/pass show "$1")"
  28       printf %s "$pass" >$f
  29       nix-instantiate --eval -E "builtins.readFile $f"
  30     '';
  31     /*
  32       nix-store --add $f
  33     */
  34     /*
  35       set -o pipefail
  36       ${pkgs.pass}/bin/pass show "$1" |
  37       ${pkgs.gnused}/bin/sed \
  38        -e 's:\n:\\n:g;s:\r:\\r:g;s:\t:\\t:g;s:":\\":g;1s:^:":;$s:$:":;'
  39     */
  40
  41     # Wrapper around pass to call it with exec in extra-builtins.nix and put the output in a file.
  42     # Needed for boot.initrd.network.ssh.host*Key.
  43     nix-pass-to-file = pkgs.writeShellScript "nix-pass-to-file" ''
  44       set -e
  45       set -o pipefail
  46       cd "$PWD"
  47       ${pkgs.pass}/bin/pass show "$1" |
  48       install -D -m 400 /dev/stdin "$2"
  49       printf '%s\n' "$2"
  50     '';
  51
  52     # Wrapper around git to call it with exec in extra-builtins.nix.
  53     nix-git = pkgs.writeShellScript "nix-git" ''
  54       cd "$1"; shift
  55       ${pkgs.git}/bin/git "$@"
  56     '';
  57 in
  58 {
  59   options.nix-plugins = {
  60     enable = lib.mkEnableOption "nix-plugins";
  61     extra-builtins = lib.mkOption {
  62       type = types.lines;
  63       default = ''
  64         pass         = path: exec [ "${nix-pass}" path ];
  65         pass-to-file = path: name: exec [ "${nix-pass-to-file}" path name ];
  66         git          = dir: args: exec ([ "${nix-git}" (builtins.toPath dir) ] ++ args);
  67         git-time     = dir: path: exec [ "${nix-git}" (builtins.toPath dir) "log" "-1" "--format=%ct" "--" path ];
  68       '';
  69       description = ''
  70         Content put in extra-builtins.nix for nix-plugins.
  71       '';
  72       apply = lines: pkgs.writeText "extra-builtins.nix" (''
  73         { exec, ... }:
  74         {
  75         '' + lines + ''
  76         }
  77       '');
  78     };
  79   };
  80   config = lib.mkIf cfg.enable {
  81     nix.enable = true;
  82     nix.nixConf = ''
  83       plugin-files        = ${pkgs.nix-plugins}/lib/nix/plugins/libnix-extra-builtins.so
  84       extra-builtins-file = ${cfg.extra-builtins}
  85     '';
  86   };
  87 }