shell/modules/development/libraries/nix-plugins.nix

   1 # Extend the Nix interpreter to enable builtins.extraBuiltins,
   2 # which provides an unsafe exec.
   3 # Useful to get secrets from a local password-store.
   4 { config, lib, pkgs, ... }:
   5 let cfg = config.nix-plugins;
   6     inherit (lib) types;
   7
   8     /*
   9     # Wrapper around nix to load extra-builtins.nix with nix-plugins.
  10     nix-with-extra-builtins = pkgs.writeShellScriptBin "nix-with-extra-builtins" ''
  11       ${pkgs.nix}/bin/nix \
  12        --option plugin-files ${pkgs.nix-plugins}/lib/nix/plugins/libnix-extra-builtins.so \
  13        --option extra-builtins-file ${cfg.extra-builtins} \
  14        "$@"
  15     '';
  16     */
  17
  18     # Wrapper around pass to call it with exec in extra-builtins.nix.
  19     # Unfortunately it can only load secrets which can be represented as a Nix string,
  20     # hence without null-byte and such special characters.
  21     # FIXME: make a nix-pass-chomp
  22     nix-pass = pkgs.writeShellScript "nix-pass" ''
  23       set -e
  24       f=$(mktemp)
  25       trap "shred -u $f" EXIT
  26       ${pkgs.pass}/bin/pass show "$1" >"$f"
  27       nix-instantiate --eval -E "builtins.readFile $f"
  28     '';
  29     # Like nix-pass but remove the trailing spaces and newlines at the end of the content.
  30     nix-pass-chomp = pkgs.writeShellScript "nix-pass-chomp" ''
  31       set -e
  32       f=$(mktemp)
  33       trap "shred -u $f" EXIT
  34       pass="$(${pkgs.pass}/bin/pass show "$1")"
  35       printf %s "$pass" >"$f"
  36       nix-instantiate --eval -E "builtins.readFile $f"
  37     '';
  38
  39     # Wrapper around pass to call it with exec in extra-builtins.nix and put the output in a file.
  40     # Needed for boot.initrd.network.ssh.host*Key.
  41     nix-pass-to-file = pkgs.writeShellScript "nix-pass-to-file" ''
  42       set -e
  43       set -o pipefail
  44       ${pkgs.pass}/bin/pass show "$1" |
  45       install -D -m 400 /dev/stdin "$2"
  46       printf '%s\n' "$2"
  47     '';
  48
  49     # Wrapper around pass to call it with exec in extra-builtins.nix and put the output in a file.
  50     # Needed for boot.initrd.network.ssh.host*Key.
  51     nix-pass-to-store = pkgs.writeShellScript "nix-pass-to-store" ''
  52       set -e
  53       ${pkgs.pass}/bin/pass show "$1" >"$f"
  54       nix-store --add "$f"
  55     '';
  56
  57     # Wrapper around git to call it with exec in extra-builtins.nix.
  58     nix-git = pkgs.writeShellScript "nix-git" ''
  59       cd "$1"; shift
  60       ${pkgs.git}/bin/git "$@"
  61     '';
  62 in
  63 {
  64   options.nix-plugins = {
  65     enable = lib.mkEnableOption "nix-plugins";
  66     extra-builtins = lib.mkOption {
  67       type = types.lines;
  68       default = ''
  69         pass         = path: exec [ "${nix-pass}" path ];
  70         pass-chomp   = path: exec [ "${nix-pass-chomp}" path ];
  71         pass-to-file = path: name: exec [ "${nix-pass-to-file}" path name ];
  72         git          = dir: args: exec ([ "${nix-git}" dir ] ++ args);
  73         git-time     = dir: path: exec [ "${nix-git}" dir "log" "-1" "--format=%ct" "--" path ];
  74         gpg          = args: exec ([ "${pkgs.gnupg}/bin/gpg" ] ++ args);
  75       '';
  76       description = ''
  77         Content put in extra-builtins.nix for nix-plugins.
  78       '';
  79       apply = lines: pkgs.writeText "extra-builtins.nix" (''
  80         { exec, ... }:
  81         {
  82         '' + lines + ''
  83         }
  84       '');
  85     };
  86   };
  87   config = lib.mkIf cfg.enable {
  88     nix.enable = true;
  89     nix.nixConf = ''
  90       plugin-files        = ${pkgs.nix-plugins}/lib/nix/plugins/libnix-extra-builtins.so
  91       extra-builtins-file = ${cfg.extra-builtins}
  92     '';
  93   };
  94 }