1 # Extend the Nix interpreter to enable builtins.extraBuiltins,
 
   2 # which provides an unsafe exec.
 
   3 # Useful for retrieving secrets from a local password-store at evaluation time.
 
   4 { config, lib, pkgs, ... }:
 
   5 let cfg = config.nix-plugins;
 
   8     # Wrapper around nix to load extra-builtins.nix with nix-plugins.
 
   9     nix-with-extra-builtins = pkgs.writeShellScriptBin "nix-with-extra-builtins" ''
 
  11        --option plugin-files ${pkgs.nix-plugins}/lib/nix/plugins/libnix-extra-builtins.so \
 
  12        --option extra-builtins-file ${cfg.extra-builtins} \
 
  16     # Wrapper around pass to call it with exec in extra-builtins.nix.
 
  17     # Unfortunately it can only load secrets which can be represented as a Nix string,
 
  18     # hence without null-byte and such special characters.
 
  19     nix-pass = pkgs.writeShellScriptBin "nix-pass" ''
 
  22       trap "shred -u $f" EXIT
 
  23       # NOTE: using an envvar removes the trailing newline added by pass generate
 
  24       pass="$(${pkgs.pass}/bin/pass show "$1")"
 
  26       nix-instantiate --eval -E "builtins.readFile $f"
 
  33       ${pkgs.pass}/bin/pass show "$1" |
 
  34       ${pkgs.gnused}/bin/sed \
 
  35        -e 's:\n:\\n:g;s:\r:\\r:g;s:\t:\\t:g;s:":\\":g;1s:^:":;$s:$:":;'
 
  38     # Wrapper around pass to call it with exec in extra-builtins.nix and put the output in a file.
 
  39     # Needed for boot.initrd.network.ssh.host*Key.
 
  40     nix-pass-to-file = pkgs.writeShellScriptBin "nix-pass-to-file" ''
 
  43       ${pkgs.pass}/bin/pass show "$1" |
 
  44       install -D -m 400 /dev/stdin "$2"
 
  45       printf '%s\n' "$PWD/$2"
 
  48     # Wrapper around git to call it with exec in extra-builtins.nix.
 
  49     nix-git = pkgs.writeShellScriptBin "nix-git" ''
 
  51       ${pkgs.git}/bin/git "$@"
 
  55   options.nix-plugins = {
 
  56     enable = lib.mkEnableOption "nix-plugins";
 
  57     extra-builtins = lib.mkOption {
 
  60         pass         = path: exec [ "${nix-pass}/bin/nix-pass" path ];
 
  61         pass-to-file = path: file: exec [ "${nix-pass-to-file}/bin/nix-pass-to-file" path file ];
 
  62         git          = dir: args: exec ([ "${nix-git}/bin/nix-git" (builtins.toPath dir) ] ++ args);
 
  63         git-time     = dir: path: exec [ "${nix-git}/bin/nix-git" (builtins.toPath dir) "log" "-1" "--format=%ct" "--" path ];
 
  66         Content put in extra-builtins.nix for nix-plugins.
 
  68       apply = lines: pkgs.writeText "extra-builtins.nix" (''
 
  76   config = lib.mkIf cfg.enable {
 
  79       plugin-files        = ${pkgs.nix-plugins}/lib/nix/plugins/libnix-extra-builtins.so
 
  80       extra-builtins-file = ${cfg.extra-builtins}