]> Git — Sourcephile - sourcephile-nix.git/blob - shell/modules/development/libraries/nix-plugins.nix
Add given password for hosts/mermet/knot/sourcephile.fr/lebureau.conf to store.
[sourcephile-nix.git] / shell / modules / development / libraries / nix-plugins.nix
1 # Extend the Nix interpreter to enable builtins.extraBuiltins,
2 # which provides an unsafe exec.
3 # Useful to get secrets from a local password-store.
4 { config, lib, pkgs, ... }:
5 let
6 cfg = config.nix-plugins;
7 inherit (lib) types;
8
9 /*
10 # Wrapper around nix to load extra-builtins.nix with nix-plugins.
11 nix-with-extra-builtins = pkgs.writeShellScriptBin "nix-with-extra-builtins" ''
12 ${pkgs.nix}/bin/nix \
13 --option plugin-files ${pkgs.nix-plugins}/lib/nix/plugins/libnix-extra-builtins.so \
14 --option extra-builtins-file ${cfg.extra-builtins} \
15 "$@"
16 '';
17 */
18
19 # Wrapper around pass to call it with exec in extra-builtins.nix.
20 # Unfortunately it can only load secrets which can be represented as a Nix string,
21 # hence without null-byte and such special characters.
22 # FIXME: make a nix-pass-chomp
23 nix-pass = pkgs.writeShellScript "nix-pass" ''
24 set -e
25 f=$(mktemp)
26 trap "shred -u $f" EXIT
27 ${pkgs.pass}/bin/pass show "$1" >"$f"
28 nix-instantiate --eval -E "builtins.readFile $f"
29 '';
30 # Like nix-pass but remove the trailing spaces and newlines at the end of the content.
31 nix-pass-chomp = pkgs.writeShellScript "nix-pass-chomp" ''
32 set -e
33 f=$(mktemp)
34 trap "shred -u $f" EXIT
35 pass="$(${pkgs.pass}/bin/pass show "$1")"
36 printf %s "$pass" >"$f"
37 nix-instantiate --eval -E "builtins.readFile $f"
38 '';
39
40 # Wrapper around pass to call it with exec in extra-builtins.nix and put the output in a file.
41 # Needed for boot.initrd.network.ssh.host*Key.
42 nix-pass-to-file = pkgs.writeShellScript "nix-pass-to-file" ''
43 set -e
44 set -o pipefail
45 ${pkgs.pass}/bin/pass show "$1" |
46 install -D -m 400 /dev/stdin "$2"
47 printf '%s\n' "$2"
48 '';
49
50 # Wrapper around pass to call it with exec in extra-builtins.nix and put the output in a file.
51 # Needed for boot.initrd.network.ssh.host*Key.
52
53 # Wrapper around git to call it with exec in extra-builtins.nix.
54 nix-git = pkgs.writeShellScript "nix-git" ''
55 cd "$1"; shift
56 ${pkgs.git}/bin/git "$@"
57 '';
58 in
59 {
60 options.nix-plugins = {
61 enable = lib.mkEnableOption "nix-plugins";
62 extra-builtins = lib.mkOption {
63 type = types.lines;
64 default = ''
65 pass = path: exec [ "${nix-pass}" path ];
66 pass-chomp = path: exec [ "${nix-pass-chomp}" path ];
67 pass-to-file = path: name: exec [ "${nix-pass-to-file}" path name ];
68 git = dir: args: exec ([ "${nix-git}" dir ] ++ args);
69 git-time = dir: path: exec [ "${nix-git}" dir "log" "-1" "--format=%ct" "--" path ];
70 gpg = args: exec ([ "${pkgs.gnupg}/bin/gpg" ] ++ args);
71 '';
72 description = ''
73 Content put in extra-builtins.nix for nix-plugins.
74 '';
75 apply = lines: pkgs.writeText "extra-builtins.nix" (''
76 { exec, ... }:
77 {
78 '' + lines + ''
79 }
80 '');
81 };
82 };
83 config = lib.mkIf cfg.enable {
84 nix.enable = true;
85 nix.nixConf = ''
86 plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins/libnix-extra-builtins.so
87 extra-builtins-file = ${cfg.extra-builtins}
88 '';
89 };
90 }