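# NixOS module: declarative host-local secrets.
#
# Each entry of `secrets.<name>` describes one secret. The whole `secrets`
# attrset is serialised to JSON, placed in the Nix store and handed to
# `fleet-install-secrets` at activation time, which is expected to decrypt
# the `secret` field and materialise it at `path` with the given
# owner/group/mode.
#
# SECURITY: everything under `secrets` -- `public`, `secret`, `mode`,
# `owner`, `group`, `path` -- ends up in the world-readable Nix store via
# `secretsFile`. `secret` must therefore always hold ciphertext, never a
# plaintext value; confidentiality comes from the encryption, not from
# store permissions.
{ lib, config, pkgs, ... }:
let
  inherit (lib) mkOption mkOptionDefault types;

  # The submodule below rebinds `config` to the per-secret config; keep a
  # handle on the system-level config so `group` can default from
  # `users.users`.
  sysConfig = config;

  secretType = types.submodule ({ config, ... }: {
    config = {
      # A `readOnly` option may still carry a default: mkOptionDefault is the
      # single (lowest-priority) definition, so the read-only check passes.
      # `_module.args.name` is the attribute name under `secrets`.
      path = mkOptionDefault "/run/secrets/${config._module.args.name}";
    };
    options = {
      public = mkOption {
        type = types.nullOr types.str;
        description = "Secret public data";
        default = null;
      };
      # Required (no default): a secret without ciphertext fails to evaluate.
      secret = mkOption {
        type = types.str;
        description = "Encrypted secret data";
      };
      # NOTE(review): only validated as "a string". If fleet-install-secrets
      # accepts octal modes only, `types.strMatching "[0-7]{3,4}"` would
      # catch typos at eval time -- confirm against the installer first.
      mode = mkOption {
        type = types.str;
        description = "Secret mode";
        default = "0440";
      };
      owner = mkOption {
        type = types.str;
        description = "Owner of the secret";
        default = "root";
      };
      group = mkOption {
        type = types.str;
        description = "Group of the secret";
        # Deliberately fails evaluation when `owner` is not a declared user:
        # a typo in `owner` should surface at build time, not at activation.
        default = sysConfig.users.users.${config.owner}.group;
      };
      path = mkOption {
        type = types.str;
        readOnly = true;
        description = "Path to the decrypted secret";
      };
    };
  });

  # World-readable store path -- see the SECURITY note at the top.
  secretsFile = pkgs.writeTextFile {
    name = "secrets.json";
    text = builtins.toJSON config.secrets;
  };
in
{
  options = {
    secrets = mkOption {
      type = types.attrsOf secretType;
      default = { };
      description = "Host-local secrets";
    };
  };

  config = {
    # Order this script explicitly: without `deps` its position in the
    # activation sequence is unspecified. It needs /run mounted
    # ("specialfs") and every `owner`/`group` referenced above to exist
    # ("users", "groups"), since the installer presumably chowns the
    # decrypted files -- which cannot work for users created by this same
    # activation run.
    system.activationScripts.decryptSecrets = {
      deps = [ "specialfs" "users" "groups" ];
      text = ''
        1>&2 echo "setting up secrets"
        ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets ${secretsFile}
      '';
    };
  };
}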