-rw-r--r--modules/default.nix44
1 files changed, 25 insertions, 19 deletions
diff --git a/modules/default.nix b/modules/default.nix
index f187a8f..f50d0a2 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, lib, ... }:
+{ pkgs, config, lib, options, ... }:
with lib;
@@ -19,25 +19,25 @@ let
path = mkOption {
type = types.path;
readOnly = true;
- description = "Decrypted secret path. Read-only, for use in interpolations.";
+ description = mdDoc "Decrypted secret path. Read-only, for use in interpolations.";
};
owner = mkOption {
default = "root";
type = types.str;
- description = "Owner of decrypted secret.";
+ description = mdDoc "Owner of decrypted secret.";
};
group = mkOption {
default = "root";
type = types.str;
- description = "Group of decrypted secret.";
+ description = mdDoc "Group of decrypted secret.";
};
mode = mkOption {
default = "0400";
type = types.str;
- description = "Mode of decrypted secret, as in chmod.";
+ description = mdDoc "Mode of decrypted secret, as in chmod.";
};
};
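Review bot: `mode` (last option in the hunk) is still declared as `types.str`, so a malformed permission string is only caught when the decrypted secret is installed rather than at evaluation time; `type = types.strMatching "[0-7]{3,4}";` would reject it up front. How the value is consumed is outside this hunk, so if the installer deliberately forwards symbolic modes to `chmod`, keep `types.str` but say so in the description, since this option is what decides who can read the plaintext. The `owner` and `group` options are fine as free-form strings.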
@@ -78,7 +78,7 @@ in
options.seacrit = {
storePath = mkOption {
type = types.nullOr types.path;
- description = ''
+ description = mdDoc ''
Store path to pull secrets from during build. Must contain a secrets.nix file
describing all secrets.
'';
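Review bot: The `storePath` description (middle of the hunk) says where secrets are pulled from but not that a store path is readable by every local user and by anyone with access to a binary cache the system is pushed to, so a reader could take it as a place for plaintext. Suggest extending the `mdDoc` text with `Like any store path it is world-readable, so it must contain only encrypted secret files alongside the secrets.nix registry.` The mkOption closes outside the hunk, so whether a default is set is not visible here.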
@@ -87,47 +87,48 @@ in
hostID = mkOption {
type = types.str;
- description = "Identifier of this host in the registry.";
+ description = mdDoc "Identifier of this host in the registry.";
default = config.networking.hostName;
+ defaultText = literalExpression "config.networking.hostName";
};
registry = mkOption {
- type = types.submodule {
+ type = types.submodule (args: {
options = {
users = mkOption {
type = types.attrsOf types.str;
- description = "Users the secrets system knows about, and their public keys.";
+ description = mdDoc "Users the secrets system knows about, and their public keys.";
default = [];
};
hosts = mkOption {
type = types.attrsOf types.str;
- description = ''
+ description = mdDoc ''
Hosts the secrets system knows about, and their public keys. Keys are matched against
- <option>seacrit.hostID</option>.
+ {option}`${options.seacrit.hostID}`.
'';
default = [];
};
default = mkOption {
type = types.listOf types.str;
- description = "Keys with access to all secrets configured here.";
+ description = mdDoc "Keys with access to all secrets configured here.";
default = [];
};
secrets = mkOption {
type = types.attrsOf (types.listOf types.str);
- description = ''
+ description = mdDoc ''
Configured secrets, and the keys that can read them. Keys listed in
- <option>seacrit.registry.default</option> are added automatically.
+ {option}`${args.options.default}` are added automatically.
'';
default = {};
};
};
- };
+ });
readOnly = true;
- description = "Content of <literal>${storePath}/secrets.nix<literal>.";
- example = literalExample ''
+ description = mdDoc "Content of `\${${options.seacrit.storePath}}/secrets.nix`.";
+ example = literalExpression ''
rec {
users = {
deploy = "<one age public key>";
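Review bot: `users` and `hosts` in the registry submodule (middle of the hunk) declare `type = types.attrsOf types.str` but keep `default = [];`, so unless secrets.nix always populates both, a host that never defines them fails type checking on the default the moment the option is read; it should be `default = {};` in both places, matching `secrets` just below. Separately, the `registry` description builds the `seacrit.storePath` code span by hand via `\${${options.seacrit.storePath}}` while the other new descriptions use the `{option}` role with the interpolated path in a backtick span; using the same role here would render consistently in the manual. The `example` at the end of the hunk continues past it.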
@@ -157,12 +158,17 @@ in
(concatMap
(k: optional (elem k.type [ "ed25519" "rsa" ]) k.path)
config.services.openssh.hostKeys);
- description = "Paths to keys used for secret decryption. All age key types are supported.";
+ defaultText = literalMD ''
+ compatible keys from ${options.services.openssh.hostKeys} (ie ed25519 and rsa)
+ '';
+ description = mdDoc ''
+ Paths to keys used for secret decryption. All age key types are supported.
+ '';
};
secrets = mkOption {
type = types.attrsOf secret;
- description = "Configuration for individual secrets configured through the registry.";
+ description = mdDoc "Configuration for individual secrets configured through the registry.";
default = {};
};
};
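Review bot: The new `defaultText` at the top of the hunk interpolates `options.services.openssh.hostKeys` as bare prose inside `literalMD`, while the `hosts` and `secrets` descriptions in the previous hunk wrap option references in the `{option}` role with a backtick span; doing the same here (and writing `i.e.` rather than `ie`) keeps the manual output consistent. Because the default expression reuses the host's ed25519 and rsa OpenSSH host keys for decryption, the description would benefit from a sentence such as `By default the host's ed25519 and rsa OpenSSH host keys are used, so whoever can read those key files can decrypt every secret deployed to this host.` The mkOption whose default is shown here starts before the hunk, so its name is not visible.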