-rw-r--r-- | modules/default.nix | 44 |
1 files changed, 25 insertions, 19 deletions
diff --git a/modules/default.nix b/modules/default.nix
index f187a8f..f50d0a2 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, lib, ... }:
+{ pkgs, config, lib, options, ... }:
 with lib;
@@ -19,25 +19,25 @@ let
 path = mkOption {
 type = types.path;
 readOnly = true;
- description = "Decrypted secret path. Read-only, for use in interpolations.";
+ description = mdDoc "Decrypted secret path. Read-only, for use in interpolations.";
 };
 owner = mkOption {
 default = "root";
 type = types.str;
- description = "Owner of decrypted secret.";
+ description = mdDoc "Owner of decrypted secret.";
 };
 group = mkOption {
 default = "root";
 type = types.str;
- description = "Group of decrypted secret.";
+ description = mdDoc "Group of decrypted secret.";
 };
 mode = mkOption {
 default = "0400";
 type = types.str;
- description = "Mode of decrypted secret, as in chmod.";
+ description = mdDoc "Mode of decrypted secret, as in chmod.";
 };
 };
@@ -78,7 +78,7 @@ in
 options.seacrit = {
 storePath = mkOption {
 type = types.nullOr types.path;
- description = ''
+ description = mdDoc ''
 Store path to pull secrets from during build.
 Must contain a secrets.nix file describing all secrets.
 '';
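Review bot: The `mode` option in the second hunk is typed `types.str`, so a malformed mode string is only rejected when the decrypted secret is written at activation, not when the configuration is evaluated; because this value decides who can read a decrypted secret, a narrower type such as `type = types.strMatching "[0-7]{3,4}";` would catch the mistake at `nixos-rebuild` time. This is pre-existing and the commit only rewraps the description, so it can be a follow-up rather than part of this change. The `let` binding that declares this secret submodule begins outside the hunk.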
@@ -87,47 +87,48 @@ in
 hostID = mkOption {
 type = types.str;
- description = "Identifier of this host in the registry.";
+ description = mdDoc "Identifier of this host in the registry.";
 default = config.networking.hostName;
+ defaultText = literalExpression "config.networking.hostName";
 };
 registry = mkOption {
- type = types.submodule {
+ type = types.submodule (args: {
 options = {
 users = mkOption {
 type = types.attrsOf types.str;
- description = "Users the secrets system knows about, and their public keys.";
+ description = mdDoc "Users the secrets system knows about, and their public keys.";
 default = [];
 };
 hosts = mkOption {
 type = types.attrsOf types.str;
- description = ''
+ description = mdDoc ''
 Hosts the secrets system knows about, and their public keys. Keys are matched against
- <option>seacrit.hostID</option>.
+ {option}`${options.seacrit.hostID}`.
 '';
 default = [];
 };
 default = mkOption {
 type = types.listOf types.str;
- description = "Keys with access to all secrets configured here.";
+ description = mdDoc "Keys with access to all secrets configured here.";
 default = [];
 };
 secrets = mkOption {
 type = types.attrsOf (types.listOf types.str);
- description = ''
+ description = mdDoc ''
 Configured secrets, and the keys that can read them. Keys listed in
- <option>seacrit.registry.default</option> are added automatically.
+ {option}`${args.options.default}` are added automatically.
 '';
 default = {};
 };
 };
- };
+ });
 readOnly = true;
- description = "Content of <literal>${storePath}/secrets.nix<literal>.";
- example = literalExample ''
+ description = mdDoc "Content of `\${${options.seacrit.storePath}}/secrets.nix`.";
+ example = literalExpression ''
 rec {
 users = {
 deploy = "<one age public key>";
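Review bot: `users` and `hosts` in this hunk are declared `types.attrsOf types.str` but carry `default = []`, a list; when either is left unset the module system type-checks that default on evaluation of `seacrit.registry` and fails with a "not of type attribute set of string" error, so while touching these declarations both should become `default = {};`, as the sibling `secrets` option already does. The commit's own change — rendering the cross references as `{option}\`${options.seacrit.hostID}\`` and `{option}\`${args.options.default}\`` — relies on option declarations stringifying to their option path, which the module system supports, and the submodule's `args.options.default` should render with the full `seacrit.registry.default` prefix; worth confirming in the generated manual. The `options.seacrit` attrset enclosing these declarations starts outside the hunk.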
@@ -157,12 +158,17 @@ in
 (concatMap (k: optional (elem k.type [ "ed25519" "rsa" ]) k.path) config.services.openssh.hostKeys);
- description = "Paths to keys used for secret decryption. All age key types are supported.";
+ defaultText = literalMD ''
+ compatible keys from ${options.services.openssh.hostKeys} (ie ed25519 and rsa)
+ '';
+ description = mdDoc ''
+ Paths to keys used for secret decryption. All age key types are supported.
+ '';
 };
 secrets = mkOption {
 type = types.attrsOf secret;
- description = "Configuration for individual secrets configured through the registry.";
+ description = mdDoc "Configuration for individual secrets configured through the registry.";
 default = {};
 };
 }; |
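Review bot: The new `defaultText` interpolates `${options.services.openssh.hostKeys}` bare, whereas every other cross reference in this commit is wrapped as `{option}\`…\``; inside `literalMD` it should read `compatible keys from {option}\`${options.services.openssh.hostKeys}\` (i.e. ed25519 and rsa)` so it renders as an option link, and "ie" reads better as "i.e.". The description would also benefit from stating what this default means operationally: the host's own SSH private keys double as the age decryption identities, so rotating or removing an ed25519/rsa host key removes the ability to decrypt secrets addressed to it; a sentence such as `By default the host's ed25519 and rsa SSH host keys are used, so they should be kept stable and their public halves are what the registry needs for this host.` would make that explicit (the registry relationship is inferred from the other hunks and worth confirming). The `keys = mkOption { … }` declaration this hunk edits begins outside the hunk.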