home: add home-manager specific secrets module
parent
5e7c2356fa
commit
44cbc123e6
|
@ -8,6 +8,7 @@
|
||||||
./jq.nix
|
./jq.nix
|
||||||
./packages.nix
|
./packages.nix
|
||||||
./pager.nix
|
./pager.nix
|
||||||
|
./secrets # Home-manager specific secrets
|
||||||
./tmux.nix
|
./tmux.nix
|
||||||
./zsh
|
./zsh
|
||||||
];
|
];
|
||||||
|
|
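--- a/home/secrets/.gitattributes
+++ b/home/secrets/.gitattributes
@@ -0,0 +1,3 @@
+* filter=git-crypt diff=git-crypt
+.gitattributes !filter !diff
+/default.nix !filter !diff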
BIN
home/secrets/canary
Normal file
BIN
home/secrets/canary
Normal file
Binary file not shown.
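--- a/home/secrets/default.nix
+++ b/home/secrets/default.nix
@@ -0,0 +1,19 @@
+{ lib, pkgs, ... }:
+
+with lib;
+let
+canaryHash = builtins.hashFile "sha256" ./canary;
+expectedHash =
+"9df8c065663197b5a1095122d48e140d3677d860343256abd5ab6e4fb4c696ab";
+in
+if canaryHash != expectedHash then
+abort "Secrets are not readable. Have you run `git-crypt unlock`?"
+else {
+options.my.secrets = mkOption {
+type = types.attrs;
+};
+
+config.my.secrets = {
+# Home-manager secrets go here
+};
+}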
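Review bot: The placeholder comment `# Home-manager secrets go here` inside `config.my.secrets` invites putting secret values into a file that the new `.gitattributes` explicitly exempts from git-crypt (`/default.nix !filter !diff`), so anything written there would be committed in cleartext. I would reword it to `# Do NOT put values here: this file is not encrypted. Import them from an encrypted sibling file.` and load the real values from a sibling file that the `*` filter rule still covers. Separately, values read at evaluation time can end up world-readable in the Nix store if they are interpolated into a derivation or a generated config file, which deserves a one-line caveat next to the option. The canary comparison only confirms that the checkout is unlocked; it does not guard against either case.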