From aecc7fa78dfef26cf93e25cd6d7bbd097fd4539b Mon Sep 17 00:00:00 2001
From: kat witch
Date: Sun, 8 Aug 2021 19:33:21 +0100
Subject: [PATCH] Secrets... abstractions

---
 config/modules/meta/deploy.nix | 1 +
 config/modules/meta/secrets.nix | 21 +++++++++++++++++++++
 config/modules/nixos/default.nix | 1 +
 config/modules/nixos/secrets.nix | 15 +++++++++++++++
 config/targets/common/default.nix | 2 ++
 5 files changed, 40 insertions(+)
 create mode 100644 config/modules/meta/secrets.nix
 create mode 100644 config/modules/nixos/secrets.nix

diff --git a/config/modules/meta/deploy.nix b/config/modules/meta/deploy.nix
index c49b59ae..bc53d5ec 100644
--- a/config/modules/meta/deploy.nix
+++ b/config/modules/meta/deploy.nix
@@ -22,6 +22,7 @@ let
 modules = [
 tfModule
 "${toString sources.tf-nix}/modules"
+ ./secrets.nix
 ];
 };
 in {
diff --git a/config/modules/meta/secrets.nix b/config/modules/meta/secrets.nix
new file mode 100644
index 00000000..edcfac2d
--- /dev/null
+++ b/config/modules/meta/secrets.nix
@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+ options = let tf = config; in {
+ variables = mkOption {
+ type = types.attrsOf (types.submodule ({ name, config, ... }: {
+ options.externalSecret = mkEnableOption "Is ths secret to be templated into a command provided?";
+ config = mkIf config.externalSecret {
+ type = "string";
+ value.shellCommand = "${tf.commandPrefix} ${escapeShellArg name}";
+ };
+ }));
+ };
+ commandPrefix = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+ };
+}
diff --git a/config/modules/nixos/default.nix b/config/modules/nixos/default.nix
index 603b387c..64799cab 100644
--- a/config/modules/nixos/default.nix
+++ b/config/modules/nixos/default.nix
@@ -8,6 +8,7 @@
 ./dns.nix
 ./dyndns.nix
 ./yggdrasil.nix
+ ./secrets.nix
 (sources.tf-nix + "/modules/nixos/secrets.nix")
 (sources.tf-nix + "/modules/nixos/secrets-users.nix")
 (sources.hexchen + "/modules/network/yggdrasil")
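Review bot: In the new config/modules/meta/secrets.nix, `value.shellCommand` interpolates `tf.commandPrefix` although that option is `types.nullOr types.str` with `default = null`, so a variable marked `externalSecret = true` on a target that never sets `commandPrefix` fails once the value is forced with a generic null-to-string coercion error instead of naming the missing option. Either drop the null default (`type = types.str;` with no `default`, so the module system reports the unset option) or add an assertion whose message names `commandPrefix`, so the failure is self-explanatory. Note that `commandPrefix` is spliced in unescaped while `name` goes through `escapeShellArg`; that is fine for a command word, but the option should say so, e.g. `description = "Command the shell runs to resolve an externalSecret variable; the variable name is appended as a single escaped argument.";`. `mkEnableOption` prefixes its text with "Whether to enable", so `"Is ths secret to be templated into a command provided?"` reads as a broken sentence with a typo; `mkEnableOption "resolving this variable's value by running commandPrefix with the variable name"` follows the convention.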
diff --git a/config/modules/nixos/secrets.nix b/config/modules/nixos/secrets.nix
new file mode 100644
index 00000000..ea13d16c
--- /dev/null
+++ b/config/modules/nixos/secrets.nix
@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+ options.kw = {
+ secrets = mkOption {
+ type = types.nullOr (types.listOf types.str);
+ default = null;
+ };
+ };
+ config = mkIf (config.kw.secrets != null) {
+ deploy.tf.variables = genAttrs config.kw.secrets (n: { externalSecret = true; });
+ };
+}
diff --git a/config/targets/common/default.nix b/config/targets/common/default.nix
index 14dc48c0..d85ea39d 100644
--- a/config/targets/common/default.nix
+++ b/config/targets/common/default.nix
@@ -1,6 +1,8 @@
 { config, ... }: {
+ commandPrefix = "pass";
+
 variables.hcloud_token = {
 type = "string";
 value.shellCommand = "bitw get infra/hcloud_token";
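Review bot: `kw.secrets` in the new config/modules/nixos/secrets.nix is declared as `nullOr (listOf str)` with `default = null`, which is what forces the `mkIf (config.kw.secrets != null)` guard; declaring it as `type = types.listOf types.str; default = [];` lets `genAttrs` produce `{}` for the empty case and the guard and the null sentinel both disappear. The lambda parameter `n` is unused, so `(_: { externalSecret = true; })` makes the intent clearer. The option has no `description`; it appears to be the list of `deploy.tf.variables` names whose values this host expects to be resolved through the deploy-side `commandPrefix`, and stating that (after confirming it against the meta module) is what a reader of this file needs.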