Secrets... abstractions

config/modules/meta/deploy.nix

@@ -22,6 +22,7 @@ let
     modules = [
       tfModule
       "${toString sources.tf-nix}/modules"
+      ./secrets.nix
     ];
   };
 in {

config/modules/meta/secrets.nix

@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  options = let tf = config; in {
+    variables = mkOption {
+      type = types.attrsOf (types.submodule ({ name, config, ... }: {
+        options.externalSecret = mkEnableOption "Is ths secret to be templated into a command provided?";
+        config = mkIf config.externalSecret {
+          type = "string";
+          value.shellCommand = "${tf.commandPrefix} ${escapeShellArg name}";
+        };
+      }));
+    };
+    commandPrefix = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+    };
+  };
+}

config/modules/nixos/default.nix

@@ -8,6 +8,7 @@
     ./dns.nix
     ./dyndns.nix
     ./yggdrasil.nix
+    ./secrets.nix
     (sources.tf-nix + "/modules/nixos/secrets.nix")
     (sources.tf-nix + "/modules/nixos/secrets-users.nix")
     (sources.hexchen + "/modules/network/yggdrasil")

config/modules/nixos/secrets.nix

@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  options.kw = {
+    secrets = mkOption {
+      type = types.nullOr (types.listOf types.str);
+      default = null;
+    };
+  };
+  config = mkIf (config.kw.secrets != null) {
+    deploy.tf.variables = genAttrs config.kw.secrets (n: { externalSecret = true; });
+  };
+}