secrets: expose generateSecretsScript

erikarvstedt · erikarvstedt · commit d538ea3893c0 · 2023-07-15T18:30:29.000+02:00
This is particularly helpful for Flake users.

Contents in `secretsScriptLib` are reused by the next commit.
diff --git a/helper/makeShell.nix b/helper/makeShell.nix
@@ -85,7 +85,7 @@ pkgs.stdenv.mkDerivation {
         config="${cfgDir}/configuration.nix"
       fi
       genSecrets=$(nix-build --no-out-link -I nixos-config="$config" \
-                   '<nixpkgs/nixos>' -A config.nix-bitcoin.generateSecretsScript)
+                   '<nixpkgs/nixos>' -A config.nix-bitcoin.generateSecretsScriptImpl)
       mkdir -p "${cfgDir}/secrets"
       (cd "${cfgDir}/secrets"; $genSecrets)
     )}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
@@ -71,6 +71,67 @@ let
     };
 
     generateSecretsScript = mkOption {
+      readOnly = true;
+
+      description = mdDoc cfg.secretsScriptLib.scriptHelp;
+
+      default = pkgs.writers.writeBashBin "generate-secrets" ''
+        ${cfg.secretsScriptLib.gotoDestDir}
+        ${cfg.generateSecretsScriptImpl}
+      '';
+      defaultText = "(See source)";
+    };
+
+    # Snippets for assembling generate secrets scripts
+    secretsScriptLib = mkOption {
+      internal = true;
+      readOnly = true;
+      default = {
+        scriptHelp = ''
+          Script to generate secrets.
+
+          Usage:
+            generate-secrets
+
+              Writes secrets to ./secrets, if dir ./.git exists.
+              Writes secrets to the working directory, otherwise.
+
+            generate-secrets <destdir>
+
+              Writes secrets to <destdir>
+        '';
+        gotoDestDir = ''
+          set -euo pipefail
+
+          case ''${1:-} in
+            -h|--help)
+              echo '${cfg.secretsScriptLib.scriptHelp}'
+              exit 0
+              ;;
+          esac
+
+          destDir=''${1:-}
+
+          if [[ ! $destDir ]]; then
+            if [[ -d .git ]]; then
+              destDir=./secrets
+            else
+              destDir=.
+            fi
+          fi
+
+          echo "Writing secrets to $destDir" >&2
+
+          if [[ $destDir != . ]]; then
+            ${pkgs.coreutils}/bin/mkdir -p "$destDir"
+            cd "$destDir"
+          fi
+        '';
+      };
+    };
+
+    # Writes secrets to PWD
+    generateSecretsScriptImpl = mkOption {
       internal = true;
       default = let
         rpcauthSrc = pkgs.fetchurl {
@@ -182,7 +243,7 @@ in {
           cd "${cfg.secretsDir}"
           chown root: .
           chmod 0700 .
-          ${cfg.generateSecretsScript}
+          ${cfg.generateSecretsScriptImpl}
         ''}
 
         setupSecret() {
