Mic92
diff --git a/‎modules/sops/manifest-for.nix‎
Lines changed: 1 addition & 0 deletions b/‎modules/sops/manifest-for.nix‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎modules/sops/templates/default.nix‎
Lines changed: 20 additions & 58 deletions b/‎modules/sops/templates/default.nix‎
Lines changed: 20 additions & 58 deletions
diff --git a/‎modules/sops/templates/subs.py‎
Lines changed: 0 additions & 26 deletions b/‎modules/sops/templates/subs.py‎
Lines changed: 0 additions & 26 deletions
@@ -16,6 +16,7 @@ writeTextFile {
     ageSshKeyPaths = cfg.age.sshKeyPaths;
     useTmpfs = cfg.useTmpfs;
     templates = cfg.templates;
+    placeholderBySecretName = cfg.placeholder;
     userMode = false;
     logging = {
       keyImport = builtins.elem "keyImport" cfg.log;
 
@@ -1,73 +1,54 @@
 { config, pkgs, lib, options, ... }:
-with lib;
-with lib.types;
-with builtins;
 let
-  cfg = config.sops;
-  secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;
+  inherit (lib)
+    mkOption
+    mkDefault
+    mapAttrs
+    types
+  ;
+
   users = config.users.users;
-  useSystemdActivation = (options.systemd ? sysusers && config.systemd.sysusers.enable) ||
-    (options.services ? userborn && config.services.userborn.enable);
-  renderScript = ''
-    echo Setting up sops templates...
-    ${concatMapStringsSep "\n" (name:
-      let
-        tpl = config.sops.templates.${name};
-        substitute = pkgs.writers.writePython3 "substitute" { }
-          (readFile ./subs.py);
-        subst-pairs = pkgs.writeText "pairs" (concatMapStringsSep "\n"
-          (name:
-            "${toString config.sops.placeholder.${name}} ${
-              config.sops.secrets.${name}.path
-            }") (attrNames config.sops.secrets));
-      in ''
-        mkdir -p "${dirOf tpl.path}"
-        (umask 077; ${substitute} ${tpl.file} ${subst-pairs} > ${tpl.path})
-        chmod "${tpl.mode}" "${tpl.path}"
-        chown "${tpl.owner}:${tpl.group}" "${tpl.path}"
-      '') (attrNames config.sops.templates)}
-  '';
 in {
   options.sops = {
     templates = mkOption {
       description = "Templates for secret files";
-      type = attrsOf (submodule ({ config, ... }: {
+      type = types.attrsOf (types.submodule ({ config, ... }: {
         options = {
           name = mkOption {
-            type = singleLineStr;
+            type = types.singleLineStr;
             default = config._module.args.name;
             description = ''
               Name of the file used in /run/secrets/rendered
             '';
           };
           path = mkOption {
             description = "Path where the rendered file will be placed";
-            type = singleLineStr;
+            type = types.singleLineStr;
             default = "/run/secrets/rendered/${config.name}";
           };
           content = mkOption {
-            type = lines;
+            type = types.lines;
             default = "";
             description = ''
               Content of the file
             '';
           };
           mode = mkOption {
-            type = singleLineStr;
+            type = types.singleLineStr;
             default = "0400";
             description = ''
               Permissions mode of the rendered secret file in octal.
             '';
           };
           owner = mkOption {
-            type = singleLineStr;
+            type = types.singleLineStr;
             default = "root";
             description = ''
               User of the file.
             '';
           };
           group = mkOption {
-            type = singleLineStr;
+            type = types.singleLineStr;
             default = users.${config.owner}.group;
             defaultText = lib.literalExpression ''config.users.users.''${cfg.owner}.group'';
             description = ''
@@ -88,40 +69,21 @@ in {
       default = { };
     };
     placeholder = mkOption {
-      type = attrsOf (mkOptionType {
+      type = types.attrsOf (types.mkOptionType {
         name = "coercibleToString";
         description = "value that can be coerced to string";
-        check = strings.isConvertibleWithToString;
-        merge = mergeEqualOption;
+        check = lib.strings.isConvertibleWithToString;
+        merge = lib.mergeEqualOption;
       });
       default = { };
       visible = false;
     };
   };
 
-  config = optionalAttrs (options ? sops.secrets)
-    (mkIf (config.sops.templates != { }) {
+  config = lib.optionalAttrs (options ? sops.secrets)
+    (lib.mkIf (config.sops.templates != { }) {
       sops.placeholder = mapAttrs
-        (name: _: mkDefault "<SOPS:${hashString "sha256" name}:PLACEHOLDER>")
+        (name: _: mkDefault "<SOPS:${builtins.hashString "sha256" name}:PLACEHOLDER>")
         config.sops.secrets;
-
-      systemd.services.sops-render-secrets = let
-        installServices = [ "sops-install-secrets.service" ] ++ optional (secretsForUsers != { }) "sops-install-secrets-for-users.service";
-      in lib.mkIf (cfg.templates != { } && useSystemdActivation) {
-        wantedBy = [  "sysinit.target" ];
-        requires = installServices;
-        after = installServices;
-        unitConfig.DefaultDependencies = "no";
-
-        script = renderScript;
-        serviceConfig = {
-          Type = "oneshot";
-          RemainAfterExit = true;
-        };
-      };
-
-      system.activationScripts.renderSecrets = mkIf (cfg.templates != { } && !useSystemdActivation)
-        (stringAfter ([ "setupSecrets" ] ++ optional (secretsForUsers != { }) "setupSecretsForUsers")
-          renderScript);
     });
 }