Add home manager support (#10)

* Add home-manager module
* Update readme

Author: pinpox

README.md

@@ -259,6 +259,31 @@ ssh.
 See [module](https://github.com/pinpox/lollypops/blob/main/module.nix) for a
 full list of options with defaults and example values.
 
+#### Home-manager secrets
+
+If you are using home-manager, you may want to use secrets in your home
+configuration as well. For this, lollypops provides a separate home-manager
+module that can be imported to enable support for user-specific secrets.
+
+In your home-manager configuration import the `hmModule` provided by the flake:
+
+```nix
+imports = [
+	lollypops.hmModule
+];
+```
+
+This allows specifying secrets in the same way as the system-wide secrets. For
+user-specific secrets lollypops defaults to `$HOME/lollypops-secrets` for it's
+location and sets the ownership to the user instead of root.
+
+```
+  lollypops.secrets = {
+    cmd-name-prefix = "nixos-secrets/users/pinpox/";
+    files."usertest" = { };
+  };
+```
+
 ### Debugging
 
 lollypops hides the executed commands in the default output. To enable full

flake.nix

@@ -11,6 +11,9 @@
     {
       nixosModules.lollypops = import ./module.nix;
       nixosModules.default = self.nixosModules.lollypops;
+
+      hmModule = import ./hm-module.nix;
+
     } //
 
     # TODO test/add other plattforms
@@ -20,10 +23,38 @@
         let
           pkgs = nixpkgs.legacyPackages.${system};
         in
-        rec {
+        {
           # Allow custom packages to be run using `nix run`
           apps =
             let
+
+              # Build steps for all secrets of all users
+              mkSeclistUser = homeUsers: pkgs.lib.lists.flatten (builtins.attrValues (builtins.mapAttrs
+                (user: userconfig: [
+                  # Deploy secrets for user 'user'
+                  (builtins.attrValues (builtins.mapAttrs
+                    (secretName: secretConfig: [
+                      # Deloy secret 'secretName' of user 'user'
+                      "echo 'Deploying ${secretName} (from user ${user}) to ${pkgs.lib.escapeShellArg secretConfig.path}'"
+
+                      # Create parent directory if it does not exist
+                      ''
+                        set -o pipefail -e; ssh {{.REMOTE_USER}}@{{.REMOTE_HOST}} 'umask 077; sudo -u ${user} mkdir -p "$(dirname ${pkgs.lib.escapeShellArg secretConfig.path})"'
+                      ''
+                      # Copy file
+                      ''
+                        set -o pipefail -e; ${secretConfig.cmd} | ssh {{.REMOTE_USER}}@{{.REMOTE_HOST}} "umask 077; cat > ${pkgs.lib.escapeShellArg secretConfig.path}"
+                      ''
+                      # # Set group and owner
+                      ''
+                        set -o pipefail -e; ssh {{.REMOTE_USER}}@{{.REMOTE_HOST}} "chown ${secretConfig.owner}:${secretConfig.group-name} ${pkgs.lib.escapeShellArg secretConfig.path}"
+                      ''
+                    ])
+                    userconfig.lollypops.secrets.files))
+
+                ])
+                homeUsers));
+
               mkSeclist = config: pkgs.lib.lists.flatten (map
                 (x: [
                   "echo 'Deploying ${x.name} to ${pkgs.lib.escapeShellArg x.path}'"
@@ -76,8 +107,9 @@
 
                           cmds = [
                             ''echo "Deploying secrets to: {{.HOSTNAME}}"''
-                          ] ++ mkSeclist hostConfig.config;
-
+                          ]
+                          ++ mkSeclist hostConfig.config
+                          ++ mkSeclistUser hostConfig.config.home-manager.users;
                         };
 
                         rebuild = {

hm-module.nix

@@ -0,0 +1,91 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.lollypops;
+
+  secret-file = types.submodule ({ config, ... }: {
+    options = {
+
+      name = mkOption {
+        type = types.str;
+        default = config._module.args.name;
+        description = "Name of the secret";
+        defaultText = "<name>";
+      };
+
+      cmd = mkOption {
+        type = types.str;
+        default = "${cfg.secrets.default-cmd} ${cfg.secrets.cmd-name-prefix}${config.name}";
+        description = "Command to print the secret. E.g. `cat mysecretfile`";
+        defaultText = "<default-cmd> <cmd-name-prefix><name>";
+      };
+
+      path = mkOption {
+        type = types.str;
+        default = "${cfg.secrets.default-dir}/${config.name}";
+        description = "Path to place the secret file";
+        defaultText = "<default-dir>/<name>";
+      };
+
+      mode = mkOption {
+        type = types.str;
+        default = "0400";
+        description = "Unix permission";
+      };
+
+      owner = mkOption {
+        type = types.str;
+        default = "${cfg.secrets.default-user}";
+        description = "Owner of the secret file";
+      };
+
+      group-name = mkOption {
+        type = types.str;
+        default = "users";
+        description = "Group of the secret file";
+      };
+    };
+  });
+in
+{
+
+  options.lollypops = {
+
+    secrets = {
+
+      default-cmd = mkOption {
+        type = types.str;
+        default = "${pkgs.pass}/bin/pass";
+        description = "Default command to retrieve passwords. Will be passed the name as parameter";
+        defaultText = "\${pkgs.pass}/bin/pass";
+      };
+
+      cmd-name-prefix = mkOption {
+        type = types.str;
+        default = "";
+        description = "Prefix to prepend to all name when passing to the cmd";
+      };
+
+      default-dir = mkOption {
+        type = types.str;
+        default = "${config.home.homeDirectory}/lollypops-secrets";
+        description = "Path to place the secrets on the remote host if no alternative is specified";
+      };
+
+      default-user = mkOption {
+        type = types.str;
+        default = config.home.username;
+        visible = false;
+        readOnly = true;
+      };
+
+      files = mkOption {
+        type = with types; attrsOf secret-file;
+        default = { };
+        description = "Attribute set specifying secrets to be deployed";
+      };
+    };
+  };
+
+  # config = { };
+}