{"id":27958440,"url":"https://github.com/determinatesystems/nix-policy","last_synced_at":"2025-05-07T18:24:02.779Z","repository":{"id":157230523,"uuid":"621314732","full_name":"DeterminateSystems/nix-policy","owner":"DeterminateSystems","description":"Experiments with Nix and Open Policy Agent","archived":false,"fork":false,"pushed_at":"2024-11-06T18:15:21.000Z","size":204,"stargazers_count":27,"open_issues_count":1,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-11-06T19:26:24.219Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DeterminateSystems.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-30T12:19:49.000Z","updated_at":"2024-07-26T09:33:19.000Z","dependencies_parsed_at":"2024-11-06T19:23:08.660Z","dependency_job_id":"688965d4-a96d-4a2b-bdab-760e091d33c4","html_url":"https://github.com/DeterminateSystems/nix-policy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeterminateSystems%2Fnix-policy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeterminateSystems%2Fnix-policy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeterminateSystems%2Fnix-policy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeterminateSystems%2Fnix-policy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/owners/DeterminateSystems","download_url":"https://codeload.github.com/DeterminateSystems/nix-policy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252932399,"owners_count":21827291,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-05-07T18:24:02.112Z","updated_at":"2025-05-07T18:24:02.769Z","avatar_url":"https://github.com/DeterminateSystems.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Policy-driven Nix\n\n\u003e [!INFO]\n\u003e This repo was created as a complement to the [Packaging Open Policy Agent policies with Nix][blog-post] blog post on the [Determinate Systems blog][blog] and fulfilled its purpose.\n\u003e It won't be updated further but you're free to use it [as you see fit](./LICENSE)!\n\nAn experiment using [Nix] with [Open Policy Agent][opa] (OPA).\n\n## How it works\n\nThis project uses [Nix] to create CLI tools that wrap [Rego] policies for [Open Policy Agent][opa]:\n\n- The OPA CLI tool generates a [WebAssembly] (Wasm) binary for the specified Rego policy file and [entrypoint][bundle]\n- A [Rust CLI](./eval) wraps the generated Wasm and provides the final user interface.\n  That CLI is itself a thin wrapper around the [`rust-opa-wasm`][lib] library from the good folks at [Matrix].\n\nYou can run the default example for the [`rbac.rego`](./examples/rbac.rego):\n\n```shell\n# Generate a Wasm binary from an OPA policy\nnix build --print-build-logs\n\n./result/bin/rbac-eval \\\n  --input '{\"password\":\"opensesame\"}' \\\n  
--data '{\"expected\":\"opensesame\"}'\n# [{\"result\":true}]\n\n./result/bin/rbac-eval \\\n  --input '{\"password\":\"somethingelse\"}' \\\n  --data '{\"expected\":\"opensesame\"}'\n# [{\"result\":false}]\n```\n\nThat CLI wraps this policy:\n\n```rego\npackage rbac\n\ndefault allow := false\n\nallow = true {\n    expected := data.expected\n    password := input.password\n    password == expected\n}\n```\n\nThe magic here is that the generated CLI automatically reads from the Rego-policy-turned-into-Wasm stored in the Nix store, which means that you don't need to specify an entrypoint or a path to the Wasm file on the CLI; that's handled at the Nix level.\n\n## Create your own evaluator\n\nYou can create your own using the [`mkPolicyEvaluator`](./nix/evaluator.nix) function provided by this flake.\nHere's an example:\n\n```nix\nmkPolicyEvaluator {\n  name = \"evaluate-tf-state\"; # The name of the CLI\n  src = ./.; # The local workspace\n  policy = ./policies/terraform.rego; # The Rego policy that the CLI wraps\n  entrypoint = \"terraform/allow\"; # The entrypoint for evaluation\n}\n```\n\nHere's that function used in the context of a full flake:\n\n```nix\n{\n  inputs = {\n    nixpkgs.url = \"github:NixOS/nixpkgs\";\n    nix-policy.url = \"github:DeterminateSystems/nix-policy\";\n  };\n\n  # Both inputs must be bound here: nixpkgs is used below and nix-policy supplies the overlay\n  outputs = { self, nixpkgs, nix-policy }:\n    let\n      systems = [\n        \"aarch64-linux\"\n        \"x86_64-linux\"\n        \"aarch64-darwin\"\n        \"x86_64-darwin\"\n      ];\n      forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f {\n        pkgs = import nixpkgs { inherit system; overlays = [ nix-policy.overlays.opa-wasm ]; };\n      });\n    in\n    {\n      packages = forAllSystems ({ pkgs }: {\n        default = pkgs.mkPolicyEvaluator {\n          name = \"evaluate-tf-state\";\n          src = ./.;\n          policy = ./policies/terraform.rego;\n          entrypoint = \"terraform/allow\";\n        };\n      });\n    };\n}\n```\n\nThen you can build and 
run:\n\n```shell\nnix build\n\n./result/bin/evaluate-tf-state \\\n  --input-path terraform.tfstate \\\n  --data-path policy-data.json\n```\n\n[blog]: https://determinate.systems/posts\n[blog-post]: https://determinate.systems/posts/open-policy-agent\n[bundle]: https://www.openpolicyagent.org/docs/latest/management-bundles/#bundle-file-format\n[lib]: https://github.com/matrix-org/rust-opa-wasm\n[matrix]: https://github.com/matrix-org\n[nix]: https://zero-to-nix.com\n[opa]: https://open-policy-agent.org\n[rego]: https://www.openpolicyagent.org/docs/latest/policy-language\n[webassembly]: https://webassembly.org\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeterminatesystems%2Fnix-policy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdeterminatesystems%2Fnix-policy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeterminatesystems%2Fnix-policy/lists"}