default = "/var/secrets";
description = "Location where to put the keys";
};
+ # Read-only variables
+ fullPaths = lib.mkOption {
+ type = lib.types.attrsOf lib.types.path;
+ default = builtins.listToAttrs
+ (map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys);
+ readOnly = true;
+ description = "set of full paths to secrets";
+ };
};
+
config = let
location = config.secrets.location;
keys = config.secrets.keys;
fi
'';
};
- deployment.keys."secrets.tar" = {
+ system.extraDependencies = [ secrets ];
+ deployment.secrets."secrets.tar" = {
+ source = "${secrets}";
+ destination = "/run/keys/secrets.tar";
+ owner.user = "root";
+ owner.group = "root";
permissions = "0400";
- # keyFile below is not evaluated at build time by nixops, so the
- # `secrets` path doesn’t necessarily exist when uploading the
- # keys, and nixops is unhappy.
- user = "root${builtins.substring 10000 1 secrets}";
- group = "root";
- keyFile = "${secrets}";
};
};
}
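Review bot: `system.extraDependencies = [ secrets ];` on the new side pulls the `secrets` derivation into the system closure, so — if `secrets` is a store derivation whose output contains the key material, as the removed comment about the path "not necessarily existing when uploading" suggests — the tarball is also copied into `/nix/store` on the build host and the target, where store paths are world-readable, which undercuts the `0400` mode set on `/run/keys/secrets.tar` at `permissions = "0400";`. If that is the case, `source` should point at a path outside the store and the `extraDependencies` line should go; if `secrets` is built only from non-sensitive inputs, the line deserves a comment replacing the explanation the commit deleted, e.g. `# Build `secrets` with the system closure so its path exists when the deployment tool uploads it; this also places it in the target's /nix/store.`. The `deployment.secrets."secrets.tar"` attribute set is fully visible, but the definition of `secrets` itself is outside the hunk, so the store-path concern is inferred rather than confirmed.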