default = "/var/secrets";
description = "Location where to put the keys";
};
+ # Read-only variables
+ fullPaths = lib.mkOption {
+ type = lib.types.attrsOf lib.types.path;
+ default = builtins.listToAttrs
+ (map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys);
+ readOnly = true;
+ description = "set of full paths to secrets";
+ };
};
+
config = let
location = config.secrets.location;
keys = config.secrets.keys;
empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
+ fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}";
dumpKey = v: ''
mkdir -p secrets/$(dirname ${v.dest})
- echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
+ echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v}
cat >> mods <<EOF
- ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
+ ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v}
EOF
'';
secrets = pkgs.runCommand "secrets.tar" {} ''
if [ -f /run/keys/secrets.tar ]; then
if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
echo "rebuilding secrets"
- rm -rf ${location}
- install -m0750 -o root -g keys -d ${location}
- ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
- sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
- find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ TMP=$(${pkgs.coreutils}/bin/mktemp -d)
+ if [ -n "$TMP" ]; then
+ install -m0750 -o root -g keys -d $TMP
+ ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -xf /run/keys/secrets.tar
+ if [ -f /run/keys/vars.yml ]; then
+ find $TMP -name "*.gucci.tpl" -exec \
+ /bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f /run/keys/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \;
+ sha512sum /run/keys/secrets.tar /run/keys/vars.yml > $TMP/currentSecrets
+ else
+ sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
+ fi
+ find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ ${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location}
+ rm -rf $TMP
+ fi
fi
fi
'';
};
- deployment.keys."secrets.tar" = {
+
+ system.extraDependencies = [ secrets ];
+ deployment.secrets."secret_vars.yml" = {
+ source = builtins.toString <privateFiles/vars.yml>;
+ destination = "/run/keys/vars.yml";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ };
+ deployment.secrets."secrets.tar" = {
+ source = "${secrets}";
+ destination = "/run/keys/secrets.tar";
+ owner.user = "root";
+ owner.group = "root";
permissions = "0400";
- # keyFile below is not evaluated at build time by nixops, so the
- # `secrets` path doesn’t necessarily exist when uploading the
- # keys, and nixops is unhappy.
- user = "root${builtins.substring 10000 1 secrets}";
- group = "root";
- keyFile = "${secrets}";
};
};
}
projects / perso / Immae / Config / Nix.git / blobdiff