+++ /dev/null
-{ lib, pkgs, config, myconfig, mylibs, ... }:
-{
- options.mySecrets = {
- keys = lib.mkOption {
- type = lib.types.listOf lib.types.unspecified;
- default = {};
- description = "Keys to upload to server";
- };
- };
- config = let
- keys = config.mySecrets.keys;
- empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
- dumpKey = v: ''
- mkdir -p secrets/$(dirname ${v.dest})
- echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
- cat >> mods <<EOF
- ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
- EOF
- '';
- secrets = pkgs.runCommand "secrets.tar" {} ''
- touch mods
- tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
- ${builtins.concatStringsSep "\n" (map dumpKey keys)}
- cat mods | while read u g p k; do
- tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
- done
- '';
- in {
- system.activationScripts.secrets = {
- deps = [ "users" "wrappers" ];
- text = ''
- install -m0750 -o root -g keys -d /var/secrets
- if [ -f /run/keys/secrets.tar ]; then
- if [ ! -f /var/secrets/currentSecrets ] || ! sha512sum -c --status "/var/secrets/currentSecrets"; then
- echo "rebuilding secrets"
- rm -rf /var/secrets
- install -m0750 -o root -g keys -d /var/secrets
- ${pkgs.gnutar}/bin/tar --strip-components 1 -C /var/secrets -xf /run/keys/secrets.tar
- sha512sum /run/keys/secrets.tar > /var/secrets/currentSecrets
- find /var/secrets -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
- fi
- fi
- '';
- };
- deployment.keys."secrets.tar" = {
- permissions = "0400";
- # keyFile below is not evaluated at build time by nixops, so the
- # `secrets` path doesn’t necessarily exist when uploading the
- # keys, and nixops is unhappy.
- user = "root${builtins.substring 10000 1 secrets}";
- group = "root";
- keyFile = "${secrets}";
- };
- };
-}