From: Ismaël Bouya
Date: Wed, 24 Apr 2019 23:35:25 +0000 (+0200)
Subject: Start building a secrets.tar to reduce upload time for nixops
X-Git-Tag: nur_publish~116
X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=44742a43dac86a79274486a9b73a349c5d4ec631;hp=78e25e2ac542eceb33aa0d292397d5236dbb9df8;p=perso%2FImmae%2FConfig%2FNix.git

Start building a secrets.tar to reduce upload time for nixops
---
diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix
index 5e0227d..a85b9de 100644
--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -43,6 +43,7 @@
 ./modules/irc
 ./modules/buildbot
 ./modules/dns
+ ./modules/secrets
 ];
 services.myGitolite.enable = true;
 services.myDatabases.enable = true;
diff --git a/nixops/modules/secrets/default.nix b/nixops/modules/secrets/default.nix
new file mode 100644
index 0000000..7096e48
--- /dev/null
+++ b/nixops/modules/secrets/default.nix
@@ -0,0 +1,68 @@ +{ lib, pkgs, config, myconfig, mylibs, ... }: +{ + options.mySecrets = { + keys = lib.mkOption { + type = lib.types.listOf lib.types.unspecified; + default = {}; + description = "Keys to upload to server"; + }; + }; + config = let + oldkeys = lib.attrsets.filterAttrs (n: v: n != "secrets.tar") config.deployment.keys; + keys = config.mySecrets.keys; + empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; + dumpOldKey = k: v: let + dest = if v.destDir == "/run/keys" + then k + else (builtins.replaceStrings ["/run/keys/"] [""] v.destDir) + "/" + k; + in '' + mkdir -p secrets/$(dirname ${dest}) + echo -n ${lib.strings.escapeShellArg v.text} > secrets/${dest} + cat >> mods < secrets/${v.dest} + cat >> mods < /var/secrets/currentSecrets + find /var/secrets -type d -exec chown root:keys {} \; -exec chmod o-rx {} \; + fi + fi + ''; + }; + deployment.keys."secrets.tar" = { + permissions = "0400"; + # keyFile below is not evaluated at build time by nixops, so the + # `secrets` path doesn’t necessarily exist when uploading the + # keys, and nixops is unhappy. + user = "root${builtins.substring 10000 1 secrets}"; + group = "root"; + keyFile = "${secrets}"; + }; + }; +}
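Review bot: If `secrets` is a store derivation, as `keyFile = "${secrets}"` and the `builtins.substring 10000 1 secrets` dependency trick suggest, then `dumpOldKey` writing each key with `echo -n ${lib.strings.escapeShellArg v.text} > secrets/${dest}` puts the plaintext of every key into the world-readable Nix store (and into any binary cache the build is pushed to), which defeats the `permissions = "0400"` set on the uploaded tar; the tar should be assembled outside the store at deployment time, or the keys left as individual `deployment.keys` entries. Separately, `keys` is declared with `type = lib.types.listOf lib.types.unspecified;` but `default = {};`, an attribute set, so evaluating the option while it is unset fails the module type check; it should read `default = [];`. This hunk appears truncated in this rendering (68 lines declared, the heredoc bodies after `cat >> mods` are missing), so the remainder of the build script and the `find /var/secrets` permission fix-up could not be reviewed.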