-{ lib, pkgs, config, myconfig, mylibs, ... }:
+{ lib, pkgs, config, ... }:
{
- options.mySecrets = {
+ options.secrets = {
keys = lib.mkOption {
type = lib.types.listOf lib.types.unspecified;
- default = {};
+ default = [];
description = "Keys to upload to server";
};
+ location = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/secrets";
+ description = "Location where to put the keys";
+ };
};
config = let
- keys = config.mySecrets.keys;
+ location = config.secrets.location;
+ keys = config.secrets.keys;
empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
dumpKey = v: ''
mkdir -p secrets/$(dirname ${v.dest})
tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
done
'';
- in {
+ in lib.mkIf (builtins.length keys > 0) {
system.activationScripts.secrets = {
deps = [ "users" "wrappers" ];
text = ''
- install -m0750 -o root -g keys -d /var/secrets
+ install -m0750 -o root -g keys -d ${location}
if [ -f /run/keys/secrets.tar ]; then
- if [ ! -f /var/secrets/currentSecrets ] || ! sha512sum -c --status "/var/secrets/currentSecrets"; then
+ if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
echo "rebuilding secrets"
- rm -rf /var/secrets
- install -m0750 -o root -g keys -d /var/secrets
- ${pkgs.gnutar}/bin/tar --strip-components 1 -C /var/secrets -xf /run/keys/secrets.tar
- sha512sum /run/keys/secrets.tar > /var/secrets/currentSecrets
- find /var/secrets -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ rm -rf ${location}
+ install -m0750 -o root -g keys -d ${location}
+ ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
+ sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
+ find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
fi
fi
'';
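Review bot: Making the secrets directory configurable turns every `${location}` interpolation in the activation script into unquoted shell text, and one of those sites is `rm -rf ${location}` — a value containing whitespace or glob characters would be word-split before the recursive delete, and a value of `/` or an existing unrelated directory would be wiped on the first hash mismatch. The cheapest containment is to shell-escape the path once where it is bound, `location = lib.escapeShellArg (toString config.secrets.location);`, and then drop the now-redundant double quotes on the checksum line so quote characters do not nest, `if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status ${location}/currentSecrets; then`. Since the option type is `types.path`, I would also add an `assertions` entry (or `lib.assertMsg` around the binding) rejecting `/` and relative values before the script can run, and a comment on the option noting that the directory is owned by the module and recreated from scratch when the tarball changes. The `config` attribute set and the enclosing module function continue past the end of this hunk.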