};
};
config = let
- oldkeys = lib.attrsets.filterAttrs (n: v: n != "secrets.tar") config.deployment.keys;
keys = config.mySecrets.keys;
empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
- dumpOldKey = k: v: let
- dest = if v.destDir == "/run/keys"
- then k
- else (builtins.replaceStrings ["/run/keys/"] [""] v.destDir) + "/" + k;
- in ''
- mkdir -p secrets/$(dirname ${dest})
- echo -n ${lib.strings.escapeShellArg v.text} > secrets/${dest}
- cat >> mods <<EOF
- ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${dest}
- EOF
- '';
dumpKey = v: ''
mkdir -p secrets/$(dirname ${v.dest})
echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
secrets = pkgs.runCommand "secrets.tar" {} ''
touch mods
tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
- ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList dumpOldKey oldkeys)}
${builtins.concatStringsSep "\n" (map dumpKey keys)}
cat mods | while read u g p k; do
tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"