X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=modules%2Fsecrets.nix;fp=nixops%2Fmodules%2Fsecrets.nix;h=b282e56e207d17f12b2ef46bfc6da5321d909eb7;hp=85000882f776f588c5048aa0d84f999b04248584;hb=1a7188052f235fb632700478fad0108e4306107d;hpb=d42bbbe6f510fce233ecb66d44d205761390b56e
diff --git a/nixops/modules/secrets.nix b/modules/secrets.nix
similarity index 64%
rename from nixops/modules/secrets.nix
rename to modules/secrets.nix
index 8500088..b282e56 100644
--- a/nixops/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -1,14 +1,20 @@
-{ lib, pkgs, config, myconfig, mylibs, ... }:
+{ lib, pkgs, config, ... }:
 {
- options.mySecrets = {
+ options.secrets = {
 keys = lib.mkOption {
 type = lib.types.listOf lib.types.unspecified;
- default = {};
+ default = [];
 description = "Keys to upload to server";
 };
+ location = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/secrets";
+ description = "Location where to put the keys";
+ };
 };
 config = let
- keys = config.mySecrets.keys;
+ location = config.secrets.location;
+ keys = config.secrets.keys;
 empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
 dumpKey = v: ''
 mkdir -p secrets/$(dirname ${v.dest})
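Review bot: The new `location` option is declared as `lib.types.path`, which in nixpkgs accepts a Nix path literal as well as a string, and the value is string-interpolated into the activation script further down; a user writing `secrets.location = /var/secrets;` (unquoted) would therefore have that directory copied into the world-readable Nix store at evaluation time instead of being referenced in place. `lib.types.str` (or `lib.types.strMatching "^/.*"` to keep the absolute-path guarantee) rules that out, and the description should state the expectation: `description = "Absolute path, as a string, of the directory the keys are extracted into";`. The string default `"/var/secrets"` is fine as it stands.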
@@ -25,19 +31,19 @@
 tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
 done
 '';
- in {
+ in lib.mkIf (builtins.length keys > 0) {
 system.activationScripts.secrets = {
 deps = [ "users" "wrappers" ];
 text = ''
- install -m0750 -o root -g keys -d /var/secrets
+ install -m0750 -o root -g keys -d ${location}
 if [ -f /run/keys/secrets.tar ]; then
- if [ ! -f /var/secrets/currentSecrets ] || ! sha512sum -c --status "/var/secrets/currentSecrets"; then
+ if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
 echo "rebuilding secrets"
- rm -rf /var/secrets
- install -m0750 -o root -g keys -d /var/secrets
- ${pkgs.gnutar}/bin/tar --strip-components 1 -C /var/secrets -xf /run/keys/secrets.tar
- sha512sum /run/keys/secrets.tar > /var/secrets/currentSecrets
- find /var/secrets -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ rm -rf ${location}
+ install -m0750 -o root -g keys -d ${location}
+ ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
+ sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
+ find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
 fi
 fi
 '';
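Review bot: Every `${location}` in the activation script is interpolated unquoted, so a value containing whitespace or glob characters is word-split, and the `rm -rf ${location}` line now wipes whatever directory the user configured — `lib.types.path` only guarantees a leading `/`, so `/` or `/etc` would pass the type check. Quote each interpolation, `rm -rf "${location}"`, `install -m0750 -o root -g keys -d "${location}"`, and the `-C`, `sha512sum` redirect and `find` arguments the same way, and refuse the obviously destructive value at evaluation time, e.g. `in assert location != "/"; lib.mkIf (builtins.length keys > 0) {`. Separately, `sha512sum` is called bare while `tar` is pinned to `${pkgs.gnutar}`; activation scripts presumably run with coreutils on PATH, but `${pkgs.coreutils}/bin/sha512sum` would make the integrity check independent of the environment. The `config = let … in` attribute set this hunk changes continues past the end of the hunk.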