X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=modules%2Fsecrets.nix;h=a149f02ca9baeb873b26d6732102b5944caf8c4d;hp=808b15c5bdeb886347a8f9c34f69891495e0999f;hb=7ad4966f41db0669a77c7a6ee7f87f0d4e586b0c;hpb=17f6eae9907a122d4472da727ae8b1ac1c40c027
diff --git a/modules/secrets.nix b/modules/secrets.nix
index 808b15c..a149f02 100644
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -11,7 +11,16 @@
 default = "/var/secrets";
 description = "Location where to put the keys";
 };
+# Read-only variables
+fullPaths = lib.mkOption {
+type = lib.types.attrsOf lib.types.path;
+default = builtins.listToAttrs
+(map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys);
+readOnly = true;
+description = "set of full paths to secrets";
+};
 };
+
 config = let
 location = config.secrets.location;
 keys = config.secrets.keys;
@@ -52,14 +61,13 @@
 fi
 '';
 };
-deployment.keys."secrets.tar" = {
+system.extraDependencies = [ secrets ];
+deployment.secrets."secrets.tar" = {
+source = "${secrets}";
+destination = "/run/keys/secrets.tar";
+owner.user = "root";
+owner.group = "root";
 permissions = "0400";
-# keyFile below is not evaluated at build time by nixops, so the
-# `secrets` path doesn’t necessarily exist when uploading the
-# keys, and nixops is unhappy.
-user = "root${builtins.substring 10000 1 secrets}";
-group = "root";
-keyFile = "${secrets}";
 };
 };
 }
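Review bot: The `fullPaths` default keys the attribute set by `v.dest` and joins it with `config.secrets.location` via plain string interpolation, so two keys sharing a `dest` silently collapse into one entry in `builtins.listToAttrs`, and a `dest` that is absolute or contains `..` yields a path outside `location` that `lib.types.path` still accepts (it only requires a leading `/`). Since `fullPaths` is the read-only view other modules will consume, a check on the `keys` option (unique, relative `dest` values) or at least a comment stating that assumption would be worthwhile, e.g. `# assumes every key has a unique, relative `dest`; duplicates collapse and absolute values escape `location``. The enclosing `options` attribute set begins before this hunk, so the definition of `config.secrets.keys` is not visible here.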
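Review bot: `system.extraDependencies = [ secrets ];` pulls the `secrets` derivation into the system closure, so if that store path holds plaintext key material (its definition is outside this hunk, so I cannot confirm) it will be copied into the target's world-readable /nix/store, which undercuts the `0400` root-only `deployment.secrets."secrets.tar"` written to /run/keys/secrets.tar. The previous `keyFile` comment explaining why the path had to exist at upload time was removed without a replacement, so the reason for the new line is now undocumented; I would add `# Make sure `secrets` is built before deploy so deployment.secrets can read it; this also places it in the system closure` above it. If the store exposure is a concern, consider keeping the derivation out of `extraDependencies` and forcing its build another way.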