X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=modules%2Fsecrets.nix;h=a149f02ca9baeb873b26d6732102b5944caf8c4d;hp=b282e56e207d17f12b2ef46bfc6da5321d909eb7;hb=a1a2455f53bde1235b221a842d3c888c51fcecac;hpb=1a7188052f235fb632700478fad0108e4306107d
diff --git a/modules/secrets.nix b/modules/secrets.nix
index b282e56..a149f02 100644
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -11,7 +11,16 @@
 default = "/var/secrets";
 description = "Location where to put the keys";
 };
+ # Read-only variables
+ fullPaths = lib.mkOption {
+ type = lib.types.attrsOf lib.types.path;
+ default = builtins.listToAttrs
+ (map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys);
+ readOnly = true;
+ description = "set of full paths to secrets";
+ };
 };
+
 config = let
 location = config.secrets.location;
 keys = config.secrets.keys;
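Review bot: The description of the new `fullPaths` option does not say how the set is keyed or that it is derived from other options, and because the option is `readOnly` consumers can only read it, so the lookup key is the one thing they need to know. Suggest `description = "Full path of each entry of secrets.keys under secrets.location, keyed by that entry's dest";` and folding the `# Read-only variables` comment into it. `builtins.listToAttrs` collapses duplicate names silently, so two keys sharing a `dest` would yield one entry here; a short comment on the `default` line stating whether that is intended would help. The enclosing `options` attrset begins before this hunk.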
@@ -39,23 +48,26 @@
 if [ -f /run/keys/secrets.tar ]; then
 if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
 echo "rebuilding secrets"
- rm -rf ${location}
- install -m0750 -o root -g keys -d ${location}
- ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
- sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
- find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ TMP=$(${pkgs.coreutils}/bin/mktemp -d)
+ if [ -n "$TMP" ]; then
+ install -m0750 -o root -g keys -d $TMP
+ ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -xf /run/keys/secrets.tar
+ sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
+ find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ ${pkgs.rsync}/bin/rsync -O -c -av --delete $TMP/ ${location}
+ rm -rf $TMP
+ fi
 fi
 fi
 '';
 };
- deployment.keys."secrets.tar" = {
+ system.extraDependencies = [ secrets ];
+ deployment.secrets."secrets.tar" = {
+ source = "${secrets}";
+ destination = "/run/keys/secrets.tar";
+ owner.user = "root";
+ owner.group = "root";
 permissions = "0400";
- # keyFile below is not evaluated at build time by nixops, so the
- # `secrets` path doesn’t necessarily exist when uploading the
- # keys, and nixops is unhappy.
- user = "root${builtins.substring 10000 1 secrets}";
- group = "root";
- keyFile = "${secrets}";
 };
 };
 }
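Review bot: The exit status of the `rsync` into `${location}` is never checked, so if the sync stops partway the temp dir is still removed and, when `currentSecrets` has already been copied, the next run sees a matching checksum and skips the rebuild, leaving a mix of old and new secrets in place. Whether the surrounding script runs under `set -e` is not visible here, since the script body starts before this hunk. A one-line guard keeps the retry path open: `${pkgs.rsync}/bin/rsync -O -c -av --delete $TMP/ ${location} || rm -f ${location}/currentSecrets`. Since `mktemp -d` already creates the directory, `install -d $TMP` on an existing directory presumably only re-applies mode 0750 and root:keys ownership; a short comment saying that is the intent (a staging dir readable by group `keys`) would help the next reader.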