Start building a secrets.tar to reduce upload time for nixops

diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix
index 5e0227d27e5af6353f401ecdb7c803700fe58d6d..a85b9dea599e4e1558e8fcc0db41e290ee03568d 100644 (file)
--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -43,6 +43,7 @@
       ./modules/irc
       ./modules/buildbot
       ./modules/dns
+      ./modules/secrets
     ];
     services.myGitolite.enable = true;
     services.myDatabases.enable = true;

diff --git a/nixops/modules/secrets/default.nix b/nixops/modules/secrets/default.nix
new file mode 100644 (file)
index 0000000..7096e48
--- /dev/null
+++ b/nixops/modules/secrets/default.nix
@@ -0,0 +1,68 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+{
+  options.mySecrets = {
+    keys = lib.mkOption {
+      type = lib.types.listOf lib.types.unspecified;
+      default = {};
+      description = "Keys to upload to server";
+    };
+  };
+  config = let
+    oldkeys = lib.attrsets.filterAttrs (n: v: n != "secrets.tar") config.deployment.keys;
+    keys = config.mySecrets.keys;
+    empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
+    dumpOldKey = k: v: let
+      dest = if v.destDir == "/run/keys"
+        then k
+        else (builtins.replaceStrings ["/run/keys/"] [""] v.destDir) + "/" + k;
+      in ''
+        mkdir -p secrets/$(dirname ${dest})
+        echo -n ${lib.strings.escapeShellArg v.text} > secrets/${dest}
+        cat >> mods <<EOF
+        ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${dest}
+        EOF
+        '';
+    dumpKey = v: ''
+        mkdir -p secrets/$(dirname ${v.dest})
+        echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
+        cat >> mods <<EOF
+        ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
+        EOF
+        '';
+    secrets = pkgs.runCommand "secrets.tar" {} ''
+      touch mods
+      tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
+      ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList dumpOldKey oldkeys)}
+      ${builtins.concatStringsSep "\n" (map dumpKey keys)}
+      cat mods | while read u g p k; do
+      tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
+      done
+      '';
+  in {
+    system.activationScripts.secrets = {
+      deps = [ "users" "wrappers" ];
+      text = ''
+        install -m0750 -o root -g keys -d /var/secrets
+        if [ -f /run/keys/secrets.tar ]; then
+          if [ ! -f /var/secrets/currentSecrets ] || ! sha512sum -c --status "/var/secrets/currentSecrets"; then
+            echo "rebuilding secrets"
+            rm -rf /var/secrets
+            install -m0750 -o root -g keys -d /var/secrets
+            ${pkgs.gnutar}/bin/tar --strip-components 1 -C /var/secrets -xf /run/keys/secrets.tar
+            sha512sum /run/keys/secrets.tar > /var/secrets/currentSecrets
+            find /var/secrets -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+          fi
+        fi
+        '';
+    };
+    deployment.keys."secrets.tar" = {
+      permissions = "0400";
+      # keyFile below is not evaluated at build time by nixops, so the
+      # `secrets` path doesn’t necessarily exist when uploading the
+      # keys, and nixops is unhappy.
+      user = "root${builtins.substring 10000 1 secrets}";
+      group = "root";
+      keyFile = "${secrets}";
+    };
+  };
+}