Use attrs for secrets instead of lists

4 files changed, 47 insertions, 15 deletions

diff --git a/flakes/private/openarc/flake.lock b/flakes/private/openarc/flake.lock
index 744d002..be75993 100644
--- a/flakes/private/openarc/flake.lock
+++ b/flakes/private/openarc/flake.lock
@@ -146,7 +146,7 @@
     },
     "secrets": {
       "locked": {
-        "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=",
+        "narHash": "sha256-w3u1bMEJHCg9SqErJ5Qi0sTX2xx7mk+HrHZXzpjQd1w=",
         "path": "../../secrets",
         "type": "path"
       },
diff --git a/flakes/private/opendmarc/flake.lock b/flakes/private/opendmarc/flake.lock
index bd5019c..f40e1a9 100644
--- a/flakes/private/opendmarc/flake.lock
+++ b/flakes/private/opendmarc/flake.lock
@@ -129,7 +129,7 @@
     },
     "secrets": {
       "locked": {
-        "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=",
+        "narHash": "sha256-w3u1bMEJHCg9SqErJ5Qi0sTX2xx7mk+HrHZXzpjQd1w=",
         "path": "../../secrets",
         "type": "path"
       },
diff --git a/flakes/private/opendmarc/flake.nix b/flakes/private/opendmarc/flake.nix
index 2b73070..e2575e7 100644
--- a/flakes/private/opendmarc/flake.nix
+++ b/flakes/private/opendmarc/flake.nix
@@ -53,9 +53,8 @@
               config.secrets.fullPaths."opendmarc/ignore.hosts"
             ];
           };
-          secrets.keys = [
-            {
-              dest = "opendmarc/ignore.hosts";
+          secrets.keys = {
+            "opendmarc/ignore.hosts" = {
               user = config.services.opendmarc.user;
               group = config.services.opendmarc.group;
               permissions = "0400";
@@ -67,8 +66,8 @@
                   builtins.concatStringsSep "\n" ([
                     config.myEnv.mail.dmarc.ignore_hosts
                   ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
-            }
-          ];
+            };
+          };
         };
       };
     in
diff --git a/flakes/secrets/flake.nix b/flakes/secrets/flake.nix
index 0ee6a40..ef74a30 100644
--- a/flakes/secrets/flake.nix
+++ b/flakes/secrets/flake.nix
@@ -5,9 +5,42 @@
     nixosModule = { config, lib, pkgs, ... }: {
       options.secrets = with lib; {
         keys = mkOption {
-          type = types.listOf types.unspecified;
-          default = [];
-          description = "Keys to upload to server";
+          type = types.attrsOf (types.submodule {
+            options = {
+              isTemplated = mkOption {
+                type = types.bool;
+                default = true;
+                description = "If the file is a gucci template that needs to be resolved";
+              };
+              isDir = mkOption {
+                type = types.bool;
+                default = false;
+                description = "If the entry is a directory";
+              };
+              group = mkOption {
+                type = types.str;
+                default = "root";
+                description = "Group to associate to the entry";
+              };
+              user = mkOption {
+                type = types.str;
+                default = "root";
+                description = "User to associate to the entry";
+              };
+              permissions = mkOption {
+                type = types.str;
+                default = "0600";
+                description = "Permissions to associate to the entry";
+              };
+              text = mkOption {
+                type = types.str;
+                description = "Content of the entry";
+              };
+            };
+          });
+          default = {};
+          description = "Keys attrs to upload to the server";
+          apply = lib.mapAttrsToList (dest: v: v // { inherit dest; });
         };
         gpgKeys = mkOption {
           type = types.listOf types.path;
@@ -52,20 +85,20 @@
         location = config.secrets.location;
         keys = config.secrets.keys;
         empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
-        fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}";
+        fpath = v: "secrets/${v.dest}${lib.optionalString v.isTemplated ".gucci.tpl"}";
         dumpKey = v:
-          if v.isDir or false then
+          if v.isDir then
             ''
               mkdir -p secrets/${v.dest}
               cat >> mods <<EOF
-              ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
+              ${v.user} ${v.group} ${v.permissions} secrets/${v.dest}
               EOF
             ''
           else ''
             mkdir -p secrets/$(dirname ${v.dest})
             echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v}
             cat >> mods <<EOF
-            ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v}
+            ${v.user} ${v.group} ${v.permissions} ${fpath v}
             EOF
             '';
         secrets = pkgs.runCommand "secrets.tar.enc" {
@@ -88,7 +121,7 @@
           '';
         pathChmodExcl =
           let
-            dirs = builtins.filter (v: v.isDir or false) keys;
+            dirs = builtins.filter (v: v.isDir) keys;
             exclPath = builtins.concatStringsSep " -o " (map (d: " -path $TMP/${d.dest}") dirs);
           in
             lib.optionalString (builtins.length dirs > 0) " -not \\( ${exclPath} \\) ";