authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-06-01 00:01:46 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-06-01 00:01:46 +0200
commit17f6eae9907a122d4472da727ae8b1ac1c40c027 (patch)
tree133ab8877a47ec707cb8c96e561a29e45395fce6 /modules/secrets.nix
parentf33aade75160a345a721fd60451b9edaa4d10e44 (diff)
Add a filesWatcher service to restart them when secrets change
Diffstat (limited to 'modules/secrets.nix')
-rw-r--r--modules/secrets.nix14
1 files changed, 9 insertions, 5 deletions
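--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -39,11 +39,15 @@
       if [ -f /run/keys/secrets.tar ]; then
         if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
           echo "rebuilding secrets"
-          rm -rf ${location}
-          install -m0750 -o root -g keys -d ${location}
-          ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
-          sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
-          find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+          TMP=$(${pkgs.coreutils}/bin/mktemp -d)
+          if [ -n "$TMP" ]; then
+            install -m0750 -o root -g keys -d $TMP
+            ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -xf /run/keys/secrets.tar
+            sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
+            find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+            ${pkgs.rsync}/bin/rsync -O -c -av --delete $TMP/ ${location}
+            rm -rf $TMP
+          fi
         fi
       fi
     '';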
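Review bot: The final `rm -rf $TMP` only runs if every preceding step succeeds, so a failing tar or rsync leaves the partially extracted secrets behind in the mktemp directory under $TMPDIR, outside ${location}, with nothing that ever removes them. Registering the cleanup as soon as the directory exists, `trap 'rm -rf "$TMP"' EXIT` directly after the `if [ -n "$TMP" ]; then` line, covers the error paths, and quoting `"$TMP"` in the following commands would match the test on that line. Whether the surrounding script runs under `set -e` is not visible in the hunk; if it does not, a failed tar is followed by `rsync --delete`, which would mirror the partial extraction over the previously good secrets, so chaining the rsync on the tar exit status (`... && rsync ...`) would keep ${location} intact on failure. The shell string whose end is visible at `'';` starts before the hunk.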