diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-25 09:26:26 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-25 09:26:26 +0200 |
| commit | 8db8e666707a0e51af9353c76c5863e1a5482ed5 (patch) | |
| tree | 64bfdc2cb62f84250955424ad202fc875d4ddbc4 /nixops/modules/secrets | |
| parent | 32c84ff89c2b8931f58cea63961a178a9b1d0efe (diff) | |
| download | Nix-8db8e666707a0e51af9353c76c5863e1a5482ed5.tar.gz Nix-8db8e666707a0e51af9353c76c5863e1a5482ed5.tar.zst Nix-8db8e666707a0e51af9353c76c5863e1a5482ed5.zip | |
Move tools to new secrets location
Diffstat (limited to 'nixops/modules/secrets')
| -rw-r--r-- | nixops/modules/secrets/default.nix | 13 |
1 files changed, 0 insertions, 13 deletions
diff --git a/nixops/modules/secrets/default.nix b/nixops/modules/secrets/default.nix index 7096e48..8500088 100644 --- a/nixops/modules/secrets/default.nix +++ b/nixops/modules/secrets/default.nix | |||
| @@ -8,20 +8,8 @@ | |||
| 8 | }; | 8 | }; |
| 9 | }; | 9 | }; |
| 10 | config = let | 10 | config = let |
| 11 | oldkeys = lib.attrsets.filterAttrs (n: v: n != "secrets.tar") config.deployment.keys; | ||
| 12 | keys = config.mySecrets.keys; | 11 | keys = config.mySecrets.keys; |
| 13 | empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; | 12 | empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; |
| 14 | dumpOldKey = k: v: let | ||
| 15 | dest = if v.destDir == "/run/keys" | ||
| 16 | then k | ||
| 17 | else (builtins.replaceStrings ["/run/keys/"] [""] v.destDir) + "/" + k; | ||
| 18 | in '' | ||
| 19 | mkdir -p secrets/$(dirname ${dest}) | ||
| 20 | echo -n ${lib.strings.escapeShellArg v.text} > secrets/${dest} | ||
| 21 | cat >> mods <<EOF | ||
| 22 | ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${dest} | ||
| 23 | EOF | ||
| 24 | ''; | ||
| 25 | dumpKey = v: '' | 13 | dumpKey = v: '' |
| 26 | mkdir -p secrets/$(dirname ${v.dest}) | 14 | mkdir -p secrets/$(dirname ${v.dest}) |
| 27 | echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest} | 15 | echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest} |
| @@ -32,7 +20,6 @@ | |||
| 32 | secrets = pkgs.runCommand "secrets.tar" {} '' | 20 | secrets = pkgs.runCommand "secrets.tar" {} '' |
| 33 | touch mods | 21 | touch mods |
| 34 | tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done | 22 | tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done |
| 35 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList dumpOldKey oldkeys)} | ||
| 36 | ${builtins.concatStringsSep "\n" (map dumpKey keys)} | 23 | ${builtins.concatStringsSep "\n" (map dumpKey keys)} |
| 37 | cat mods | while read u g p k; do | 24 | cat mods | while read u g p k; do |
| 38 | tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k" | 25 | tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k" |