diff options
Diffstat (limited to 'modules/secrets.nix')
| -rw-r--r-- | modules/secrets.nix | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/modules/secrets.nix b/modules/secrets.nix index a2424e9..a149f02 100644 --- a/modules/secrets.nix +++ b/modules/secrets.nix | |||
| @@ -61,14 +61,13 @@ | |||
| 61 | fi | 61 | fi |
| 62 | ''; | 62 | ''; |
| 63 | }; | 63 | }; |
| 64 | deployment.keys."secrets.tar" = { | 64 | system.extraDependencies = [ secrets ]; |
| 65 | deployment.secrets."secrets.tar" = { | ||
| 66 | source = "${secrets}"; | ||
| 67 | destination = "/run/keys/secrets.tar"; | ||
| 68 | owner.user = "root"; | ||
| 69 | owner.group = "root"; | ||
| 65 | permissions = "0400"; | 70 | permissions = "0400"; |
| 66 | # keyFile below is not evaluated at build time by nixops, so the | ||
| 67 | # `secrets` path doesn’t necessarily exist when uploading the | ||
| 68 | # keys, and nixops is unhappy. | ||
| 69 | user = "root${builtins.substring 10000 1 secrets}"; | ||
| 70 | group = "root"; | ||
| 71 | keyFile = "${secrets}"; | ||
| 72 | }; | 71 | }; |
| 73 | }; | 72 | }; |
| 74 | } | 73 | } |