Diffstat (limited to 'modules/secrets.nix')
-rw-r--r-- | modules/secrets.nix | 13 |
1 files changed, 6 insertions, 7 deletions
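--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -61,14 +61,13 @@
 fi
 '';
 };
-deployment.keys."secrets.tar" = {
+system.extraDependencies = [ secrets ];
+deployment.secrets."secrets.tar" = {
+source = "${secrets}";
+destination = "/run/keys/secrets.tar";
+owner.user = "root";
+owner.group = "root";
 permissions = "0400";
-# keyFile below is not evaluated at build time by nixops, so the
-# `secrets` path doesn’t necessarily exist when uploading the
-# keys, and nixops is unhappy.
-user = "root${builtins.substring 10000 1 secrets}";
-group = "root";
-keyFile = "${secrets}";
 };
 };
 }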
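Review bot: `system.extraDependencies = [ secrets ];` on new line 64 puts the `secrets` store path into the system closure, so it is copied into the target's `/nix/store`, which every local user can read; `permissions = "0400"` and the root owner only protect the copy at `/run/keys/secrets.tar`. `secrets` is defined above this hunk, so I cannot tell whether its output is already encrypted. If it is plaintext, the store copy bypasses the key-file permissions and the dependency should be dropped or the derivation should emit only ciphertext. The commit also removes the comment explaining the old workaround without documenting the new one, so I would add something like `# kept in the closure so the path exists at upload time; contents must be encrypted because /nix/store is world-readable` above that line, once the assumption is confirmed.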