From 44742a43dac86a79274486a9b73a349c5d4ec631 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Thu, 25 Apr 2019 01:35:25 +0200
Subject: Start building a secrets.tar to reduce upload time for nixops
---
 nixops/eldiron.nix | 1 +
 nixops/modules/secrets/default.nix | 68 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 nixops/modules/secrets/default.nix
(limited to 'nixops')
diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix
index 5e0227d..a85b9de 100644
--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -43,6 +43,7 @@
 ./modules/irc
 ./modules/buildbot
 ./modules/dns
+ ./modules/secrets
 ];
 services.myGitolite.enable = true;
 services.myDatabases.enable = true;
diff --git a/nixops/modules/secrets/default.nix b/nixops/modules/secrets/default.nix
new file mode 100644
index 0000000..7096e48
--- /dev/null
+++ b/nixops/modules/secrets/default.nix
@@ -0,0 +1,68 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+{
+ options.mySecrets = {
+ keys = lib.mkOption {
+ type = lib.types.listOf lib.types.unspecified;
+ default = {};
+ description = "Keys to upload to server";
+ };
+ };
+ config = let
+ oldkeys = lib.attrsets.filterAttrs (n: v: n != "secrets.tar") config.deployment.keys;
+ keys = config.mySecrets.keys;
+ empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
+ dumpOldKey = k: v: let
+ dest = if v.destDir == "/run/keys"
+ then k
+ else (builtins.replaceStrings ["/run/keys/"] [""] v.destDir) + "/" + k;
+ in ''
+ mkdir -p secrets/$(dirname ${dest})
+ echo -n ${lib.strings.escapeShellArg v.text} > secrets/${dest}
+ cat >> mods < secrets/${v.dest}
+ cat >> mods < /var/secrets/currentSecrets
+ find /var/secrets -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ fi
+ fi
+ '';
+ };
+ deployment.keys."secrets.tar" = {
+ permissions = "0400";
+ # keyFile below is not evaluated at build time by nixops, so the
+ `secrets` path doesn’t necessarily exist when uploading the
+ keys, and nixops is unhappy.
+ user = "root${builtins.substring 10000 1 secrets}";
+ group = "root";
+ keyFile = "${secrets}";
+ };
+ };
+}
-- cgit v1.2.3
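Review bot: `keyFile = "${secrets}"` and `builtins.substring 10000 1 secrets` both coerce `secrets` to a string, which suggests it is a derivation output; if it is built with `pkgs.runCommand` like `empty` above, every key's `v.text` that `dumpOldKey` writes via `echo -n … > secrets/${dest}` ends up inside the tar in the world-readable Nix store of the deploying host (and any cache it pushes to), which is precisely the exposure `deployment.keys` exists to avoid — worth confirming, since the `secrets` definition itself is lost in the garbled middle of this hunk. Independently, `mySecrets.keys` is declared as `lib.types.listOf lib.types.unspecified` but given `default = {};`, an attrset; it should read `default = [];` (or the type should become `attrsOf`, depending on how `keys` is consumed further down). The post-extraction `find /var/secrets -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;` only tightens directories, so file modes rely entirely on what the tar carries; an explicit `-type f` pass with `chmod o-rwx`, or extracting under a restrictive umask, would make the intended permissions independent of the archive. The heredoc bodies of `cat >> mods <<…` and the tar extraction logic are not visible in this hunk, so the claims above about extraction are inferred from the visible `find` only.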