krebs.secret: init
This commit is contained in:
parent
d8d39f5c4a
commit
b5fbca3a36
@ -28,6 +28,7 @@ let
|
|||||||
./realwallpaper.nix
|
./realwallpaper.nix
|
||||||
./retiolum-bootstrap.nix
|
./retiolum-bootstrap.nix
|
||||||
./retiolum.nix
|
./retiolum.nix
|
||||||
|
./secret.nix
|
||||||
./setuid.nix
|
./setuid.nix
|
||||||
./tinc_graphs.nix
|
./tinc_graphs.nix
|
||||||
./urlwatch.nix
|
./urlwatch.nix
|
||||||
|
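--- /dev/null
+++ b/krebs/3modules/secret.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+cfg = config.krebs.secret;
+in {
+options.krebs.secret = {
+files = mkOption {
+type = with types; attrsOf secret-file;
+default = {};
+};
+};
+config = lib.mkIf (cfg.files != {}) {
+systemd.services.secret = let
+# TODO fail if two files have the same path but differ otherwise
+files = unique (map (flip removeAttrs ["_module"])
+(attrValues cfg.files));
+in {
+serviceConfig = {
+Type = "oneshot";
+RemainAfterExit = "yes";
+SyslogIdentifier = "secret";
+ExecStart = pkgs.writeDash "install-secret-files" ''
+exit_code=0
+${concatMapStringsSep "\n" (file: ''
+${pkgs.coreutils}/bin/install \
+-D \
+--compare \
+--verbose \
+--mode=${shell.escape file.mode} \
+--owner=${shell.escape file.owner-name} \
+--group=${shell.escape file.group-name} \
+${shell.escape file.source-path} \
+${shell.escape file.path} \
+|| exit_code=1
+'') files}
+exit $exit_code
+'';
+};
+};
+};
+}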
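Review bot: The `unique` applied to `files` only collapses byte-identical entries, so two `krebs.secret.files` attributes that share a `path` but differ in source, mode or owner are both installed in `attrValues` order and the later one silently wins — a misconfigured entry can leave a secret with the wrong mode or owner and no evaluation error, which is exactly the case the TODO names. An eval-time check closes that gap: replace `in {` with `in assert length (unique (map (f: f.path) files)) == length files; {` (or express the same test as an `assertions` entry for a readable message). Separately, the unit declares no `wantedBy`, so presumably consumers are expected to pull it in with `requires`/`after = [ "secret.service" ]`; a comment stating that contract above `systemd.services.secret` would save the next reader a guess.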
@ -143,6 +143,19 @@ types // rec {
|
|||||||
merge = mergeOneOption;
|
merge = mergeOneOption;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
secret-file = submodule ({ config, ... }: {
|
||||||
|
options = {
|
||||||
|
path = mkOption { type = str; };
|
||||||
|
mode = mkOption { type = str; default = "0400"; };
|
||||||
|
owner-name = mkOption { type = str; default = "root"; };
|
||||||
|
group-name = mkOption { type = str; default = "root"; };
|
||||||
|
source-path = mkOption {
|
||||||
|
type = str;
|
||||||
|
default = toString <secrets> + "/${config._module.args.name}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
|
||||||
suffixed-str = suffs:
|
suffixed-str = suffs:
|
||||||
mkOptionType {
|
mkOptionType {
|
||||||
name = "string suffixed by ${concatStringsSep ", " suffs}";
|
name = "string suffixed by ${concatStringsSep ", " suffs}";
|
||||||
|