custom/modules/secretstore: sync with wigfrid version

Michele Guerini Rocco 2022-08-10 16:57:56 +02:00
parent ca994395ba
commit 4e7ed51256
Signed by: rnhmjoj
GPG Key ID: BFBAF4C975F76450


@ -5,6 +5,8 @@ with lib;
let
cfg = config.security.runtimeSecrets;
secretsStore = "/var/secrets";
# A recursive attrset of submodule
storeType = types.attrsOf (types.submodule
{ freeformType = storeType;
@ -66,7 +68,7 @@ let
storedSecrets = mapAttrsRecursiveCond (v: !isFile v)
(names: secret:
if isFile secret
then "/var/secrets/${concatStringsSep "-" names}"
then "${secretsStore}/${concatStringsSep "-" names}"
else secret) cfg;
in {
@ -77,7 +79,7 @@ in {
Definitions of runtime secrets. This is a freeform attributes
set: it can contain arbitrarily nested sets of secrets.
Secrets are paths to be copied into the secrets store
(/var/secrets) with proper permission and owenership.
(${secretsStore}) with proper permission and ownership.
'';
};
@ -109,13 +111,13 @@ in {
config.system.activationScripts.secrets-copy = {
deps = [ ];
text =
''
''
secret=${(head secretFiles).value.path}
if test -f "$secret"; then
echo copying secrets...
rm -rf /var/secrets
rm -rf ${secretsStore}
${concatMapStrings (f: ''
install -m ${f.value.mode} -D ${f.value.path} /var/secrets/${f.name}
install -m ${f.value.mode} -D ${f.value.path} ${secretsStore}/${f.name}
'') secretFiles}
fi
'';
@ -129,7 +131,7 @@ in {
''
echo setting secrets ownership...
${concatMapStrings (f: ''
chown ${f.value.user}:${f.value.group} /var/secrets/${f.name}
chown ${f.value.user}:${f.value.group} ${secretsStore}/${f.name}
'') secretFiles}
'';
};
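Review bot: The new `${secretsStore}` interpolations are dropped into shell code unquoted — `rm -rf ${secretsStore}` in the secrets-copy hunk, the `install -D` destination right below it, and the `chown` target in this last hunk — so the path is only safe as long as the constant never contains whitespace or glob characters. Since this commit is what turns the hard-coded path into a single variable (and the obvious next step is a configurable option), it is the moment to quote it: `rm -rf "${secretsStore}"`, `install -m ${f.value.mode} -D ${f.value.path} "${secretsStore}/${f.name}"`, `chown ${f.value.user}:${f.value.group} "${secretsStore}/${f.name}"`. Relatedly, after the `rm -rf` the store directory is only recreated implicitly by `install -D`, which presumably gives it default directory permissions and leaves the secret file names listable by any local user; recreating it explicitly with `install -d -m 0700 "${secretsStore}"` before the copy loop would close that. Both `config.system.activationScripts` attribute sets these hunks belong to begin and end outside the shown lines.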