custom/modules/secretstore: sync with wigfrid version

custom/modules/secrets-store.nix

@@ -5,6 +5,8 @@ with lib;
 let
   cfg = config.security.runtimeSecrets;
 
+  secretsStore = "/var/secrets";
+
   # A recursive attrset of submodule
   storeType = types.attrsOf (types.submodule
     { freeformType = storeType;
@@ -66,7 +68,7 @@ let
   storedSecrets = mapAttrsRecursiveCond (v: !isFile v)
     (names: secret:
       if isFile secret
-        then "/var/secrets/${concatStringsSep "-" names}"
+        then "${secretsStore}/${concatStringsSep "-" names}"
         else secret) cfg;
 
 in {
@@ -77,7 +79,7 @@ in {
       Definitions of runtime secrets. This is a freeform attributes
       set: it can contain arbitrarily nested sets of secrets.
       Secrets are paths to be copied into the secrets store
-      (/var/secrets) with proper permission and owenership.
+      (${secretsStore}) with proper permission and ownership.
     '';
   };
 
@@ -109,13 +111,13 @@ in {
   config.system.activationScripts.secrets-copy = {
     deps = [ ];
     text =
-      ''
+    ''
       secret=${(head secretFiles).value.path}
       if test -f "$secret"; then
         echo copying secrets...
-        rm -rf /var/secrets
+        rm -rf ${secretsStore}
         ${concatMapStrings (f: ''
-          install -m ${f.value.mode} -D ${f.value.path} /var/secrets/${f.name}
+          install -m ${f.value.mode} -D ${f.value.path} ${secretsStore}/${f.name}
         '') secretFiles}
       fi
     '';
@@ -129,7 +131,7 @@ in {
     ''
       echo setting secrets ownership...
       ${concatMapStrings (f: ''
-        chown ${f.value.user}:${f.value.group} /var/secrets/${f.name}
+        chown ${f.value.user}:${f.value.group} ${secretsStore}/${f.name}
       '') secretFiles}
     '';
   };