custom/modules/secretstore: sync with wigfrid version
This commit is contained in:
parent
ca994395ba
commit
4e7ed51256
@ -5,6 +5,8 @@ with lib;
|
||||
let
|
||||
cfg = config.security.runtimeSecrets;
|
||||
|
||||
secretsStore = "/var/secrets";
|
||||
|
||||
# A recursive attrset of submodule
|
||||
storeType = types.attrsOf (types.submodule
|
||||
{ freeformType = storeType;
|
||||
@ -66,7 +68,7 @@ let
|
||||
storedSecrets = mapAttrsRecursiveCond (v: !isFile v)
|
||||
(names: secret:
|
||||
if isFile secret
|
||||
then "/var/secrets/${concatStringsSep "-" names}"
|
||||
then "${secretsStore}/${concatStringsSep "-" names}"
|
||||
else secret) cfg;
|
||||
|
||||
in {
|
||||
@ -77,7 +79,7 @@ in {
|
||||
Definitions of runtime secrets. This is a freeform attributes
|
||||
set: it can contain arbitrarily nested sets of secrets.
|
||||
Secrets are paths to be copied into the secrets store
|
||||
(/var/secrets) with proper permission and owenership.
|
||||
(${secretsStore}) with proper permission and ownership.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -113,9 +115,9 @@ in {
|
||||
secret=${(head secretFiles).value.path}
|
||||
if test -f "$secret"; then
|
||||
echo copying secrets...
|
||||
rm -rf /var/secrets
|
||||
rm -rf ${secretsStore}
|
||||
${concatMapStrings (f: ''
|
||||
install -m ${f.value.mode} -D ${f.value.path} /var/secrets/${f.name}
|
||||
install -m ${f.value.mode} -D ${f.value.path} ${secretsStore}/${f.name}
|
||||
'') secretFiles}
|
||||
fi
|
||||
'';
|
||||
@ -129,7 +131,7 @@ in {
|
||||
''
|
||||
echo setting secrets ownership...
|
||||
${concatMapStrings (f: ''
|
||||
chown ${f.value.user}:${f.value.group} /var/secrets/${f.name}
|
||||
chown ${f.value.user}:${f.value.group} ${secretsStore}/${f.name}
|
||||
'') secretFiles}
|
||||
'';
|
||||
};
|
||||
|
Loading…
Reference in New Issue
Block a user