From cfbf058adcba308ba8b6b1e21650d281ba34a368 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Wed, 17 Feb 2021 20:02:02 +0100
Subject: [PATCH] secrets-store: make secrets store permanent
---
 custom/modules/secrets-store.nix | 50 ++++++++++++++------------------
 1 file changed, 22 insertions(+), 28 deletions(-)
diff --git a/custom/modules/secrets-store.nix b/custom/modules/secrets-store.nix
index 14f3e99..1d3cabd 100644
--- a/custom/modules/secrets-store.nix
+++ b/custom/modules/secrets-store.nix
@@ -49,23 +49,24 @@ let
 index = name: value: if isAttrs value && cond value then recurse (path ++ [name]) value
- else singleton { path = path ++ [name]; value = value; };
+ else singleton { loc = path ++ [name]; value = value; };
 in concatLists (mapAttrsToList index set); in recurse [] set; isFile = v: isAttrs v && v.path != ""; # Secret files flattened to an index. This is needed
- # to iterate over the set.
+ # to iterate over the set. It contains: {name, path, value}
 secretFiles =
- filter (pair: isFile pair.value)
- (attrsToIndex (v: !isFile v) cfg);
+ (map (x: x // { name = concatStringsSep "-" x.loc; })
+ (filter (pair: isFile pair.value)
+ (attrsToIndex (v: !isFile v) cfg)));
 # Secrets with paths rewritten to the store location
 storedSecrets = mapAttrsRecursiveCond (v: !isFile v) (names: secret: if isFile secret
- then "/run/secrets/${concatStringsSep "-" names}"
+ then "/var/secrets/${concatStringsSep "-" names}"
 else secret) cfg; in {
@@ -76,7 +77,7 @@ in {
 Definitions of runtime secrets. This is a freeform attributes set: it can contain arbitrarily nested sets of secrets. Secrets are paths to be copied into the secrets store
- (/run/secrets) with proper permission and owenership.
+ (/var/secrets) with proper permission and owenership.
 ''; };
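Review bot: Flattening nested attribute paths with `concatStringsSep "-"` in both `secretFiles` and `storedSecrets` means two secrets whose names differ only in where a dash falls, such as `a.b-c` and `a-b.c`, map to the same `/var/secrets/a-b-c` entry, so the later `install` silently overwrites the earlier one and both consumers end up reading the same file. This predates the commit, but now that the store persists on disk a cheap evaluation-time guard is worth adding, e.g. `assert length (unique (map (x: x.name) secretFiles)) == length secretFiles;` between the `in` and the `{` (or a separator that cannot occur in attribute names). The new comment `It contains: {name, path, value}` is also slightly off: each entry carries `loc` (the attribute path) and `value`, with `name` added by the `map`, so `It contains: {name, loc, value}` would match the code. The `let` block holding these bindings begins before the hunk.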
@@ -108,36 +109,29 @@ in {
 config.system.activationScripts.secrets-copy = { deps = [ ]; text =
- ''
- echo setting up secrets store...
- rm -rf /run/secrets
- '' + concatMapStrings (pair:
- let
- name = "${concatStringsSep "-" pair.path}";
- secret = pair.value;
- in ''
- # Install secret ${name}
- install -m ${secret.mode} -D ${secret.path} /run/secrets/${name}
- '') secretFiles;
+ secret=${(head secretFiles).value.path}
+ if test -f "$secret"; then
+ echo copying secrets...
+ rm -rf /var/secrets
+ ${concatMapStrings (f: ''
+ install -m ${f.value.mode} -D ${f.value.path} /var/secrets/${f.name}
+ '') secretFiles}
+ fi
+ '';
 }; # Set secrets ownership, later because the # `user` activation script hasn't run yet.
 config.system.activationScripts.secrets-own = {
- deps = [ "secrets-copy" "users" ];
+ deps = [ "users" "groups" ];
 text = ''
- echo setting secrets ownership...
- '' + concatMapStrings (pair:
- let
- name = "${concatStringsSep "-" pair.path}";
- secret = pair.value;
- in
- ''
- # Set ownership of ${name}
- chown ${secret.user}:${secret.group} /run/secrets/${name}
- '') secretFiles;
+ echo setting secrets ownership...
+ ${concatMapStrings (f: ''
+ chown ${f.value.user}:${f.value.group} /var/secrets/${f.name}
+ '') secretFiles}
+ '';
 }; }
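Review bot: The `if test -f "$secret"` guard in the new secrets-copy script checks only the source of the first secret, and `head secretFiles` makes evaluation fail outright when no secrets are defined. If any later source is missing, `install` fails after `rm -rf /var/secrets` has already run, so the store is left partially populated while the paths in `storedSecrets` still point into it; checking every source before deleting anything, and skipping cleanly when the list is empty, avoids that (sketch below, which also quotes the paths and creates the directory explicitly). The secrets-own script no longer lists `"secrets-copy"` in its deps, so its `chown` may run before the copy and either fail or fix up files that are then replaced by root-owned ones; unless ordering is guaranteed elsewhere, `deps = [ "secrets-copy" "users" "groups" ];` restores it, and whether an activation script named `groups` actually exists should be confirmed since it is not visible here. Two further caveats: the store now lives on persistent storage and stale entries survive whenever the guard skips the copy, and if the `path` values are Nix path literals rather than strings, interpolating them as `${f.value.path}` copies the secret into the world-readable Nix store — the type is not visible in this hunk, so worth confirming.
```nix
text = ''
  missing=0
  for src in ${concatMapStringsSep " " (f: escapeShellArg f.value.path) secretFiles}; do
    test -f "$src" || { echo "secret source $src is missing; leaving /var/secrets untouched" >&2; missing=1; }
  done
  # Only rebuild the store when every source is present, so a partial copy never replaces a complete one.
  if [ ${toString (length secretFiles)} -gt 0 ] && [ "$missing" -eq 0 ]; then
    echo copying secrets...
    rm -rf /var/secrets
    install -d -m 0755 /var/secrets
    ${concatMapStrings (f: ''
      install -m ${f.value.mode} -D ${escapeShellArg f.value.path} ${escapeShellArg "/var/secrets/${f.name}"}
    '') secretFiles}
  fi
'';
# … unchanged: secrets-own script (with "secrets-copy" restored to its deps) …
```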