secrets-store: make secrets store permanent

2021-02-17 20:02:02 +01:00 · 2021-02-17 20:02:02 +01:00 · cfbf058adc
commit cfbf058adc
parent 211bbb657a
1 changed files with 22 additions and 28 deletions
--- a/custom/modules/secrets-store.nix
+++ b/custom/modules/secrets-store.nix
@ -49,23 +49,24 @@ let
      let index = name: value:
        if isAttrs value && cond value
          then recurse (path ++ [name]) value
-          else singleton { path = path ++ [name]; value = value; };
+          else singleton { loc = path ++ [name]; value = value; };
      in concatLists (mapAttrsToList index set);
    in recurse [] set;
  isFile = v: isAttrs v && v.path != "";
  # Secret files flattened to an index. This is needed
-  # to iterate over the set.
+  # to iterate over the set. It contains: {name, path, value}
  secretFiles =
-    filter (pair: isFile pair.value)
+    (map (x: x // { name = concatStringsSep "-" x.loc; })
-    (attrsToIndex (v: !isFile v) cfg);
+      (filter (pair: isFile pair.value)
        (attrsToIndex (v: !isFile v) cfg)));
  # Secrets with paths rewritten to the store location
  storedSecrets = mapAttrsRecursiveCond (v: !isFile v)
    (names: secret:
      if isFile secret
-        then "/run/secrets/${concatStringsSep "-" names}"
+        then "/var/secrets/${concatStringsSep "-" names}"
        else secret) cfg;
 in {
@ -76,7 +77,7 @@ in {
      Definitions of runtime secrets. This is a freeform attributes
      set: it can contain arbitrarily nested sets of secrets.
      Secrets are paths to be copied into the secrets store
-      (/run/secrets) with proper permission and owenership.
+      (/var/secrets) with proper permission and owenership.
    '';
  };
@ -108,36 +109,29 @@ in {
  config.system.activationScripts.secrets-copy = {
    deps = [ ];
    text =
    ''
      echo setting up secrets store...
      rm -rf /run/secrets
    '' + concatMapStrings (pair:
    let
      name = "${concatStringsSep "-" pair.path}";
      secret = pair.value;
    in
      ''
-        # Install secret ${name}
+      secret=${(head secretFiles).value.path}
-        install -m ${secret.mode} -D ${secret.path} /run/secrets/${name}
+      if test -f "$secret"; then
-      '') secretFiles;
+        echo copying secrets...
        rm -rf /var/secrets
        ${concatMapStrings (f: ''
          install -m ${f.value.mode} -D ${f.value.path} /var/secrets/${f.name}
        '') secretFiles}
      fi
    '';
  };
  # Set secrets ownership, later because the
  # `user` activation script hasn't run yet.
  config.system.activationScripts.secrets-own = {
-    deps = [ "secrets-copy" "users" ];
+    deps = [ "users" "groups" ];
    text =
    ''
-    echo setting secrets ownership...
+      echo setting secrets ownership...
-    '' + concatMapStrings (pair:
+      ${concatMapStrings (f: ''
-    let
+        chown ${f.value.user}:${f.value.group} /var/secrets/${f.name}
-      name = "${concatStringsSep "-" pair.path}";
+      '') secretFiles}
-      secret = pair.value;
+    '';
    in
      ''
        # Set ownership of ${name}
        chown ${secret.user}:${secret.group} /run/secrets/${name}
      '') secretFiles;
  };
 }