Created
October 18, 2022 09:03
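# NixOS module: declares `secrets.<name>` options and maps every declared
# secret onto a `deployment.keys` entry whose content is produced by running
# `gpg --decrypt` on `<basePath>/<shared-or-hostname>/<name>.gpg`.
{ config, pkgs, lib, ... }:
let
  # Directory in the source tree holding the encrypted `.gpg` files: one
  # subdirectory per host (named after `networking.hostName`) plus `shared`.
  basePath = ../secrets;
in
{
  options.secrets = with lib; with types; mkOption {
    description = "Secrets to decrypt and install under /var/secrets on the target.";
    type = attrsOf (submodule ({ name, ... }: {
      options = {
        user = mkOption {
          type = str;
          description = "Owner of the secret";
          default = "root";
        };
        group = mkOption {
          type = str;
          description = "Group the secret should be owned by";
          default = "root";
        };
        mode = mkOption {
          type = str;
          description = "Permissions of the secret";
          default = "0400";
        };
        uploadAt = mkOption {
          type = enum [ "pre-activation" "post-activation" ];
          description = "Whether the secret is uploaded before or after the new configuration is activated.";
          default = "pre-activation";
        };
        path = mkOption {
          # Computed from the attribute name below; not user-settable.
          type = str;
          readOnly = true;
          description = "Path the decrypted secret is installed at on the target.";
        };
        shared = mkOption {
          type = bool;
          description = "If true, this secret is fetched from the 'shared' directory instead of using the hostname.";
          default = false;
        };
      };
      config.path = "/var/secrets/${name}";
    }));
  };

  config = {
    secrets = { };

    deployment.keys = lib.flip lib.mapAttrs config.secrets (name: value:
      let
        # `toString` keeps this an ordinary filesystem path string. Interpolating
        # the path value itself ("${basePath + ...}") would copy the whole per-host
        # (or shared) secrets directory into the world-readable Nix store; the
        # ciphertext only needs to be readable by gpg where keyCommand runs.
        secretDir = toString (basePath + (if value.shared then "/shared" else "/" + config.networking.hostName));
      in
      {
        keyCommand = [ "gpg" "--decrypt" "${secretDir}/${name}.gpg" ];
        inherit (value) user group uploadAt;
        permissions = value.mode;
        destDir = "/var/secrets";
      });

    # Create the destination directory before any key is installed.
    # NOTE(review): group `keys` is presumably the deployment tooling's key
    # group — confirm it exists on the target.
    systemd.tmpfiles.rules = [ ''
      d /var/secrets 0750 root keys
    '' ];
  };
}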