secrets.nix
{ config, lib, ... }:
with builtins;
with lib;
{
options.keys =
  let
    # One entry per secret; the attribute name doubles as the file name that
    # is looked up under ./secrets/ when the key is deployed.
    secret = types.submodule {
      options = {
        # systemd units that must not start before this key has been uploaded.
        services = mkOption {
          type = types.listOf types.str;
          default = [ ];
        };
        # Ownership and mode of the deployed key file.  The defaults leave the
        # key readable by root alone.
        user = mkOption {
          type = types.str;
          default = "root";
        };
        group = mkOption {
          type = types.str;
          default = "root";
        };
        permissions = mkOption {
          type = types.str;
          default = "0400";
        };
      };
    };
  in
  mkOption { type = types.attrsOf secret; };
config = {
deployment.keys = mapAttrs (name: { user, group, permissions, ... }: {
  # The key material is read from the repo-local file ./secrets/<name>.
  keyFile = ./secrets + "/${name}";
  # Ownership and mode are taken straight from the `keys.<name>` definition.
  inherit user group permissions;
  # Uploaded only after the new configuration has been activated
  # (NixOps `uploadAt` setting).
  uploadAt = "post-activation";
}) config.keys;
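systemd.services =
  let
    # For one secret, build { <service> = <secret name>; } for every service
    # that lists it.  genAttrs collapses a service named twice under the same
    # secret into a single entry.
    servicesOfSecret = name: value: genAttrs value.services (_: name);
    # One such attrset per declared secret (empty when it serves no service).
    perSecret = mapAttrsToList servicesOfSecret config.keys;
    # Merge by service name, keeping EVERY secret that lists the service.
    # The previous `foldl' (a: b: a // b)` merge kept only the last secret for
    # a service shared by several secrets, so that service silently lost its
    # ordering/requirement on the other key units.
    secretsOfService = zipAttrsWith (_service: secrets: secrets) perSecret;
    # NixOps exposes each uploaded key as <secret>-key.service.
    keyUnit = secret: "${secret}-key.service";
  in
  mapAttrs (_service: secrets: {
    # Hold the service back until all of its key units are up, and pull the
    # key units in whenever the service is started.
    after = map keyUnit secrets;
    requires = map keyUnit secrets;
  }) secretsOfService;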
};
}