1 files changed, 17 insertions, 6 deletions

diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index 0d5b51f76..aa7b7a9f5 100644
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -76,7 +76,6 @@ types // rec {
         default =
           optional (config.ip4 != null) config.ip4.addr ++
           optional (config.ip6 != null) config.ip6.addr;
-        readOnly = true;
       };
       aliases = mkOption {
         # TODO nonEmptyListOf hostname
@@ -162,11 +161,21 @@ types // rec {
 
   secret-file = submodule ({ config, ... }: {
     options = {
-      path = mkOption { type = str; };
-      mode = mkOption { type = file-mode; default = "0400"; };
+      name = mkOption {
+        type = filename;
+        default = config._module.args.name;
+      };
+      path = mkOption {
+        type = absolute-pathname;
+        default = "/run/keys/${config.name}";
+      };
+      mode = mkOption {
+        type = file-mode;
+        default = "0400";
+      };
       owner = mkOption {
         type = user;
-        default = config.krebs.users.root;
+        default = users.root;
       };
       group-name = mkOption {
         type = str;
@@ -174,7 +183,7 @@ types // rec {
       };
       source-path = mkOption {
         type = str;
-        default = toString <secrets> + "/${config._module.args.name}";
+        default = toString <secrets> + "/${config.name}";
       };
     };
   });
@@ -342,7 +351,9 @@ types // rec {
   absolute-pathname = mkOptionType {
     name = "POSIX absolute pathname";
     check = x: let xs = splitString "/" x; xa = head xs; in
-      isString x && (xa == "/" || (xa == "" && all filename.check (tail xs)));
+         isString x
+      && stringLength x > 0
+      && (xa == "/" || (xa == "" && all filename.check (tail xs)));
     merge = mergeOneOption;
   };