makefu/stockholm
1
0
Fork 0
Code Issues Pull requests Actions1 Packages Projects Releases Wiki Activity

krebs.secret: init

Browse source
This commit is contained in:
tv 2016-02-21 05:27:37 +01:00
parent d8d39f5c4a
commit b5fbca3a36
3 changed files with 53 additions and 0 deletions

1
krebs/3modules/default.nix
View file

@ -28,6 +28,7 @@ let
./realwallpaper.nix
./retiolum-bootstrap.nix
./retiolum.nix
./secret.nix
./setuid.nix
./tinc_graphs.nix
./urlwatch.nix

39
krebs/3modules/secret.nix Normal file
View file

@ -0,0 +1,39 @@
{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
cfg = config.krebs.secret;
in {
options.krebs.secret = {
files = mkOption {
type = with types; attrsOf secret-file;
default = {};
};
};
config = lib.mkIf (cfg.files != {}) {
systemd.services.secret = let
# TODO fail if two files have the same path but differ otherwise
files = unique (map (flip removeAttrs ["_module"])
(attrValues cfg.files));
in {
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
SyslogIdentifier = "secret";
ExecStart = pkgs.writeDash "install-secret-files" ''
exit_code=0
${concatMapStringsSep "\n" (file: ''
${pkgs.coreutils}/bin/install \
-D \
--compare \
--verbose \
--mode=${shell.escape file.mode} \
--owner=${shell.escape file.owner-name} \
--group=${shell.escape file.group-name} \
${shell.escape file.source-path} \
${shell.escape file.path} \
|| exit_code=1
'') files}
exit $exit_code
'';
};
};
};
}

13
krebs/4lib/types.nix
View file

@ -143,6 +143,19 @@ types // rec {
merge = mergeOneOption;
};
secret-file = submodule ({ config, ... }: {
options = {
path = mkOption { type = str; };
mode = mkOption { type = str; default = "0400"; };
owner-name = mkOption { type = str; default = "root"; };
group-name = mkOption { type = str; default = "root"; };
source-path = mkOption {
type = str;
default = toString <secrets> + "/${config._module.args.name}";
};
};
});
suffixed-str = suffs:
mkOptionType {
name = "string suffixed by ${concatStringsSep ", " suffs}";