Added nixsap.deployment.keyStore

1 files changed, 25 insertions, 7 deletions

diff --git a/modules/deployment/keyrings.nix b/modules/deployment/keyrings.nix
index 6230107..e5d0110 100644
--- a/modules/deployment/keyrings.nix
+++ b/modules/deployment/keyrings.nix
@@ -5,8 +5,9 @@ let
   inherit (builtins)
     attrNames baseNameOf head match pathExists readFile toString ;
   inherit (lib)
-    foldl genAttrs mapAttrsToList mkOption optionalAttrs types ;
-  inherit (types)
+    filter foldl genAttrs hasPrefix mapAttrsToList mkOption
+    optionalAttrs unique ;
+  inherit (lib.types)
     attrsOf listOf nullOr path ;
 
   allusers = config.users.users;
@@ -26,19 +27,35 @@ in {
   options.nixsap.deployment = {
     secrets = mkOption {
       description = ''
-        Directory with the secrets. If not specified,
+        Directory with the secrets on the deploy machine. If not specified,
         each key will be an empty file.
         '';
       type = nullOr path;
       default = null;
       example = "<secrets>";
     };
+
+    keyStore = mkOption {
+      description = ''
+        Directory with the keys on the target machine.  NixOps uses /run/keys,
+        and this is default.  If you use another deployment tool, you would
+        like to set it to something else.
+        '';
+      type = path;
+      default = "/run/keys";
+      example = "/root/keys";
+    };
+
     keyrings = mkOption {
-      type = attrsOf (listOf path);
+      type = attrsOf (listOf (nullOr path));
       description = ''
         Binds keys to a user. It's possible to share the same key between
-        multiple users, of course by different names: "/run/keys/foo" and
-        "/run/keys/foo[bar]" will use the same secret file "foo".
+        multiple users, of course by different names: "/run/keys/foo"
+        and "/run/keys/foo[bar]" will use the same secret file "foo". Any
+        file whose path does not start with <nixsap.deployment.keyStore> is
+        deliberately ignored. E. i. you can pass any file names, and nixsap
+        will pick up keys for you. For convenience, it it allowed to pass
+        null values, which are filtered-out as well.
       '';
       default = {};
       example = { mysqlbackup = [ "/run/keys/s3cmd.cfg" ];
@@ -54,7 +71,8 @@ in {
 
     deployment.keys = foldl (a: b: a//b) {} (
       mapAttrsToList (name: keys:
-        genAttrs (map baseNameOf keys)
+        let realkeys = unique (filter (n: n != null && hasPrefix cfg.keyStore n) keys);
+        in genAttrs (map baseNameOf realkeys)
                  (key: { text = read key;
                          user = toString allusers.${name}.uid;
                        })