aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIgor Pashev <pashev.igor@gmail.com>2016-10-13 15:54:56 +0300
committerIgor Pashev <pashev.igor@gmail.com>2016-10-13 15:58:57 +0300
commitb24ae5d345aa84bdba20efbb4a14ddfc9bf39873 (patch)
tree9260c82e8d0842ba96b7ded18380a6942511c322
parentce9b13535462943f60081445797fc7ba24a0c0ce (diff)
downloadnixsap-b24ae5d345aa84bdba20efbb4a14ddfc9bf39873.tar.gz
Added nixsap.deployment.keyStore
-rw-r--r--modules/deployment/keyrings.nix32
1 files changed, 25 insertions, 7 deletions
diff --git a/modules/deployment/keyrings.nix b/modules/deployment/keyrings.nix
index 6230107..e5d0110 100644
--- a/modules/deployment/keyrings.nix
+++ b/modules/deployment/keyrings.nix
@@ -5,8 +5,9 @@ let
inherit (builtins)
attrNames baseNameOf head match pathExists readFile toString ;
inherit (lib)
- foldl genAttrs mapAttrsToList mkOption optionalAttrs types ;
- inherit (types)
+ filter foldl genAttrs hasPrefix mapAttrsToList mkOption
+ optionalAttrs unique ;
+ inherit (lib.types)
attrsOf listOf nullOr path ;
allusers = config.users.users;
@@ -26,19 +27,35 @@ in {
options.nixsap.deployment = {
secrets = mkOption {
description = ''
- Directory with the secrets. If not specified,
+ Directory with the secrets on the deploy machine. If not specified,
each key will be an empty file.
'';
type = nullOr path;
default = null;
example = "<secrets>";
};
+
+ keyStore = mkOption {
+ description = ''
+ Directory with the keys on the target machine. NixOps uses /run/keys,
+ and this is default. If you use another deployment tool, you would
+ like to set it to something else.
+ '';
+ type = path;
+ default = "/run/keys";
+ example = "/root/keys";
+ };
+
keyrings = mkOption {
- type = attrsOf (listOf path);
+ type = attrsOf (listOf (nullOr path));
description = ''
Binds keys to a user. It's possible to share the same key between
- multiple users, of course by different names: "/run/keys/foo" and
- "/run/keys/foo[bar]" will use the same secret file "foo".
+ multiple users, of course by different names: "/run/keys/foo"
+ and "/run/keys/foo[bar]" will use the same secret file "foo". Any
+ file whose path does not start with <nixsap.deployment.keyStore> is
+ deliberately ignored. E. i. you can pass any file names, and nixsap
+ will pick up keys for you. For convenience, it it allowed to pass
+ null values, which are filtered-out as well.
'';
default = {};
example = { mysqlbackup = [ "/run/keys/s3cmd.cfg" ];
@@ -54,7 +71,8 @@ in {
deployment.keys = foldl (a: b: a//b) {} (
mapAttrsToList (name: keys:
- genAttrs (map baseNameOf keys)
+ let realkeys = unique (filter (n: n != null && hasPrefix cfg.keyStore n) keys);
+ in genAttrs (map baseNameOf realkeys)
(key: { text = read key;
user = toString allusers.${name}.uid;
})