diff options
-rw-r--r-- | modules/deployment/keyrings.nix | 32 |
1 files changed, 25 insertions, 7 deletions
diff --git a/modules/deployment/keyrings.nix b/modules/deployment/keyrings.nix index 6230107..e5d0110 100644 --- a/modules/deployment/keyrings.nix +++ b/modules/deployment/keyrings.nix @@ -5,8 +5,9 @@ let inherit (builtins) attrNames baseNameOf head match pathExists readFile toString ; inherit (lib) - foldl genAttrs mapAttrsToList mkOption optionalAttrs types ; - inherit (types) + filter foldl genAttrs hasPrefix mapAttrsToList mkOption + optionalAttrs unique ; + inherit (lib.types) attrsOf listOf nullOr path ; allusers = config.users.users; @@ -26,19 +27,35 @@ in { options.nixsap.deployment = { secrets = mkOption { description = '' - Directory with the secrets. If not specified, + Directory with the secrets on the deploy machine. If not specified, each key will be an empty file. ''; type = nullOr path; default = null; example = "<secrets>"; }; + + keyStore = mkOption { + description = '' + Directory with the keys on the target machine. NixOps uses /run/keys, + and this is default. If you use another deployment tool, you would + like to set it to something else. + ''; + type = path; + default = "/run/keys"; + example = "/root/keys"; + }; + keyrings = mkOption { - type = attrsOf (listOf path); + type = attrsOf (listOf (nullOr path)); description = '' Binds keys to a user. It's possible to share the same key between - multiple users, of course by different names: "/run/keys/foo" and - "/run/keys/foo[bar]" will use the same secret file "foo". + multiple users, of course by different names: "/run/keys/foo" + and "/run/keys/foo[bar]" will use the same secret file "foo". Any + file whose path does not start with <nixsap.deployment.keyStore> is + deliberately ignored. E. i. you can pass any file names, and nixsap + will pick up keys for you. For convenience, it it allowed to pass + null values, which are filtered-out as well. ''; default = {}; example = { mysqlbackup = [ "/run/keys/s3cmd.cfg" ]; @@ -54,7 +71,8 @@ in { deployment.keys = foldl (a: b: a//b) {} ( mapAttrsToList (name: keys: - genAttrs (map baseNameOf keys) + let realkeys = unique (filter (n: n != null && hasPrefix cfg.keyStore n) keys); + in genAttrs (map baseNameOf realkeys) (key: { text = read key; user = toString allusers.${name}.uid; }) |