

refactor! remove secret.path

Yaroslav Bolyukin2022-09-02parent: #3fd8433.patch.diff
in: trunk
BREAKING CHANGE: all .path usages should be switched to .secretPath

1 file changed

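--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -1,102 +1,97 @@
 { lib, config, pkgs, ... }:
 
 with lib;
 
 let
   sysConfig = config;
   secretType = types.submodule ({ config, ... }: {
     config = rec {
-      path = warn "use .stableSecretPath instead of .path (at config.secrets.${config._module.args.name})" stableSecretPath;
       stableSecretPath = mkOptionDefault "/run/secrets/secret-stable-${config._module.args.name}";
       secretPath = mkOptionDefault "/run/secrets/secret-${config.secretHash}-${config._module.args.name}";
       secretHash = mkOptionDefault (if config.secret != null then (builtins.hashString "sha1" config.secret) else "<missingno>");
 
       stablePublicPath = mkOptionDefault "/run/secrets/public-stable-${config._module.args.name}";
       publicPath = mkOptionDefault "/run/secrets/public-${config.publicHash}-${config._module.args.name}";
       publicHash = mkOptionDefault (if config.public != null then (builtins.hashString "sha1" config.public) else "<missingno>");
     };
     options = {
       public = mkOption {
         type = types.nullOr types.str;
         description = "Secret public data";
         default = null;
       };
       secret = mkOption {
         type = types.nullOr types.str;
         description = "Encrypted secret data";
         default = null;
       };
       mode = mkOption {
         type = types.str;
         description = "Secret mode";
         default = "0440";
       };
       owner = mkOption {
         type = types.str;
         description = "Owner of the secret";
         default = "root";
       };
       group = mkOption {
         type = types.str;
         description = "Group of the secret";
         default = sysConfig.users.users.${config.owner}.group;
       };
 
       secretHash = mkOption {
         type = types.str;
         description = "Hash of .secret field";
       };
       publicHash = mkOption {
         type = types.str;
         description = "Hash of .public field";
       };
 
-      path = mkOption {
-        type = types.str;
-        description = "Path to the decrypted secret";
-      };
       stableSecretPath = mkOption {
         type = types.str;
-        description = """
+        description = ''
           Use this, if target process supports re-reading of secret from disk,
           and doesn't needs to be restarted when secret is updated in file
-        """;
+        '';
       };
       secretPath = mkOption {
         type = types.str;
         description = "Path to decrypted secret, suffixed with contents hash";
       };
 
       stablePublicPath = mkOption {
         type = types.str;
-        description = """
+        description = ''
           Use this, if target process supports re-reading of secret from disk,
           and doesn't needs to be restarted when secret is updated in file
-        """;
+        '';
       };
       publicPath = mkOption {
         type = types.str;
         description = "Path to the public part of secret";
       };
     };
   });
   secretsFile = pkgs.writeTextFile {
     name = "secrets.json";
     text = builtins.toJSON config.secrets;
   };
 in
 {
   options = {
     secrets = mkOption {
       type = types.attrsOf secretType;
       default = { };
       description = "Host-local secrets";
     };
   };
   config = {
     system.activationScripts.decryptSecrets = stringAfter [ "users" "groups" "specialfs" ] ''
       1>&2 echo "setting up secrets"
       ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets ${secretsFile}
     '';
   };
 }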
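Review bot: The replacement for the removed `.path` option is left ambiguous: the deleted deprecation warning pointed users at `.stableSecretPath`, while the BREAKING CHANGE trailer says `.secretPath`, and the two behave differently (the stable path is fixed, whereas the hash-suffixed path presumably changes whenever the secret is rotated, which is what would force dependent units to restart). A short comment at the `secretPath` default, such as `# hash-suffixed: changes on rotation so dependents restart; use stableSecretPath when the process re-reads the file itself`, would make that migration choice explicit. The `stablePublicPath` description is a copy of the `stableSecretPath` one and still talks about "secret" rather than the public part, and both read "doesn't needs" where "doesn't need" is meant. `secretHash` is `builtins.hashString "sha1"` of the encrypted value and is embedded in a filename under `/run/secrets`, so anyone able to list that directory can observe the hash and when it changes; this looks intentional, but a one-line comment at the `secretHash` default stating that the hash is an identifier, not a protection, would help the next reader. The description delimiters also change from `"""` to `''` in this commit, which the message does not mention.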