feat optional private secret part
in: trunk
2 files changed
modules/fleet/secrets.nixdiffbeforeafterboth1{ lib, fleet, config, ... }: with lib;2let3 sharedSecret = with types; {4 options = {5 owners = mkOption {6 type = listOf str;7 description = ''8 List of hosts to encrypt secret for910 Secrets would be decrypted and stored to /run/secrets/$\{name} on owners11 '';12 };13 generator = mkOption {14 type = package;15 description = "Derivation to execute for secret generation";16 };17 expireIn = mkOption {18 type = nullOr int;19 description = "Time in hours, in which this secret should be regenerated";20 default = null;21 };22 public = mkOption {23 type = nullOr str;24 description = "Secret public data";25 default = null;26 };27 secret = mkOption {28 type = str;29 description = "Encrypted secret data";30 };31 };32 };33 hostSecret = with types; {34 options = {35 generator = mkOption {36 type = package;37 description = "Derivation to execute for secret generation";38 };39 expireIn = mkOption {40 type = nullOr int;41 description = "Time in hours, in which this secret should be regenerated";42 default = null;43 };44 public = mkOption {45 type = nullOr str;46 description = "Secret public data";47 default = null;48 };49 secret = mkOption {50 type = str;51 description = "Encrypted secret data";52 };53 };54 };55in56{57 options = with types; {58 sharedSecrets = mkOption {59 type = attrsOf (submodule sharedSecret);60 default = { };61 description = "Shared secrets";62 };63 hostSecrets = mkOption {64 type = attrsOf (attrsOf (submodule hostSecret));65 default = { };66 description = "Host secrets";67 };68 };69 config = with fleet; {70 hosts = hostsToAttrs (host: {71 modules =72 let73 cleanupSecret = (secretName: v: {74 inherit (v) public secret;75 });76 in77 [78 {79 secrets = (mapAttrs cleanupSecret80 (filterAttrs (_: v: builtins.elem host v.owners) config.sharedSecrets)81 ) // (mapAttrs cleanupSecret (config.hostSecrets.${host} or {}));82 }83 ];84 });85 };86}1{ lib, fleet, config, ... 
}: with lib;2let3 sharedSecret = with types; {4 options = {5 owners = mkOption {6 type = listOf str;7 description = ''8 List of hosts to encrypt secret for910 Secrets would be decrypted and stored to /run/secrets/$\{name} on owners11 '';12 };13 generator = mkOption {14 type = package;15 description = "Derivation to execute for secret generation";16 };17 expireIn = mkOption {18 type = nullOr int;19 description = "Time in hours, in which this secret should be regenerated";20 default = null;21 };22 public = mkOption {23 type = nullOr str;24 description = "Secret public data";25 default = null;26 };27 secret = mkOption {28 type = nullOr str;29 description = "Encrypted secret data";30 default = null;31 };32 };33 };34 hostSecret = with types; {35 options = {36 generator = mkOption {37 type = package;38 description = "Derivation to execute for secret generation";39 };40 expireIn = mkOption {41 type = nullOr int;42 description = "Time in hours, in which this secret should be regenerated";43 default = null;44 };45 public = mkOption {46 type = nullOr str;47 description = "Secret public data";48 default = null;49 };50 secret = mkOption {51 type = str;52 description = "Encrypted secret data";53 };54 };55 };56in57{58 options = with types; {59 sharedSecrets = mkOption {60 type = attrsOf (submodule sharedSecret);61 default = { };62 description = "Shared secrets";63 };64 hostSecrets = mkOption {65 type = attrsOf (attrsOf (submodule hostSecret));66 default = { };67 description = "Host secrets";68 };69 };70 config = with fleet; {71 hosts = hostsToAttrs (host: {72 modules =73 let74 cleanupSecret = (secretName: v: {75 inherit (v) public secret;76 });77 in78 [79 {80 secrets = (mapAttrs cleanupSecret81 (filterAttrs (_: v: builtins.elem host v.owners) config.sharedSecrets)82 ) // (mapAttrs cleanupSecret (config.hostSecrets.${host} or { }));83 }84 ];85 });86 };87}modules/nixos/secrets.nixdiffbeforeafterboth--- a/modules/nixos/secrets.nix
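Review bot: Only `sharedSecret.secret` becomes `nullOr str` with `default = null`; `hostSecret.secret` (after-side lines 50-53) is still a required `str`, so the "optional private part" applies to shared secrets only, and if that is intended the two option descriptions should say so. The `cleanupSecret` helper still forwards `secret` unchanged via `inherit (v) public secret;`, so a public-only shared secret reaches each owner host as `secret = null`, and the per-host NixOS module has to tolerate that value; the second file's hunk suggests it does, but nothing in this section states the contract. A one-line description would make the new semantics visible at the option: `description = "Encrypted secret data; null for secrets that carry only a public part";`.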
+++ b/modules/nixos/secrets.nix
@@ -1,9 +1,12 @@
-{ lib, config, pkgs, ... }: with lib;
+{ lib, config, pkgs, ... }:
+
+with lib;
+
let
sysConfig = config;
secretType = types.submodule ({ config, ... }: {
config = {
- path = mkOptionDefault (if config.secret == null then (error "secret is not set") else "/run/secrets/${config._module.args.name}");
+ path = mkOptionDefault "/run/secrets/${config._module.args.name}";
publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);
};
options = {
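Review bot: The new default `path = mkOptionDefault "/run/secrets/${config._module.args.name}";` removes the `config.secret == null` guard, so a public-only secret now advertises a `path` that, as far as this file shows, nothing will ever populate; any consumer that references `config.path` for such a secret fails at activation or first read instead of at evaluation with a clear message. Because `mkOptionDefault` is lazy, the guard can stay without blocking public-only secrets that are never asked for a path: `path = mkOptionDefault (if config.secret == null then throw "secret ${config._module.args.name} has no private part" else "/run/secrets/${config._module.args.name}");`. Later in the same file `readOnly = true` is also dropped from `path`, so a module can now override where the decrypted material is expected; whether the decryption step honours that override is not visible here, and if it does, the option description should say the location must stay on the runtime tmpfs. The `secretType` submodule continues past this hunk.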
@@ -35,12 +38,10 @@
path = mkOption {
type = types.str;
- readOnly = true;
description = "Path to the decrypted secret";
};
publicPath = mkOption {
type = types.package;
- readOnly = true;
description = "Path to the public part of secret";
};
};