feat optional private secret part
in: trunk
2 files changed
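--- a/modules/fleet/secrets.nix
+++ b/modules/fleet/secrets.nix
@@ -25,8 +25,9 @@
 default = null;
 };
 secret = mkOption {
-type = str;
+type = nullOr str;
 description = "Encrypted secret data";
+default = null;
 };
 };
 };
@@ -78,7 +79,7 @@
 {
 secrets = (mapAttrs cleanupSecret
 (filterAttrs (_: v: builtins.elem host v.owners) config.sharedSecrets)
-) // (mapAttrs cleanupSecret (config.hostSecrets.${host} or {}));
+) // (mapAttrs cleanupSecret (config.hostSecrets.${host} or { }));
 }
 ];
 });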
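Review bot: Making `secret` a `nullOr str` with `default = null;` in the first hunk means an entry that sets neither part is now accepted silently, since the option that closes just above it already carries `default = null;`, and such an empty entry still flows through `cleanupSecret` into every owner's `secrets` set in the second hunk; nothing in the hunk asserts that at least one of the two parts is provided. If public-only entries are the intended use, state it in the option text, e.g. `description = "Encrypted secret data; null for entries that carry only a public part";`, and add an assertion that rejects entries with both parts unset so a mis-typed attribute name does not degrade into a secret that is never installed. The option set and `cleanupSecret` begin outside the hunk, so I cannot tell whether `cleanupSecret` strips a null `secret` before the value reaches the host module. The second hunk is whitespace only.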
modules/nixos/secrets.nixdiffbeforeafterboth1{ lib, config, pkgs, ... }: with lib;2let3 sysConfig = config;4 secretType = types.submodule ({ config, ... }: {5 config = {6 path = mkOptionDefault (if config.secret == null then (error "secret is not set") else "/run/secrets/${config._module.args.name}");7 publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);8 };9 options = {10 public = mkOption {11 type = types.nullOr types.str;12 description = "Secret public data";13 default = null;14 };15 secret = mkOption {16 type = types.nullOr types.str;17 description = "Encrypted secret data";18 default = null;19 };20 mode = mkOption {21 type = types.str;22 description = "Secret mode";23 default = "0440";24 };25 owner = mkOption {26 type = types.str;27 description = "Owner of the secret";28 default = "root";29 };30 group = mkOption {31 type = types.str;32 description = "Group of the secret";33 default = sysConfig.users.users.${config.owner}.group;34 };3536 path = mkOption {37 type = types.str;38 readOnly = true;39 description = "Path to the decrypted secret";40 };41 publicPath = mkOption {42 type = types.package;43 readOnly = true;44 description = "Path to the public part of secret";45 };46 };47 });48 secretsFile = pkgs.writeTextFile {49 name = "secrets.json";50 text = builtins.toJSON config.secrets;51 };52in53{54 options = {55 secrets = mkOption {56 type = types.attrsOf secretType;57 default = { };58 description = "Host-local secrets";59 };60 };61 config = {62 system.activationScripts.decryptSecrets = stringAfter [ "users" "groups" "specialfs" ] ''63 1>&2 echo "setting up secrets"64 ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets ${secretsFile}65 '';66 };67}1{ lib, config, pkgs, ... }:23with lib;45let6 sysConfig = config;7 secretType = types.submodule ({ config, ... 
}: {8 config = {9 path = mkOptionDefault "/run/secrets/${config._module.args.name}";10 publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);11 };12 options = {13 public = mkOption {14 type = types.nullOr types.str;15 description = "Secret public data";16 default = null;17 };18 secret = mkOption {19 type = types.nullOr types.str;20 description = "Encrypted secret data";21 default = null;22 };23 mode = mkOption {24 type = types.str;25 description = "Secret mode";26 default = "0440";27 };28 owner = mkOption {29 type = types.str;30 description = "Owner of the secret";31 default = "root";32 };33 group = mkOption {34 type = types.str;35 description = "Group of the secret";36 default = sysConfig.users.users.${config.owner}.group;37 };3839 path = mkOption {40 type = types.str;41 description = "Path to the decrypted secret";42 };43 publicPath = mkOption {44 type = types.package;45 description = "Path to the public part of secret";46 };47 };48 });49 secretsFile = pkgs.writeTextFile {50 name = "secrets.json";51 text = builtins.toJSON config.secrets;52 };53in54{55 options = {56 secrets = mkOption {57 type = types.attrsOf secretType;58 default = { };59 description = "Host-local secrets";60 };61 };62 config = {63 system.activationScripts.decryptSecrets = stringAfter [ "users" "groups" "specialfs" ] ''64 1>&2 echo "setting up secrets"65 ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets ${secretsFile}66 '';67 };68}
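Review bot: Taking the formatted listing (the one with `with lib;` on its own line) as the new side, which the `or { }` reformat in the fleet module suggests but the page does not mark, the `path` default loses its `if config.secret == null then (error "secret is not set")` guard and both `path` and `publicPath` lose `readOnly = true;`, while `builtins.toJSON config.secrets` will now serialize `"secret": null` into secrets.json for public-only entries. Without the guard, a consumer that references `.path` of an entry whose `secret` is null gets `/run/secrets/<name>` even though the activation script has nothing to decrypt into it, so the failure moves from evaluation time to a missing file at runtime; without `readOnly`, another module can override `path` or `publicPath` to a location outside `/run/secrets`, which the old definitions rejected. I would keep `readOnly = true;` on both options and either restore the guard or document the new contract on `path`, e.g. `description = "Path to the decrypted secret; not populated for entries without a secret part";`. Whether `fleet-install-secrets` tolerates a null `secret` field is not visible on this page and should be confirmed before merging.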