difftreelog
feat optional private secret part
in: trunk
2 files changed
modules/fleet/secrets.nixdiffbeforeafterboth--- a/modules/fleet/secrets.nix
+++ b/modules/fleet/secrets.nix
@@ -25,8 +25,9 @@
default = null;
};
secret = mkOption {
- type = str;
+ type = nullOr str;
description = "Encrypted secret data";
+ default = null;
};
};
};
@@ -78,7 +79,7 @@
{
secrets = (mapAttrs cleanupSecret
(filterAttrs (_: v: builtins.elem host v.owners) config.sharedSecrets)
- ) // (mapAttrs cleanupSecret (config.hostSecrets.${host} or {}));
+ ) // (mapAttrs cleanupSecret (config.hostSecrets.${host} or { }));
}
];
});
modules/nixos/secrets.nixdiffbeforeafterboth3 sysConfig = config;6 sysConfig = config;4 secretType = types.submodule ({ config, ... }: {7 secretType = types.submodule ({ config, ... }: {5 config = {8 config = {6 path = mkOptionDefault (if config.secret == null then (error "secret is not set") else "/run/secrets/${config._module.args.name}");9 path = mkOptionDefault "/run/secrets/${config._module.args.name}";7 publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);10 publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);8 };11 };9 options = {12 options = {353836 path = mkOption {39 path = mkOption {37 type = types.str;40 type = types.str;38 readOnly = true;39 description = "Path to the decrypted secret";41 description = "Path to the decrypted secret";40 };42 };41 publicPath = mkOption {43 publicPath = mkOption {42 type = types.package;44 type = types.package;43 readOnly = true;44 description = "Path to the public part of secret";45 description = "Path to the public part of secret";45 };46 };46 };47 };