From ebcabdbbc52934270abe6067659a23aa784abc72 Mon Sep 17 00:00:00 2001
From: Yaroslav Bolyukin
Date: Sun, 28 Aug 2022 11:56:11 +0000
Subject: [PATCH] refactor: new secrets structure
---
--- a/cmds/install-secrets/src/main.rs
+++ b/cmds/install-secrets/src/main.rs
@@ -24,12 +24,18 @@
 }
 #[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
 struct DataItem {
 group: String,
 mode: String,
 owner: String,
+ #[serde(deserialize_with = "from_z85")]
 secret: Option>,
+ public: String,
+
+ secret_hash: String,
+ public_path: String,
 }
 fn from_z85<'de, D>(deserializer: D) -> Result>, D::Error>
--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -5,9 +5,15 @@ let
 sysConfig = config;
 secretType = types.submodule ({ config, ... }: {
- config = {
- path = mkOptionDefault "/run/secrets/${config._module.args.name}";
- publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);
+ config = rec {
+ path = warn "use .stableSecretPath instead of .path (at config.secrets.${config._module.args.name})" stableSecretPath;
+ stableSecretPath = mkOptionDefault "/run/secrets/secret-stable-${config._module.args.name}";
+ secretPath = mkOptionDefault "/run/secrets/secret-${config.secretHash}-${config._module.args.name}";
+ secretHash = mkOptionDefault (if config.secret != null then (builtins.hashString "sha1" config.secret) else "");
+
+ stablePublicPath = mkOptionDefault "/run/secrets/public-stable-${config._module.args.name}";
+ publicPath = mkOptionDefault "/run/secrets/public-${config.publicHash}-${config._module.args.name}";
+ publicHash = mkOptionDefault (if config.public != null then (builtins.hashString "sha1" config.public) else "");
 };
 options = {
 public = mkOption {
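Review bot: `secret_hash` is accepted from the manifest as an opaque `String`, and nothing in the hunk ties it to the bytes `from_z85` actually decodes into `secret`; if install-secrets uses it to build the on-disk name (the Nix side of this patch derives `secretPath` from `secretHash`), a manifest whose hash is stale yields a path that no longer reflects the content it advertises. Since the decoded secret is in hand, the installer can recompute the digest and refuse or log a mismatch instead of trusting the field; how `DataItem` is consumed is outside this hunk. Separately, attaching `deserialize_with` to an `Option` field disables serde's implicit `None` for an absent key, so if the generator omits `secret` when the Nix `secret` is null, the attribute needs `default` alongside it: `#[serde(default, deserialize_with = "from_z85")]`; whether `from_z85` itself accepts a JSON null is not visible here. The `from_z85` signature on the last line continues outside the hunk.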
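Review bot: `secretHash` is an unsalted `builtins.hashString "sha1"` of `config.secret` that is then embedded in `secretPath`, so a deterministic digest of whatever `config.secret` holds ends up in a file name and in every unit file, command line or log that references that path. If `config.secret` is plaintext rather than an encrypted or otherwise non-sensitive blob (the Rust side decodes it with `from_z85`, which does not settle this), that gives anyone who can observe paths an offline guessing oracle for low-entropy secrets; deriving the suffix from the ciphertext only, or from a keyed digest, avoids it, and a comment stating what `config.secret` contains at evaluation time would make the choice reviewable. The empty-string fallback when `secret` or `public` is null also yields names like `/run/secrets/secret--<name>`, which is legal but worth stating in the option description. `path` still resolves to `stableSecretPath`, so the `warn` is informational only; the submodule definition continues past the hunk.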
@@ -36,12 +42,40 @@
 default = sysConfig.users.users.${config.owner}.group;
 };
+ secretHash = mkOption {
+ type = types.str;
+ description = "Hash of .secret field";
+ };
+ publicHash = mkOption {
+ type = types.str;
+ description = "Hash of .public field";
+ };
+
 path = mkOption {
 type = types.str;
 description = "Path to the decrypted secret";
 };
+ stableSecretPath = mkOption {
+ type = types.str;
+ description = """
+ Use this, if target process supports re-reading of secret from disk,
+ and doesn't needs to be restarted when secret is updated in file
+ """;
+ };
+ secretPath = mkOption {
+ type = types.str;
+ description = "Path to decrypted secret, suffixed with contents hash";
+ };
+
+ stablePublicPath = mkOption {
+ type = types.str;
+ description = """
+ Use this, if target process supports re-reading of secret from disk,
+ and doesn't needs to be restarted when secret is updated in file
+ """;
+ };
 publicPath = mkOption {
- type = types.package;
+ type = types.str;
 description = "Path to the public part of secret";
 };
 };
-- gitstuff
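Review bot: The `stablePublicPath` description is a verbatim copy of the `stableSecretPath` one and talks about "re-reading of secret", so the rendered option docs describe the wrong field, and both read "doesn't needs". Suggested text for `stablePublicPath`: `Path to the public part of the secret that does not change when the content changes; use it if the consuming process re-reads the file and does not need a restart on update.`, and the same sentence with "decrypted secret" for `stableSecretPath`. `secretHash` and `publicHash` say only "Hash of .secret field"; naming the algorithm and the null case (`"SHA-1 hex digest of .secret, or the empty string when .secret is null"`) would document what the `secretPath`/`publicPath` suffix actually is. If the `description = """` / `""";` delimiters are literal rather than a page rendering of Nix's `''` indented strings, they do not parse as one string, so this is worth confirming against the source file. The enclosing submodule is not fully visible in the hunk.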