

refactor new secrets structure

Yaroslav Bolyukin2022-08-28parent: #aeb19ed.patch.diff
in: trunk

2 files changed

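--- a/cmds/install-secrets/src/main.rs
+++ b/cmds/install-secrets/src/main.rs
@@ -24,12 +24,18 @@
 }
 
 #[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
 struct DataItem {
 	group: String,
 	mode: String,
 	owner: String,
+
 	#[serde(deserialize_with = "from_z85")]
 	secret: Option<Vec<u8>>,
+	public: String,
+
+	secret_hash: String,
+	public_path: String,
 }
 
 fn from_z85<'de, D>(deserializer: D) -> Result<Option<Vec<u8>>, D::Error>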
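Review bot: `public: String` on DataItem rejects a JSON `null`, whereas the Nix side in this same commit guards `config.public != null`, so an entry without a public part would fail deserialization of the whole data file instead of being handled like `secret: Option<Vec<u8>>`; unless the generator is known to always emit a string (not visible here), make it `public: Option<String>,`. The three new fields also carry no doc comments; with `rename_all = "camelCase"` the wire keys become `secretHash` and `publicPath`, which is worth stating on the struct, e.g. `/// One secret entry; field names map to camelCase JSON keys (secretHash, publicPath).`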
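--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -5,9 +5,15 @@
 let
   sysConfig = config;
   secretType = types.submodule ({ config, ... }: {
-    config = {
-      path = mkOptionDefault "/run/secrets/${config._module.args.name}";
-      publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);
+    config = rec {
+      path = warn "use .stableSecretPath instead of .path (at config.secrets.${config._module.args.name})" stableSecretPath;
+      stableSecretPath = mkOptionDefault "/run/secrets/secret-stable-${config._module.args.name}";
+      secretPath = mkOptionDefault "/run/secrets/secret-${config.secretHash}-${config._module.args.name}";
+      secretHash = mkOptionDefault (if config.secret != null then (builtins.hashString "sha1" config.secret) else "<missingno>");
+
+      stablePublicPath = mkOptionDefault "/run/secrets/public-stable-${config._module.args.name}";
+      publicPath = mkOptionDefault "/run/secrets/public-${config.publicHash}-${config._module.args.name}";
+      publicHash = mkOptionDefault (if config.public != null then (builtins.hashString "sha1" config.public) else "<missingno>");
     };
     options = {
       public = mkOption {
@@ -36,12 +42,40 @@
         default = sysConfig.users.users.${config.owner}.group;
       };
+
+      secretHash = mkOption {
+        type = types.str;
+        description = "Hash of .secret field";
+      };
+      publicHash = mkOption {
+        type = types.str;
+        description = "Hash of .public field";
+      };
 
       path = mkOption {
         type = types.str;
         description = "Path to the decrypted secret";
       };
+      stableSecretPath = mkOption {
+        type = types.str;
+        description = """
+          Use this, if target process supports re-reading of secret from disk,
+          and doesn't needs to be restarted when secret is updated in file
+        """;
+      };
+      secretPath = mkOption {
+        type = types.str;
+        description = "Path to decrypted secret, suffixed with contents hash";
+      };
+
+      stablePublicPath = mkOption {
+        type = types.str;
+        description = """
+          Use this, if target process supports re-reading of secret from disk,
+          and doesn't needs to be restarted when secret is updated in file
+        """;
+      };
       publicPath = mkOption {
-        type = types.package;
+        type = types.str;
         description = "Path to the public part of secret";
       };
     };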
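Review bot: `path = warn "…" stableSecretPath` inside the `rec` set binds the sibling attribute's raw `mkOptionDefault` wrapper rather than the merged option value, so a user who overrides `stableSecretPath` still gets the built-in default through `path`; drop `rec` and write `path = warn "use .stableSecretPath instead of .path (at config.secrets.${config._module.args.name})" config.stableSecretPath;`. The `description = """ … """` bodies of the new stableSecretPath and stablePublicPath options are not Nix indented strings — as rendered here they parse as an empty string applied to the text, which only surfaces when option documentation is evaluated; use `'' … ''`. Separately, `secretHash` is an unsalted SHA-1 of `config.secret` embedded in a file name under /run/secrets, and file names are visible to anyone able to list that directory regardless of the file's mode; if `config.secret` holds plaintext (not determinable from this hunk) that publishes an offline-checkable digest of the secret, so a keyed hash over the secret plus a per-host key, or a hash over the encrypted form, would be safer. The `secretType` submodule opened in the first hunk runs past it, and the `options` set closed at line 81 begins in the first hunk.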