

refactor new secrets structure

Yaroslav Bolyukin2022-08-28parent: #aeb19ed.patch.diff
in: trunk

2 files changed

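--- a/cmds/install-secrets/src/main.rs
+++ b/cmds/install-secrets/src/main.rs
@@ -24,12 +24,18 @@
 }
 
 #[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
 struct DataItem {
  group: String,
  mode: String,
  owner: String,
+
  #[serde(deserialize_with = "from_z85")]
  secret: Option<Vec<u8>>,
+ public: String,
+
+ secret_hash: String,
+ public_path: String,
 }
 
 fn from_z85<'de, D>(deserializer: D) -> Result<Option<Vec<u8>>, D::Error>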
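Review bot: The new `public`, `secret_hash` and `public_path` fields carry no doc comments, and nothing on the struct says that, because of the added `rename_all = "camelCase"`, they are read from the JSON keys `public`, `secretHash` and `publicPath` as mandatory strings while `secret` stays optional. That asymmetry is intentional on the Nix side of this commit (`secretHash` defaults to the literal `<missingno>` when `secret` is null), so I would record it here: `/// Hash of the secret payload as computed by nixos/secrets.nix; "<missingno>" when no secret is set.` above `secret_hash`, and `/// The `publicPath` option: after this commit a /run/secrets path string, no longer a store path.` above `public_path`. The `secretPath`/`stableSecretPath` strings the Nix module now defines are not read by this struct, so presumably the installer still derives the on-disk secret name itself from `secret_hash`; worth confirming which side is authoritative. `from_z85` continues past the hunk.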
modifiednixos/secrets.nixdiffbeforeafterboth
--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -5,9 +5,15 @@
 let
   sysConfig = config;
   secretType = types.submodule ({ config, ... }: {
-    config = {
-      path = mkOptionDefault "/run/secrets/${config._module.args.name}";
-      publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);
+    config = rec {
+      path = warn "use .stableSecretPath instead of .path (at config.secrets.${config._module.args.name})" stableSecretPath;
+      stableSecretPath = mkOptionDefault "/run/secrets/secret-stable-${config._module.args.name}";
+      secretPath = mkOptionDefault "/run/secrets/secret-${config.secretHash}-${config._module.args.name}";
+      secretHash = mkOptionDefault (if config.secret != null then (builtins.hashString "sha1" config.secret) else "<missingno>");
+
+      stablePublicPath = mkOptionDefault "/run/secrets/public-stable-${config._module.args.name}";
+      publicPath = mkOptionDefault "/run/secrets/public-${config.publicHash}-${config._module.args.name}";
+      publicHash = mkOptionDefault (if config.public != null then (builtins.hashString "sha1" config.public) else "<missingno>");
     };
     options = {
       public = mkOption {
@@ -36,12 +42,40 @@
         default = sysConfig.users.users.${config.owner}.group;
       };
 
+      secretHash = mkOption {
+        type = types.str;
+        description = "Hash of .secret field";
+      };
+      publicHash = mkOption {
+        type = types.str;
+        description = "Hash of .public field";
+      };
+
       path = mkOption {
         type = types.str;
         description = "Path to the decrypted secret";
       };
+      stableSecretPath = mkOption {
+        type = types.str;
+        description = """
+          Use this, if target process supports re-reading of secret from disk,
+          and doesn't needs to be restarted when secret is updated in file
+        """;
+      };
+      secretPath = mkOption {
+        type = types.str;
+        description = "Path to decrypted secret, suffixed with contents hash";
+      };
+
+      stablePublicPath = mkOption {
+        type = types.str;
+        description = """
+          Use this, if target process supports re-reading of secret from disk,
+          and doesn't needs to be restarted when secret is updated in file
+        """;
+      };
       publicPath = mkOption {
-        type = types.package;
+        type = types.str;
         description = "Path to the public part of secret";
       };
     };
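Review bot: In the first hunk, `path = warn "..." stableSecretPath` inside `config = rec { ... }` binds `.path` to the rec-local `mkOptionDefault` literal rather than to the merged option value, so a user who overrides `stableSecretPath` still gets the old default through `.path`, whereas `secretPath` and `publicPath` correctly read the merged `config.secretHash`/`config.publicHash`; I would drop `rec` and write `path = mkOptionDefault (warn "use .stableSecretPath instead of .path (at config.secrets.${config._module.args.name})" config.stableSecretPath);` so the deprecated alias follows overrides and keeps its default priority. Separately, `secretHash` embeds `builtins.hashString "sha1" config.secret` in a file name under /run/secrets, which is visible to anyone who can list that directory regardless of the file's mode; if `config.secret` is the encrypted payload (the installer's `from_z85` field suggests an encoded blob, but this hunk does not show it) that is harmless, but if plaintext ever lands there the name becomes a guess-check oracle for low-entropy secrets, so a comment above `secretHash` stating that `secret` must be ciphertext would pin the assumption down. In the second hunk, the `stablePublicPath` description is a copy of the `stableSecretPath` one and should speak of the public part, and both read `doesn't need` rather than `doesn't needs`.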