

refactor new secrets structure

Yaroslav Bolyukin2022-08-28parent: #aeb19ed.patch.diff
in: trunk

2 files changed

modifiedcmds/install-secrets/src/main.rsdiffbeforeafterboth
--- a/cmds/install-secrets/src/main.rs
+++ b/cmds/install-secrets/src/main.rs
@@ -24,12 +24,18 @@
 }
 
 #[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
 struct DataItem {
 	group: String,
 	mode: String,
 	owner: String,
+
 	#[serde(deserialize_with = "from_z85")]
 	secret: Option<Vec<u8>>,
+	public: String,
+
+	secret_hash: String,
+	public_path: String,
 }
 
 fn from_z85<'de, D>(deserializer: D) -> Result<Option<Vec<u8>>, D::Error>
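Review bot: The new `public: String` field on DataItem (new side of the hunk) is not nullable, but the "before" view of nixos/secrets.nix declares `public` as `types.nullOr types.str` with `default = null`, so any secret that omits its public part would serialize as `"public": null` and fail deserialization of the whole secrets.json — unless the Nix side of this commit (whose "after" view is not shown on this page) drops the null default, `public: Option<String>,` is the safer type and keeps parity with the sibling `secret: Option<Vec<u8>>`. The same consideration applies to `secret_hash: String`, which has no counterpart in the shown secrets.nix at all, so its presence on every item depends on the unseen Nix change. The struct also carries no documentation; a `/// One entry of secrets.json as emitted by nixos/secrets.nix (camelCase keys).` doc comment on DataItem, plus a one-line comment on `secret_hash` stating what it is a hash of and in which encoding, would make the contract between the two files explicit. The `from_z85` definition that begins on the last hunk line continues outside the hunk.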
modifiednixos/secrets.nixdiffbeforeafterboth
before · nixos/secrets.nix
1{ lib, config, pkgs, ... }:23with lib;45let6  sysConfig = config;7  secretType = types.submodule ({ config, ... }: {8    config = {9      path = mkOptionDefault "/run/secrets/${config._module.args.name}";10      publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);11    };12    options = {13      public = mkOption {14        type = types.nullOr types.str;15        description = "Secret public data";16        default = null;17      };18      secret = mkOption {19        type = types.nullOr types.str;20        description = "Encrypted secret data";21        default = null;22      };23      mode = mkOption {24        type = types.str;25        description = "Secret mode";26        default = "0440";27      };28      owner = mkOption {29        type = types.str;30        description = "Owner of the secret";31        default = "root";32      };33      group = mkOption {34        type = types.str;35        description = "Group of the secret";36        default = sysConfig.users.users.${config.owner}.group;37      };3839      path = mkOption {40        type = types.str;41        description = "Path to the decrypted secret";42      };43      publicPath = mkOption {44        type = types.package;45        description = "Path to the public part of secret";46      };47    };48  });49  secretsFile = pkgs.writeTextFile {50    name = "secrets.json";51    text = builtins.toJSON config.secrets;52  };53in54{55  options = {56    secrets = mkOption {57      type = types.attrsOf secretType;58      default = { };59      description = "Host-local secrets";60    };61  };62  config = {63    system.activationScripts.decryptSecrets = stringAfter [ "users" "groups" "specialfs" ] ''64      1>&2 echo "setting up secrets"65      ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets ${secretsFile}66    '';67  };68}