refactor new secrets structure
in: trunk
2 files changed
cmds/install-secrets/src/main.rsdiffbeforeafterboth
--- a/cmds/install-secrets/src/main.rs
+++ b/cmds/install-secrets/src/main.rs
@@ -24,12 +24,18 @@
}
#[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
struct DataItem {
group: String,
mode: String,
owner: String,
+
#[serde(deserialize_with = "from_z85")]
secret: Option<Vec<u8>>,
+ public: String,
+
+ secret_hash: String,
+ public_path: String,
}
fn from_z85<'de, D>(deserializer: D) -> Result<Option<Vec<u8>>, D::Error>
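Review bot: The new `public: String` field rejects any entry whose public part is absent: the `secretType` submodule in this same commit declares `public` as `types.nullOr types.str` with `default = null` and serializes the whole attrset with `builtins.toJSON`, so such an entry arrives as `"public": null` and serde cannot deserialize a `String` from it, which would make the activation script fail for the whole host rather than for that one entry. Declare it `public: Option<String>,` so it mirrors the nullable `secret` field. A short header on the struct would also help the next reader, since nothing here says where the JSON comes from: `/// One entry of secrets.json as emitted by nixos/secrets.nix; keys are the camelCase option names, hence rename_all.` `from_z85` starts on the last line of the hunk and its body is outside it, so whether it accepts `null` for `secret` (which the Nix side also defaults to `null`) cannot be checked from here.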
nixos/secrets.nixdiffbeforeafterboth1{ lib, config, pkgs, ... }:23with lib;45let6 sysConfig = config;7 secretType = types.submodule ({ config, ... }: {8 config = {9 path = mkOptionDefault "/run/secrets/${config._module.args.name}";10 publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);11 };12 options = {13 public = mkOption {14 type = types.nullOr types.str;15 description = "Secret public data";16 default = null;17 };18 secret = mkOption {19 type = types.nullOr types.str;20 description = "Encrypted secret data";21 default = null;22 };23 mode = mkOption {24 type = types.str;25 description = "Secret mode";26 default = "0440";27 };28 owner = mkOption {29 type = types.str;30 description = "Owner of the secret";31 default = "root";32 };33 group = mkOption {34 type = types.str;35 description = "Group of the secret";36 default = sysConfig.users.users.${config.owner}.group;37 };3839 path = mkOption {40 type = types.str;41 description = "Path to the decrypted secret";42 };43 publicPath = mkOption {44 type = types.package;45 description = "Path to the public part of secret";46 };47 };48 });49 secretsFile = pkgs.writeTextFile {50 name = "secrets.json";51 text = builtins.toJSON config.secrets;52 };53in54{55 options = {56 secrets = mkOption {57 type = types.attrsOf secretType;58 default = { };59 description = "Host-local secrets";60 };61 };62 config = {63 system.activationScripts.decryptSecrets = stringAfter [ "users" "groups" "specialfs" ] ''64 1>&2 echo "setting up secrets"65 ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets ${secretsFile}66 '';67 };68}1{ lib, config, pkgs, ... }:23with lib;45let6 sysConfig = config;7 secretType = types.submodule ({ config, ... 
}: {8 config = rec {9 path = warn "use .stableSecretPath instead of .path (at config.secrets.${config._module.args.name})" stableSecretPath;10 stableSecretPath = mkOptionDefault "/run/secrets/secret-stable-${config._module.args.name}";11 secretPath = mkOptionDefault "/run/secrets/secret-${config.secretHash}-${config._module.args.name}";12 secretHash = mkOptionDefault (if config.secret != null then (builtins.hashString "sha1" config.secret) else "<missingno>");1314 stablePublicPath = mkOptionDefault "/run/secrets/public-stable-${config._module.args.name}";15 publicPath = mkOptionDefault "/run/secrets/public-${config.publicHash}-${config._module.args.name}";16 publicHash = mkOptionDefault (if config.public != null then (builtins.hashString "sha1" config.public) else "<missingno>");17 };18 options = {19 public = mkOption {20 type = types.nullOr types.str;21 description = "Secret public data";22 default = null;23 };24 secret = mkOption {25 type = types.nullOr types.str;26 description = "Encrypted secret data";27 default = null;28 };29 mode = mkOption {30 type = types.str;31 description = "Secret mode";32 default = "0440";33 };34 owner = mkOption {35 type = types.str;36 description = "Owner of the secret";37 default = "root";38 };39 group = mkOption {40 type = types.str;41 description = "Group of the secret";42 default = sysConfig.users.users.${config.owner}.group;43 };4445 secretHash = mkOption {46 type = types.str;47 description = "Hash of .secret field";48 };49 publicHash = mkOption {50 type = types.str;51 description = "Hash of .public field";52 };5354 path = mkOption {55 type = types.str;56 description = "Path to the decrypted secret";57 };58 stableSecretPath = mkOption {59 type = types.str;60 description = """61 Use this, if target process supports re-reading of secret from disk,62 and doesn't needs to be restarted when secret is updated in file63 """;64 };65 secretPath = mkOption {66 type = types.str;67 description = "Path to decrypted secret, suffixed with 
contents hash";68 };6970 stablePublicPath = mkOption {71 type = types.str;72 description = """73 Use this, if target process supports re-reading of secret from disk,74 and doesn't needs to be restarted when secret is updated in file75 """;76 };77 publicPath = mkOption {78 type = types.str;79 description = "Path to the public part of secret";80 };81 };82 });83 secretsFile = pkgs.writeTextFile {84 name = "secrets.json";85 text = builtins.toJSON config.secrets;86 };87in88{89 options = {90 secrets = mkOption {91 type = types.attrsOf secretType;92 default = { };93 description = "Host-local secrets";94 };95 };96 config = {97 system.activationScripts.decryptSecrets = stringAfter [ "users" "groups" "specialfs" ] ''98 1>&2 echo "setting up secrets"99 ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets ${secretsFile}100 '';101 };102}
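Review bot: The `description = """ … """` values of the new `stableSecretPath` and `stablePublicPath` options are not multi-line strings: Nix has no triple-quote syntax, so `"""` lexes as the empty string `""` followed by a `"` that opens a second string, and each value parses as the application `"" "…" ""`, which fails with "attempt to call something which is not a function" as soon as the description is forced (for example when option documentation is generated). Use the indented-string delimiters instead, `description = ''` / `Use this if the target process re-reads the secret from disk and does not need a restart when the file is updated.` / `'';`, for both options. Separately, `secretHash` and `publicHash` fall back to the literal `"<missingno>"`, so `secretPath` for an entry without a `secret` becomes `/run/secrets/secret-<missingno>-<name>`, a path the installer has nothing to write; an assertion on `config.secret != null` where `secretPath` is consumed, or a `null` default for the path, would surface that misconfiguration at evaluation time instead of at runtime.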