From 62f28d30a069135f9c48678507203958adfc334f Mon Sep 17 00:00:00 2001
From: Igor Pashev
Date: Thu, 29 Sep 2016 13:51:44 +0300
Subject: Moved everything into ./modules
---
modules/deployment/default.nix | 11 +++++++
modules/deployment/keyrings.nix | 64 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 75 insertions(+)
create mode 100644 modules/deployment/default.nix
create mode 100644 modules/deployment/keyrings.nix
(limited to 'modules/deployment')
diff --git a/modules/deployment/default.nix b/modules/deployment/default.nix
new file mode 100644
index 0000000..240d970
--- /dev/null
+++ b/modules/deployment/default.nix
@@ -0,0 +1,11 @@
+{lib, ... }:
+
+let
+ all = lib.filterAttrs
+ ( n: _: n != "default.nix" && ! lib.hasPrefix "." n )
+ (builtins.readDir ./.);
+
+in {
+ imports = map (p: ./. + "/${p}") ( builtins.attrNames all );
+}
+
diff --git a/modules/deployment/keyrings.nix b/modules/deployment/keyrings.nix
new file mode 100644
index 0000000..6230107
--- /dev/null
+++ b/modules/deployment/keyrings.nix
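Review bot: The filter in `all` keeps every directory entry that is not `default.nix` or dot-prefixed, so a stray editor backup such as `keyrings.nix~` or any non-Nix file dropped into modules/deployment is imported and breaks evaluation, and it also means whatever lands in that directory silently becomes part of the module set. Restricting the auto-import to Nix files is a small change to the predicate, `( n: t: n != "default.nix" && ! lib.hasPrefix "." n && (t == "directory" || lib.hasSuffix ".nix" n) )`. The entry type from `readDir` is already passed to the predicate (currently ignored as `_`), so subdirectories with their own default.nix keep working without anything new. A short comment above `all` stating that every `*.nix` file here is loaded automatically would also save the next maintainer a surprise.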
@@ -0,0 +1,64 @@
+{ config, lib, ... }:
+
+let
+
+ inherit (builtins)
+ attrNames baseNameOf head match pathExists readFile toString ;
+ inherit (lib)
+ foldl genAttrs mapAttrsToList mkOption optionalAttrs types ;
+ inherit (types)
+ attrsOf listOf nullOr path ;
+
+ allusers = config.users.users;
+ cfg = config.nixsap.deployment;
+
+ # XXX If the file is encrypted:
+ # error: the contents of the file ‘...’ cannot be represented as a Nix string
+ read = key:
+ let
+ m = match "^([^(]*)\\[.+\\]$" key;
+ s = if m != null then head m else key;
+ in if cfg.secrets != null
+ then readFile (cfg.secrets + "/${s}")
+ else "";
+
+in {
+ options.nixsap.deployment = {
+ secrets = mkOption {
+ description = ''
+ Directory with the secrets. If not specified,
+ each key will be an empty file.
+ '';
+ type = nullOr path;
+ default = null;
+ example = "";
+ };
+ keyrings = mkOption {
+ type = attrsOf (listOf path);
+ description = ''
+ Binds keys to a user. It's possible to share the same key between
+ multiple users, of course by different names: "/run/keys/foo" and
+ "/run/keys/foo[bar]" will use the same secret file "foo".
+ '';
+ default = {};
+ example = { mysqlbackup = [ "/run/keys/s3cmd.cfg" ];
+ pgbackup = [ "/run/keys/s3cmd.cfg[pgbackup]" ];
+ };
+ };
+ };
+
+ config = {
+ users.users = genAttrs (attrNames cfg.keyrings) (
+ name: optionalAttrs (name != "root") { extraGroups = [ "keys" ]; }
+ );
+
+ deployment.keys = foldl (a: b: a//b) {} (
+ mapAttrsToList (name: keys:
+ genAttrs (map baseNameOf keys)
+ (key: { text = read key;
+ user = toString allusers.${name}.uid;
+ })
+ ) cfg.keyrings
+ );
+ };
+}
-- cgit v1.2.3
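Review bot: The merge in `deployment.keys` with `foldl (a: b: a//b) {}` silently overwrites when two keyrings list a key with the same basename, so the key file ends up owned by whichever user the fold visits last instead of failing; the option description asks for distinct names (`foo` vs `foo[bar]`) but nothing enforces that. Overlap can be rejected in the fold step itself, `foldl (a: b: assert lib.intersectLists (attrNames a) (attrNames b) == []; a // b) {}`, which turns a wrong-owner deployment into an evaluation error. Two smaller points in the same hunk: `pathExists` is inherited from builtins but never used, and `user = toString allusers.${name}.uid` becomes `""` for a user without a fixed `uid` (`toString null`), whose effect on the key's ownership is not visible here and should be confirmed — if NixOps accepts a user name there, `user = name;` would not depend on a static uid at all.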