{ config, lib, ... }:
 
let

  inherit (builtins)
    attrNames baseNameOf head match pathExists readFile toString ;
  inherit (lib)
    foldl genAttrs mapAttrsToList mkOption optionalAttrs types ;
  inherit (types)
    attrsOf listOf nullOr path ;

  # All NixOS users declared anywhere in the configuration; consulted below to
  # look up the uid a user's keys are chowned to.
  allusers = config.users.users;
  # This module's own options (declared under options.nixsap.deployment).
  cfg = config.nixsap.deployment;

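  # Resolve a key name to the contents of its secret file.
  #
  # `key` is the basename of a /run/keys path. A trailing "[suffix]" lets
  # several users bind the same secret under different key names; it is
  # stripped before the file is looked up in cfg.secrets. When no secrets
  # directory is configured every key reads as the empty string (the option
  # documents this: keys become empty files).
  #
  # XXX If the file is encrypted:
  #     error: the contents of the file ‘...’ cannot be represented as a Nix string
  read = key:
    let
      # Strip a "[...]" suffix. NOTE(review): the class is [^(]*, i.e. it
      # excludes "(" rather than "["; this looks like a typo for [^\[]* and
      # means "foo[a][b]" resolves to secret "foo[a]" while "foo(1)[bar]"
      # does not match at all and is looked up verbatim. Left unchanged here.
      m = match "^([^(]*)\\[.+\\]$" key;
      s = if m != null then head m else key;
      # path + string stays a path: no copy of the secrets directory into the
      # Nix store, as "${cfg.secrets}" would cause.
      f = cfg.secrets + "/${s}";
    in
      if cfg.secrets == null then ""
      # "[foo]" alone would strip to "" and point at the directory itself.
      else if s == "" then
        throw "nixsap.deployment: empty secret name derived from key '${key}'"
      # Name the key and the directory in the error instead of leaving the
      # bare "opening file ..." failure from readFile; a missing secret is
      # then traceable to the keyring entry that asked for it.
      else if !pathExists f then
        throw "nixsap.deployment: secret '${s}' (for key '${key}') not found in ${toString cfg.secrets}"
      else readFile f;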

in {
  # Directory the secret files are read from at evaluation time.
  # NOTE(review): secret contents are read with readFile and flow into
  # deployment.keys.*.text; whether they stay out of the Nix store and out of
  # any deployment state file depends on the consumer of deployment.keys —
  # confirm before pointing this at production secrets.
  options.nixsap.deployment.secrets = mkOption {
    type = nullOr path;
    default = null;
    example = "<secrets>";
    description = ''
      Directory with the secrets. If not specified,
      each key will be an empty file.
      '';
  };

  # user name -> list of /run/keys paths that user owns. Only the basename of
  # each path is significant; the "[suffix]" form lets two users receive the
  # same secret file under distinct key names.
  options.nixsap.deployment.keyrings = mkOption {
    type = attrsOf (listOf path);
    default = {};
    example = {
      mysqlbackup = [ "/run/keys/s3cmd.cfg" ];
      pgbackup = [ "/run/keys/s3cmd.cfg[pgbackup]" ];
    };
    description = ''
      Binds keys to a user. It's possible to share the same key between
      multiple users, of course by different names: "/run/keys/foo" and
      "/run/keys/foo[bar]" will use the same secret file "foo".
    '';
  };

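  config = {
    # Every user that owns a keyring (except root) joins the "keys" group.
    users.users = genAttrs (attrNames cfg.keyrings) (
      name: optionalAttrs (name != "root") { extraGroups = [ "keys" ]; }
    );

    # One deployment.keys entry per key basename, chowned to the user whose
    # keyring listed it. Contents come from `read`, i.e. from the secret file
    # named after the key with any "[suffix]" stripped.
    deployment.keys =
      let
        # Per-user attrsets: key basename -> key definition.
        perUser = mapAttrsToList (name: keys:
          let
            uid = allusers.${name}.uid;
            # NixOS leaves uid null unless it was set explicitly (including
            # for users this module creates above), and toString null is "",
            # which would hand the key to user "". Fall back to the user
            # name; the numeric uid is kept when present so existing
            # configurations are unchanged.
            owner = if uid != null then toString uid else name;
          in genAttrs (map baseNameOf keys) (key: {
            text = read key;
            user = owner;
          })
        ) cfg.keyrings;

        # Basenames claimed by more than one user. Merging with // would
        # silently give such a key to whichever user is merged last, leaving
        # the others without their secret; fail loudly instead, since one
        # key file can have only one owner.
        claimed = lib.concatMap attrNames perUser;
        dups = lib.unique (lib.filter (k: lib.count (x: x == k) claimed > 1) claimed);
      in
        if dups == [] then foldl (a: b: a // b) {} perUser
        else throw ("nixsap.deployment.keyrings: key(s) "
          + lib.concatStringsSep ", " dups
          + " bound to more than one user; share a secret as foo and foo[bar] instead");
  };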
}