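{ config, pkgs, lib, ... }:
# NixOS module `localsecrets`: at boot, run each configured generator inside a
# transient DynamicUser sandbox and move its `private`/`public` output into
# /var/lib/<stateDir>/{private,public}/<name>.
let
  types = lib.types;
  cfg = config.localsecrets;

  # Submodule for one entry of `localsecrets.secrets`; `name` is its attr name.
  keyOpts = { name, ... }: {
    options = {
      generator = lib.mkOption {
        type = types.either types.str types.path;
        default = "";
        description = ''
          Shell snippet, or path to a script, run by bash as a transient
          DynamicUser with working directory /run/secret-<name>. It must
          create the subdirectories `private` and `public` there; both are
          moved into place once it exits.
        '';
      };
      privateDir = lib.mkOption {
        type = types.str;
        default = "/var/lib/${cfg.stateDir}/private/${name}";
        description = ''
          Destination of the `private` output; owned by `user`:`group`
          with permission bits `mode`. Replaced on every run.
        '';
      };
      publicDir = lib.mkOption {
        type = types.str;
        default = "/var/lib/${cfg.stateDir}/public/${name}";
        description = "Destination of the `public` output. Replaced on every run.";
      };
      mode = lib.mkOption {
        type = types.str;
        default = "0700";
        description = ''
          Permission bits of the generator runtime directory and of the
          `private` output directory.
        '';
      };
      user = lib.mkOption {
        type = types.str;
        default = "root";
        description = "Owner of the `private` output directory and its contents.";
      };
      group = lib.mkOption {
        type = types.str;
        default = "root";
        description = "Group of the `private` output directory and its contents.";
      };
    };
  };
in
{
  options.localsecrets = {
    enable = lib.mkEnableOption "Deploy localsecrets";
    stateDir = lib.mkOption {
      type = types.str;
      default = "localsecrets";
      description = "Directory below /var/lib used as the StateDirectory of the generator service.";
    };
    secrets = lib.mkOption {
      type = types.attrsOf (types.submodule keyOpts);
      # attrsOf requires an attribute set; the former `[]` default failed the
      # option type check as soon as the module was enabled with no secrets.
      default = { };
      description = "Secrets to generate, keyed by name.";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.localsecrets-generate = {
      description = "Generate local secrets";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # NOTE(review): consider Type = "oneshot" so that units ordered After=
      # this one only start once the secrets are in place.
      serviceConfig = {
        StateDirectory = cfg.stateDir;
      };
      script = ''
        # umask 0022 leaves the two parent directories world-traversable,
        # which a non-root `user` needs in order to reach its own 0700 entry.
        umask 0022
        mkdir -p "$STATE_DIRECTORY/private" "$STATE_DIRECTORY/public"
      '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (name: secret:
        let
          runtimeDirectory = "secret-${name}";
          runtimeDir = "/run/${runtimeDirectory}";
          # Interpolate first so a `path` generator is copied to the store;
          # escapeShellArg alone would toString it to the source-tree path.
          # Quoting via escapeShellArg keeps a generator containing a single
          # quote from breaking out of the bash -c argument.
          generatorArg = lib.escapeShellArg "${secret.generator}";
        in ''
          # Run the generator as a throw-away DynamicUser, working inside its
          # own runtime directory ${runtimeDir}.
          systemd-run \
            --wait \
            -p DynamicUser=true \
            -p RuntimeDirectory=${runtimeDirectory} \
            -p RuntimeDirectoryMode=${secret.mode} \
            -p RuntimeDirectoryPreserve=true \
            -p WorkingDirectory=${runtimeDir} \
            -p PrivateTmp=true \
            ${pkgs.bash}/bin/bash -c ${generatorArg}
          # The files inside were created by the transient UID, which systemd
          # may later hand to another DynamicUser service, and a non-root
          # `user` could not read 0600 files it does not own: chown with -R
          # so ownership of the contents, not only the directory, is fixed.
          chown -R "${secret.user}:${secret.group}" "${runtimeDir}/private"
          chmod "${secret.mode}" "${runtimeDir}/private"
          # Let a failed removal abort the unit; otherwise mv would nest the
          # new output inside the stale directory instead of replacing it.
          rm -rf "${secret.privateDir}"
          mv "${runtimeDir}/private" "${secret.privateDir}"
          chown -R root:root "${runtimeDir}/public"
          rm -rf "${secret.publicDir}"
          mv "${runtimeDir}/public" "${secret.publicDir}"
        '') cfg.secrets);
    };
  };
}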