authormakefu <github@syntax-fehler.de>2016-02-22 14:35:59 +0100
committermakefu <github@syntax-fehler.de>2016-02-22 14:35:59 +0100
commitb25d15573ab10a4b2dd55e46291fbab6adf70162 (patch)
tree1036547a8003c5767565d53d748d83d3614271b6 /krebs/3modules/secret.nix
parent5b7039f1f11e7cf2da6f3735cc7d99322a31c7a5 (diff)
parent8393444dce1888d369955e46dd16983a43762bb9 (diff)
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'krebs/3modules/secret.nix')
-rw-r--r--krebs/3modules/secret.nix39
1 files changed, 39 insertions, 0 deletions
diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix
new file mode 100644
index 000000000..579f375f3
--- /dev/null
+++ b/krebs/3modules/secret.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+ cfg = config.krebs.secret;
+in {
+ options.krebs.secret = {
+ files = mkOption {
+ type = with types; attrsOf secret-file;
+ default = {};
+ };
+ };
+ config = lib.mkIf (cfg.files != {}) {
+ systemd.services.secret = let
+ # TODO fail if two files have the same path but differ otherwise
+ files = unique (map (flip removeAttrs ["_module"])
+ (attrValues cfg.files));
+ in {
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ SyslogIdentifier = "secret";
+ ExecStart = pkgs.writeDash "install-secret-files" ''
+ exit_code=0
+ ${concatMapStringsSep "\n" (file: ''
+ ${pkgs.coreutils}/bin/install \
+ -D \
+ --compare \
+ --verbose \
+ --mode=${shell.escape file.mode} \
+ --owner=${shell.escape file.owner.name} \
+ --group=${shell.escape file.group-name} \
+ ${shell.escape file.source-path} \
+ ${shell.escape file.path} \
+ || exit_code=1
+ '') files}
+ exit $exit_code
+ '';
+ };
+ };
+ };
+}
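Review bot: The `unique` on the `files` let-binding only collapses entries that are byte-identical after dropping `_module`, so two entries that share `path` but differ in `mode`, `owner` or `source-path` both survive and are installed in sequence, and the last `install` silently decides the secret's on-disk mode and ownership — exactly the case the TODO on the line above flags. A cheap evaluation-time guard closes it: `in assert length files == length (unique (map (f: f.path) files)); {` in place of the bare `in {`, assuming `length` is reachable here as it is in nixpkgs lib (only `unique` is visibly used from `config.krebs.lib`). A short comment next to the assert, `# refuse conflicting definitions of the same target path`, would explain the failure to the next reader. Separately, `source-path` is passed straight to `install` with no visible check that it is not a Nix store path; if the `secret-file` type (declared elsewhere) does not enforce that, a note on the `files` option saying sources must live outside the world-readable store would help.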