diff options
author | tv <tv@krebsco.de> | 2016-02-21 05:27:37 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2016-02-21 05:27:37 +0100 |
commit | b5fbca3a365b1188c1274e3288ba39a88ecad2e3 (patch) | |
tree | 4f4e631b9ddf17e8092a12392fac7cc53e238096 /krebs/3modules | |
parent | d8d39f5c4a9925f2098e58dc80e36920ece6ac71 (diff) |
krebs.secret: init
Diffstat (limited to 'krebs/3modules')
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/secret.nix | 39 |
2 files changed, 40 insertions, 0 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index c06f3754e..df1c7db63 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -28,6 +28,7 @@ let ./realwallpaper.nix ./retiolum-bootstrap.nix ./retiolum.nix + ./secret.nix ./setuid.nix ./tinc_graphs.nix ./urlwatch.nix diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix new file mode 100644 index 000000000..46802a661 --- /dev/null +++ b/krebs/3modules/secret.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }@args: with config.krebs.lib; let + cfg = config.krebs.secret; +in { + options.krebs.secret = { + files = mkOption { + type = with types; attrsOf secret-file; + default = {}; + }; + }; + config = lib.mkIf (cfg.files != {}) { + systemd.services.secret = let + # TODO fail if two files have the same path but differ otherwise + files = unique (map (flip removeAttrs ["_module"]) + (attrValues cfg.files)); + in { + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + SyslogIdentifier = "secret"; + ExecStart = pkgs.writeDash "install-secret-files" '' + exit_code=0 + ${concatMapStringsSep "\n" (file: '' + ${pkgs.coreutils}/bin/install \ + -D \ + --compare \ + --verbose \ + --mode=${shell.escape file.mode} \ + --owner=${shell.escape file.owner-name} \ + --group=${shell.escape file.group-name} \ + ${shell.escape file.source-path} \ + ${shell.escape file.path} \ + || exit_code=1 + '') files} + exit $exit_code + ''; + }; + }; + }; +} |