path: root/krebs/3modules/secret.nix
Diffstat (limited to 'krebs/3modules/secret.nix')
-rw-r--r--krebs/3modules/secret.nix39
1 files changed, 39 insertions, 0 deletions
diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix
new file mode 100644
index 000000000..46802a661
--- /dev/null
+++ b/krebs/3modules/secret.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+ cfg = config.krebs.secret;
+in {
+ options.krebs.secret = {
+ files = mkOption {
+ type = with types; attrsOf secret-file;
+ default = {};
+ };
+ };
+ config = lib.mkIf (cfg.files != {}) {
+ systemd.services.secret = let
+ # TODO fail if two files have the same path but differ otherwise
+ files = unique (map (flip removeAttrs ["_module"])
+ (attrValues cfg.files));
+ in {
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ SyslogIdentifier = "secret";
+ ExecStart = pkgs.writeDash "install-secret-files" ''
+ exit_code=0
+ ${concatMapStringsSep "\n" (file: ''
+ ${pkgs.coreutils}/bin/install \
+ -D \
+ --compare \
+ --verbose \
+ --mode=${shell.escape file.mode} \
+ --owner=${shell.escape file.owner-name} \
+ --group=${shell.escape file.group-name} \
+ ${shell.escape file.source-path} \
+ ${shell.escape file.path} \
+ || exit_code=1
+ '') files}
+ exit $exit_code
+ '';
+ };
+ };
+ };
+}
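Review bot: The `install -D` call on the ExecStart script creates any missing leading directories of `file.path` with install's default directory mode, not with `--mode`, so a secret written under a freshly created directory can end up in a parent that is world-traversable even though the file itself is restricted; `--mode`/`--owner`/`--group` apply to the destination file only. If the module is meant to protect the secret by directory as well, the parent should be created explicitly with a chosen mode before the copy (e.g. `${pkgs.coreutils}/bin/install -d -m 0700 ${shell.escape (dirOf file.path)}`), or the contract should be documented on the `files` option, e.g. `description = "Secret files to install; parent directories are created with install's default mode."`. Note that `--compare` rewrites the destination only when content, owner, group or mode differ, so this is a one-time concern per directory, not per activation. The TODO on the same hunk about two entries sharing a path but differing in mode/owner is still open: with `unique` both survive and the later `install` silently overwrites the earlier one, so an `assertions` entry that rejects duplicate `path` values would make that failure visible at evaluation time rather than at runtime.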