From b5fbca3a365b1188c1274e3288ba39a88ecad2e3 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 05:27:37 +0100 Subject: krebs.secret: init --- krebs/3modules/secret.nix | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 krebs/3modules/secret.nix (limited to 'krebs/3modules/secret.nix') diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix new file mode 100644 index 000000000..46802a661 --- /dev/null +++ b/krebs/3modules/secret.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }@args: with config.krebs.lib; let + cfg = config.krebs.secret; +in { + options.krebs.secret = { + files = mkOption { + type = with types; attrsOf secret-file; + default = {}; + }; + }; + config = lib.mkIf (cfg.files != {}) { + systemd.services.secret = let + # TODO fail if two files have the same path but differ otherwise + files = unique (map (flip removeAttrs ["_module"]) + (attrValues cfg.files)); + in { + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + SyslogIdentifier = "secret"; + ExecStart = pkgs.writeDash "install-secret-files" '' + exit_code=0 + ${concatMapStringsSep "\n" (file: '' + ${pkgs.coreutils}/bin/install \ + -D \ + --compare \ + --verbose \ + --mode=${shell.escape file.mode} \ + --owner=${shell.escape file.owner-name} \ + --group=${shell.escape file.group-name} \ + ${shell.escape file.source-path} \ + ${shell.escape file.path} \ + || exit_code=1 + '') files} + exit $exit_code + ''; + }; + }; + }; +} -- cgit v1.2.3 From e3ddf995e92985ee14dab5735ac55045c166aaaf Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 07:18:13 +0100 Subject: krebs types.secret-file: owner-name -> owner :: user --- krebs/3modules/secret.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs/3modules/secret.nix') diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix index 46802a661..579f375f3 100644 --- a/krebs/3modules/secret.nix +++ b/krebs/3modules/secret.nix @@ -25,7 +25,7 @@ in { --compare \ --verbose \ --mode=${shell.escape file.mode} \ - --owner=${shell.escape file.owner-name} \ + --owner=${shell.escape file.owner.name} \ --group=${shell.escape file.group-name} \ ${shell.escape file.source-path} \ ${shell.escape file.path} \ -- cgit v1.2.3