modules/age: add option for secrets directory

Parthiv Seetharaman 2022-02-21 15:05:42 -08:00
parent a17d1f3055
commit 85bd9d01ad


@ -24,7 +24,7 @@ let
echo "decrypting '${secretType.file}' to '$_truePath'..." echo "decrypting '${secretType.file}' to '$_truePath'..."
TMP_FILE="$_truePath.tmp" TMP_FILE="$_truePath.tmp"
mkdir -p "$(dirname "$_truePath")" mkdir -p "$(dirname "$_truePath")"
[ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")" [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
( (
umask u=r,g=,o= umask u=r,g=,o=
LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}" LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}"
@ -34,7 +34,7 @@ let
mv -f "$TMP_FILE" "$_truePath" mv -f "$TMP_FILE" "$_truePath"
${optionalString secretType.symlink '' ${optionalString secretType.symlink ''
[ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && ln -sfn "/run/agenix/${secretType.name}" "${secretType.path}" [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
''} ''}
''; '';
@ -53,7 +53,7 @@ let
type = types.str; type = types.str;
default = config._module.args.name; default = config._module.args.name;
description = '' description = ''
Name of the file used in /run/agenix Name of the file used in ''${cfg.secretsDir}
''; '';
}; };
file = mkOption { file = mkOption {
@ -64,7 +64,7 @@ let
}; };
path = mkOption { path = mkOption {
type = types.str; type = types.str;
default = "/run/agenix/${config.name}"; default = "${cfg.secretsDir}/${config.name}";
description = '' description = ''
Path where the decrypted secret is installed. Path where the decrypted secret is installed.
''; '';
@ -115,6 +115,13 @@ in
Attrset of secrets. Attrset of secrets.
''; '';
}; };
secretsDir = mkOption {
type = types.path;
default = "/run/agenix";
description = ''
Folder where secrets are symlinked to
'';
};
secretsMountPoint = mkOption { secretsMountPoint = mkOption {
type = types.addCheck types.str type = types.addCheck types.str
(s: (s:
@ -122,8 +129,9 @@ in
&& (builtins.match ".+/" s) == null) # without trailing slash && (builtins.match ".+/" s) == null) # without trailing slash
// { description = "${types.str.description} (with check: non-empty without trailing slash)"; }; // { description = "${types.str.description} (with check: non-empty without trailing slash)"; };
default = "/run/agenix.d"; default = "/run/agenix.d";
defaultText = "/run/agenix.d";
description = '' description = ''
Where secrets are created before they are symlinked to /run/agenix Where secrets are created before they are symlinked to ''${cfg.secretsDir}
''; '';
}; };
identityPaths = mkOption { identityPaths = mkOption {
@ -149,15 +157,15 @@ in
# invalid symlinks). # invalid symlinks).
system.activationScripts.agenixMountSecrets = { system.activationScripts.agenixMountSecrets = {
text = '' text = ''
_agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)" _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation )) (( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..." echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
mkdir -p "${cfg.secretsMountPoint}" mkdir -p "${cfg.secretsMountPoint}"
chmod 0751 "${cfg.secretsMountPoint}" chmod 0751 "${cfg.secretsMountPoint}"
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751 grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation" mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation" chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" /run/agenix ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
(( _agenix_generation > 1 )) && { (( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..." echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."