modules/age: /run/secrets -> /run/agenix

This commit is contained in:
Cole Helbling 2021-11-08 09:50:20 -08:00
parent 111754b894
commit e538664435
2 changed files with 12 additions and 13 deletions


@ -177,7 +177,7 @@ but, if you want to (change the system based on your system):
``` ```
6. NixOS rebuild or use your deployment tool like usual. 6. NixOS rebuild or use your deployment tool like usual.
The secret will be decrypted to the value of `age.secrets.secret1.path` (`/run/secrets/secret1` by default). For per-secret options controlling ownership etc, see [modules/age.nix](modules/age.nix). The secret will be decrypted to the value of `age.secrets.secret1.path` (`/run/agenix/secret1` by default). For per-secret options controlling ownership etc, see [modules/age.nix](modules/age.nix).
## Rekeying ## Rekeying


@ -28,7 +28,7 @@ let
chmod ${secretType.mode} "$TMP_FILE" chmod ${secretType.mode} "$TMP_FILE"
chown ${secretType.owner}:${secretType.group} "$TMP_FILE" chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
mv -f "$TMP_FILE" "$_truePath" mv -f "$TMP_FILE" "$_truePath"
[ "${secretType.path}" != "/run/secrets/${secretType.name}" ] && ln -sfn "/run/secrets/${secretType.name}" "${secretType.path}" [ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && ln -sfn "/run/agenix/${secretType.name}" "${secretType.path}"
''; '';
isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0"); isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
@ -46,7 +46,7 @@ let
type = types.str; type = types.str;
default = config._module.args.name; default = config._module.args.name;
description = '' description = ''
Name of the file used in /run/secrets Name of the file used in /run/agenix
''; '';
}; };
file = mkOption { file = mkOption {
@ -57,7 +57,7 @@ let
}; };
path = mkOption { path = mkOption {
type = types.str; type = types.str;
default = "/run/secrets/${config.name}"; default = "/run/agenix/${config.name}";
description = '' description = ''
Path where the decrypted secret is installed. Path where the decrypted secret is installed.
''; '';
@ -101,9 +101,9 @@ in
(builtins.match "[ \t\n]*" s) == null # non-empty (builtins.match "[ \t\n]*" s) == null # non-empty
&& (builtins.match ".+/" s) == null) # without trailing slash && (builtins.match ".+/" s) == null) # without trailing slash
// { description = "${types.str.description} (with check: non-empty without trailing slash)"; }; // { description = "${types.str.description} (with check: non-empty without trailing slash)"; };
default = "/run/secrets.d"; default = "/run/agenix.d";
description = '' description = ''
Where secrets are created before they are symlinked to /run/secrets Where secrets are created before they are symlinked to /run/agenix
''; '';
}; };
sshKeyPaths = mkOption { sshKeyPaths = mkOption {
@ -128,16 +128,15 @@ in
# ensure removed secrets are actually removed, or at least become # ensure removed secrets are actually removed, or at least become
# invalid symlinks). # invalid symlinks).
system.activationScripts.agenixMountSecrets = '' system.activationScripts.agenixMountSecrets = ''
_count="$(basename "$(readlink /run/secrets)" || echo 0)" _agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)"
(( ++_count )) (( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to /run/secrets (generation $_count)..." echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..."
mkdir -p "${cfg.secretsMountPoint}" mkdir -p "${cfg.secretsMountPoint}"
chmod 0750 "${cfg.secretsMountPoint}" chmod 0750 "${cfg.secretsMountPoint}"
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0750 grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0750
mkdir -p "${cfg.secretsMountPoint}/$_count" mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
chmod 0750 "${cfg.secretsMountPoint}/$_count" chmod 0750 "${cfg.secretsMountPoint}/$_agenix_generation"
chown :keys "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_count" ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" /run/agenix
ln -sfn "${cfg.secretsMountPoint}/$_count" /run/secrets
(( _agenix_generation > 1 )) && { (( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..." echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."