modules/age: /run/secrets -> /run/agenix
This commit is contained in:
parent
111754b894
commit
e538664435
2 changed files with 12 additions and 13 deletions
|
@ -177,7 +177,7 @@ but, if you want to (change the system based on your system):
|
||||||
```
|
```
|
||||||
6. NixOS rebuild or use your deployment tool like usual.
|
6. NixOS rebuild or use your deployment tool like usual.
|
||||||
|
|
||||||
The secret will be decrypted to the value of `age.secrets.secret1.path` (`/run/secrets/secret1` by default). For per-secret options controlling ownership etc, see [modules/age.nix](modules/age.nix).
|
The secret will be decrypted to the value of `age.secrets.secret1.path` (`/run/agenix/secret1` by default). For per-secret options controlling ownership etc, see [modules/age.nix](modules/age.nix).
|
||||||
|
|
||||||
## Rekeying
|
## Rekeying
|
||||||
|
|
||||||
|
|
|
@ -28,7 +28,7 @@ let
|
||||||
chmod ${secretType.mode} "$TMP_FILE"
|
chmod ${secretType.mode} "$TMP_FILE"
|
||||||
chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
|
chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
|
||||||
mv -f "$TMP_FILE" "$_truePath"
|
mv -f "$TMP_FILE" "$_truePath"
|
||||||
[ "${secretType.path}" != "/run/secrets/${secretType.name}" ] && ln -sfn "/run/secrets/${secretType.name}" "${secretType.path}"
|
[ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && ln -sfn "/run/agenix/${secretType.name}" "${secretType.path}"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
|
isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
|
||||||
|
@ -46,7 +46,7 @@ let
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = config._module.args.name;
|
default = config._module.args.name;
|
||||||
description = ''
|
description = ''
|
||||||
Name of the file used in /run/secrets
|
Name of the file used in /run/agenix
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
file = mkOption {
|
file = mkOption {
|
||||||
|
@ -57,7 +57,7 @@ let
|
||||||
};
|
};
|
||||||
path = mkOption {
|
path = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "/run/secrets/${config.name}";
|
default = "/run/agenix/${config.name}";
|
||||||
description = ''
|
description = ''
|
||||||
Path where the decrypted secret is installed.
|
Path where the decrypted secret is installed.
|
||||||
'';
|
'';
|
||||||
|
@ -101,9 +101,9 @@ in
|
||||||
(builtins.match "[ \t\n]*" s) == null # non-empty
|
(builtins.match "[ \t\n]*" s) == null # non-empty
|
||||||
&& (builtins.match ".+/" s) == null) # without trailing slash
|
&& (builtins.match ".+/" s) == null) # without trailing slash
|
||||||
// { description = "${types.str.description} (with check: non-empty without trailing slash)"; };
|
// { description = "${types.str.description} (with check: non-empty without trailing slash)"; };
|
||||||
default = "/run/secrets.d";
|
default = "/run/agenix.d";
|
||||||
description = ''
|
description = ''
|
||||||
Where secrets are created before they are symlinked to /run/secrets
|
Where secrets are created before they are symlinked to /run/agenix
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
sshKeyPaths = mkOption {
|
sshKeyPaths = mkOption {
|
||||||
|
@ -128,16 +128,15 @@ in
|
||||||
# ensure removed secrets are actually removed, or at least become
|
# ensure removed secrets are actually removed, or at least become
|
||||||
# invalid symlinks).
|
# invalid symlinks).
|
||||||
system.activationScripts.agenixMountSecrets = ''
|
system.activationScripts.agenixMountSecrets = ''
|
||||||
_count="$(basename "$(readlink /run/secrets)" || echo 0)"
|
_agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)"
|
||||||
(( ++_count ))
|
(( ++_agenix_generation ))
|
||||||
echo "[agenix] symlinking new secrets to /run/secrets (generation $_count)..."
|
echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..."
|
||||||
mkdir -p "${cfg.secretsMountPoint}"
|
mkdir -p "${cfg.secretsMountPoint}"
|
||||||
chmod 0750 "${cfg.secretsMountPoint}"
|
chmod 0750 "${cfg.secretsMountPoint}"
|
||||||
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0750
|
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0750
|
||||||
mkdir -p "${cfg.secretsMountPoint}/$_count"
|
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
|
||||||
chmod 0750 "${cfg.secretsMountPoint}/$_count"
|
chmod 0750 "${cfg.secretsMountPoint}/$_agenix_generation"
|
||||||
chown :keys "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_count"
|
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" /run/agenix
|
||||||
ln -sfn "${cfg.secretsMountPoint}/$_count" /run/secrets
|
|
||||||
|
|
||||||
(( _agenix_generation > 1 )) && {
|
(( _agenix_generation > 1 )) && {
|
||||||
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
|
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
|
||||||
|
|
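Review bot: Dropping `chown :keys "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"` in the last hunk leaves both directories at the `0750` mode set a few lines above with whatever owner `mkdir` gives them (root, if activation runs as root, which is what the hunk suggests but does not show), so a non-root user can no longer traverse them; the per-secret `chown ${secretType.owner}:${secretType.group}` in the first hunk then grants read access to a file its owner cannot reach. The commit title describes only a path rename, so this looks unintended. Either keep the `chown :keys` line with the renamed variable, or make the directories traversable, i.e. `chmod 0751` on both and `mode=0751` on the ramfs mount, so that the per-file ownership alone gates access. The `system.activationScripts.agenixMountSecrets` string starts in this hunk and continues past its end. Separately, the literal `/run/agenix` is now hard-coded in every hunk of this file (the `ln -sfn` target, both option descriptions, both defaults and the activation script); a single `let` binding would keep them from drifting apart on the next rename.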