modules: secrets: add 'owner' logic
parent
5f41bb1647
commit
30eaefc1d1
|
@ -6,7 +6,6 @@
|
||||||
./boot.nix
|
./boot.nix
|
||||||
./hardware.nix
|
./hardware.nix
|
||||||
./networking.nix
|
./networking.nix
|
||||||
./secrets.nix
|
|
||||||
./services.nix
|
./services.nix
|
||||||
./users.nix
|
./users.nix
|
||||||
];
|
];
|
||||||
|
|
|
@ -1,8 +0,0 @@
|
||||||
# Secrets configuration
|
|
||||||
{ ... }:
|
|
||||||
{
|
|
||||||
config.age.secrets = {
|
|
||||||
# Must be readable by the service
|
|
||||||
"nextcloud/password".owner = "nextcloud";
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ inputs, lib, options, ... }:
|
{ config, inputs, lib, options, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -9,9 +9,12 @@
|
||||||
secrets =
|
secrets =
|
||||||
let
|
let
|
||||||
toName = lib.removeSuffix ".age";
|
toName = lib.removeSuffix ".age";
|
||||||
toSecret = name: _: {
|
userExists = u: builtins.hasAttr u config.users.users;
|
||||||
|
# Only set the user if it exists, to avoid warnings
|
||||||
|
userIfExists = u: if userExists u then u else "root";
|
||||||
|
toSecret = name: { owner ? "root", ... }: {
|
||||||
file = ./. + "/${name}";
|
file = ./. + "/${name}";
|
||||||
owner = lib.mkDefault "root";
|
owner = lib.mkDefault (userIfExists owner);
|
||||||
};
|
};
|
||||||
convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
|
convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
|
||||||
secrets = import ./secrets.nix;
|
secrets = import ./secrets.nix;
|
||||||
|
|
|
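Review bot: The new `userIfExists = u: if userExists u then u else "root";` silently maps an unknown owner to root, so a misspelt owner in secrets.nix, or a host where that service user is not defined, yields a root-owned secret with no indication of why the service later cannot read it; the fallback is fail-closed, which is fine, but the misconfiguration should be visible at evaluation time, e.g. `userIfExists = u: lib.warnIf (!userExists u) "secret owner '${u}' is not a defined user, falling back to root" (if userExists u then u else "root");` (or, if the author deliberately wants silence, the comment should say that a typo fails silently). `userExists` also reads `config.users.users` from inside the definition of `age.secrets`; if any `users.users.*` definition in turn references `config.age.secrets`, this may become an infinite recursion, so a comment like `# Only the attribute names of users.users are needed; user definitions must not depend on age.secrets` would document the constraint. Finally, the `{ owner ? "root", ... }` pattern in `toSecret` only propagates `owner`; a `group` or `mode` set in secrets.nix would be dropped without error, which is worth stating in the `# Only set the user if it exists` comment or extending the pattern. The `secrets = let … in` binding continues past the end of the hunk.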
@ -27,7 +27,11 @@ in
|
||||||
|
|
||||||
"monitoring/password.age".publicKeys = all;
|
"monitoring/password.age".publicKeys = all;
|
||||||
|
|
||||||
"nextcloud/password.age".publicKeys = all;
|
"nextcloud/password.age" = {
|
||||||
|
# Must be readable by the service
|
||||||
|
owner = "nextcloud";
|
||||||
|
publicKeys = all;
|
||||||
|
};
|
||||||
|
|
||||||
"paperless/password.age".publicKeys = all;
|
"paperless/password.age".publicKeys = all;
|
||||||
"paperless/secret-key.age".publicKeys = all;
|
"paperless/secret-key.age".publicKeys = all;
|
||||||
|
|