modules: secrets: add 'owner' logic

This commit is contained in:
Bruno BELANYI 2021-09-26 19:19:35 +02:00
parent 5f41bb1647
commit 30eaefc1d1
4 changed files with 11 additions and 13 deletions

View file

@ -6,7 +6,6 @@
./boot.nix
./hardware.nix
./networking.nix
./secrets.nix
./services.nix
./users.nix
];

View file

@ -1,8 +0,0 @@
# Secrets configuration
{ ... }:
{
config.age.secrets = {
# Must be readable by the service
"nextcloud/password".owner = "nextcloud";
};
}

View file

@ -1,4 +1,4 @@
{ inputs, lib, options, ... }:
{ config, inputs, lib, options, ... }:
{
imports = [
@ -9,9 +9,12 @@
secrets =
let
toName = lib.removeSuffix ".age";
toSecret = name: _: {
userExists = u: builtins.hasAttr u config.users.users;
# Only set the user if it exists, to avoid warnings
userIfExists = u: if userExists u then u else "root";
toSecret = name: { owner ? "root", ... }: {
file = ./. + "/${name}";
owner = lib.mkDefault "root";
owner = lib.mkDefault (userIfExists owner);
};
convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
secrets = import ./secrets.nix;

View file

@ -27,7 +27,11 @@ in
"monitoring/password.age".publicKeys = all;
"nextcloud/password.age".publicKeys = all;
"nextcloud/password.age" = {
# Must be readable by the service
owner = "nextcloud";
publicKeys = all;
};
"paperless/password.age".publicKeys = all;
"paperless/secret-key.age".publicKeys = all;