| { config, lib, ... }: { |
| options.clicks.security.secrets.instability.enable = lib.mkOption { |
| description = '' |
| Enable changing secret names using instability by default |
| |
| This is useful, for example, to make systemd services restart without |
| fiddling with restart triggers, but could be detrimental to services like |
| nginx which can reload with zero downtime (but won't necessarily do so if |
| you swap secret files from under them) |
| |
| This also works with agenix-rekey, and if you're using that then the |
| secret name will be based on the rekeyFile |
| ''; |
| type = lib.types.bool; |
| default = config.clicks.security.secrets.enable; |
| }; |
| |
| options.age = { |
| # Extend age.secrets with the ability to have an unstable name |
| secrets = lib.mkOption { |
| type = lib.types.attrsOf (lib.types.submodule (submodule: { |
| options = { |
| unstableName = lib.mkOption { |
| type = lib.types.bool; |
| default = config.clicks.security.secrets.instability.enable; |
| example = true; |
| description = '' |
| Whether the name of this secret should be based on the (encrypted) |
| contents of its file |
| |
| This is useful, for example, to make systemd services restart |
| without fiddling with restart triggers, but could be detrimental |
| to services like nginx which can reload with zero downtime (but |
| won't necessarily do so if you swap secret files from under them) |
| |
| This also works with agenix-rekey, and if you're using that then |
| the secret name will be based on the rekeyFile |
| ''; |
| }; |
| }; |
| config = { |
| # Calculate the name as the sha256 hash of the rekeyFile or file... whichever happens to exist for this secret |
| name = let |
| dependency = submodule.config.rekeyFile or submodule.config.file; |
| hash = builtins.hashFile "sha256" dependency; |
| in lib.mkIf submodule.config.unstableName hash; |
| }; |
| })); |
| }; |
| }; |
| } |