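{ config, lib, ... }:
{
  # Module-wide switch for "unstable" secret names: when enabled, each age
  # secret is named after the sha256 of its encrypted source file, so the
  # secret's runtime path changes whenever that file changes.
  options.clicks.security.secrets.instability.enable = lib.mkOption {
    description = ''
      Enable changing secret names using instability by default
      This is useful, for example, to make systemd services restart without
      fiddling with restart triggers, but could be detrimental to services like
      nginx which can reload with zero downtime (but won't necessarily do so if
      you swap secret files from under them)
      This also works with agenix-rekey, and if you're using that then the
      secret name will be based on the rekeyFile
    '';
    type = lib.types.bool;
    # Follows the umbrella secrets switch unless explicitly overridden.
    default = config.clicks.security.secrets.enable;
  };

  options.age = {
    # Extend age.secrets with the ability to have an unstable name
    secrets = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule (submodule: {
        options = {
          # Per-secret opt-in/opt-out; inherits the module-wide default above.
          unstableName = lib.mkOption {
            type = lib.types.bool;
            default = config.clicks.security.secrets.instability.enable;
            example = true;
            description = ''
              Whether the name of this secret should be based on the (encrypted)
              contents of its file
              This is useful, for example, to make systemd services restart
              without fiddling with restart triggers, but could be detrimental
              to services like nginx which can reload with zero downtime (but
              won't necessarily do so if you swap secret files from under them)
              This also works with agenix-rekey, and if you're using that then
              the secret name will be based on the rekeyFile
            '';
          };
        };
        config = {
          # Calculate the name as the sha256 hash of the rekeyFile or file...
          # whichever happens to exist for this secret.
          #
          # `rekeyFile or file` alone only covers the case where the rekeyFile
          # attribute is absent. NOTE(review): agenix-rekey appears to declare
          # rekeyFile with a null default, so for a non-rekeyed secret the
          # attribute exists but is null and hashFile would fail on it — confirm
          # against the agenix-rekey module. Treating null like "absent" is
          # safe in both cases.
          name = let
            rekeyFile = submodule.config.rekeyFile or null;
            dependency =
              if rekeyFile != null then rekeyFile else submodule.config.file;
            # The hash covers the encrypted file (see the option description),
            # not the decrypted secret, so the resulting name does not expose
            # plaintext material.
            hash = builtins.hashFile "sha256" dependency;
          in lib.mkIf submodule.config.unstableName hash;
        };
      }));
    };
  };
}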