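{ config, lib, ... }: {
  # Module-wide switch (defaulting to the secrets module's own enable flag)
  # for naming agenix secrets after the hash of their encrypted file instead
  # of their attribute name, so that each re-encryption yields a new path.
  options.clicks.security.secrets.instability.enable = lib.mkOption {
    description = ''
      Enable changing secret names using instability by default

      This is useful, for example, to make systemd services restart without
      fiddling with restart triggers, but could be detrimental to services like
      nginx which can reload with zero downtime (but won't necessarily do so if
      you swap secret files from under them)

      This also works with agenix-rekey, and if you're using that then the
      secret name will be based on the rekeyFile
    '';
    type = lib.types.bool;
    default = config.clicks.security.secrets.enable;
  };

  options.age = {
    # Extend age.secrets with the ability to have an unstable name
    secrets = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule (submodule: {
        options = {
          # Per-secret override of the module-wide instability flag above.
          unstableName = lib.mkOption {
            type = lib.types.bool;
            default = config.clicks.security.secrets.instability.enable;
            example = true;
            description = ''
              Whether the name of this secret should be based on the (encrypted)
              contents of its file

              This is useful, for example, to make systemd services restart
              without fiddling with restart triggers, but could be detrimental
              to services like nginx which can reload with zero downtime (but
              won't necessarily do so if you swap secret files from under them)

              This also works with agenix-rekey, and if you're using that then
              the secret name will be based on the rekeyFile
            '';
          };
        };
        config = {
          # Derive the secret name from the sha256 of its encrypted source:
          # prefer rekeyFile (agenix-rekey) when it is present AND non-null,
          # otherwise fall back to the plain agenix `file`.
          #
          # A bare `rekeyFile or file` only covers the case where the rekeyFile
          # attribute is absent altogether; if the option is declared with a
          # null default (present-but-null), `or` does not fall back and null
          # would be handed to hashFile, failing evaluation of the whole config.
          name = let
            rekeyFile = submodule.config.rekeyFile or null;
            dependency =
              if rekeyFile != null then rekeyFile else submodule.config.file;
            # Only the ciphertext is hashed, so the name reveals nothing about
            # the plaintext. Note the attribute name is NOT part of the result:
            # two secrets pointing at the same file resolve to the same name
            # and therefore the same path under the secrets directory.
            hash = builtins.hashFile "sha256" dependency;
          in lib.mkIf submodule.config.unstableName hash;
        };
      }));
    };
  };
}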