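# NixOS module: optionally derive agenix secret names from the hash of the
# encrypted secret file, so that a change in the secret produces a new
# name (and therefore a new path under the age secrets directory).
#
# Arguments are the usual NixOS module arguments; `config` is read for the
# module's own option values and for the `file`/`rekeyFile` of each secret.
{ config, lib, ... }: {
  # Global switch: when true, every age secret defaults to an unstable name
  # (each secret can still override this via its own `unstableName`).
  options.clicks.security.secrets.instability.enable = lib.mkOption {
    description = ''
      Enable changing secret names using instability by default

      This is useful, for example, to make systemd services restart without
      fiddling with restart triggers, but could be detrimental to services like
      nginx which can reload with zero downtime (but won't necessarily do so if
      you swap secret files from under them)

      This also works with agenix-rekey, and if you're using that then the
      secret name will be based on the rekeyFile
    '';
    type = lib.types.bool;
    # Follows the secrets feature switch unless explicitly set.
    default = config.clicks.security.secrets.enable;
  };

  options.age = {
    # Extend age.secrets with the ability to have an unstable name
    secrets = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule (submodule: {
        options = {
          unstableName = lib.mkOption {
            type = lib.types.bool;
            # Per-secret override of the global switch above.
            default = config.clicks.security.secrets.instability.enable;
            example = true;
            description = ''
              Whether the name of this secret should be based on the (encrypted)
              contents of its file

              This is useful, for example, to make systemd services restart
              without fiddling with restart triggers, but could be detrimental
              to services like nginx which can reload with zero downtime (but
              won't necessarily do so if you swap secret files from under them)

              This also works with agenix-rekey, and if you're using that then
              the secret name will be based on the rekeyFile
            '';
          };
        };
        config = {
          # Name the secret after the sha256 of its encrypted input file
          # (rekeyFile when agenix-rekey is used, otherwise file). Because the
          # input is the *encrypted* file, the derived name does not depend on
          # the plaintext.
          #
          # `or null` handles the case where the rekeyFile option is not
          # defined at all (plain agenix). The explicit null check additionally
          # covers the case where the option exists but is unset, which would
          # otherwise make hashFile fail on a null argument instead of falling
          # back to `file`.
          #
          # The hash is only computed when unstableName is true: mkIf's content
          # is evaluated lazily by the module system, so disabled secrets never
          # read their file here.
          name = let
            rekeyFile = submodule.config.rekeyFile or null;
            dependency =
              if rekeyFile != null then rekeyFile else submodule.config.file;
            hash = builtins.hashFile "sha256" dependency;
          in lib.mkIf submodule.config.unstableName hash;
        };
      }));
    };
  };
}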