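{ config, lib, ... }: {
  # "Unstable" secret names: instead of its attribute name, every age secret
  # is named after the sha256 of its *encrypted* file. Anything that references
  # the secret's path therefore changes whenever the ciphertext changes.
  options.clicks.security.secrets.instability.enable = lib.mkOption {
    description = ''
      Enable changing secret names using instability by default

      With this enabled the name of every age secret defaults to the sha256
      hash of its encrypted file, so the secret's name (and anything derived
      from it, such as its decrypted path) changes whenever the ciphertext
      changes. Only the ciphertext is hashed, so the name reveals nothing
      about the plaintext.

      This is useful, for example, to make systemd services restart without
      fiddling with restart triggers, but could be detrimental to services like
      nginx which can reload with zero downtime (but won't necessarily do so if
      you swap secret files from under them)

      This also works with agenix-rekey, and if you're using that then the
      secret name will be based on the rekeyFile
    '';
    type = lib.types.bool;
    default = config.clicks.security.secrets.enable;
  };

  options.age = {
    # Extend age.secrets with the ability to have an unstable name
    secrets = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule (submodule: {
        options = {
          # NOTE(review): agenix declares `name` on age.secrets.<name> itself
          # (defaulting to the attribute name). This redeclaration is kept
          # as-is; confirm the module system accepts both declarations when
          # this module is evaluated next to agenix.
          name = lib.mkOption {
            type = lib.types.str;
          };
          unstableName = lib.mkOption {
            type = lib.types.bool;
            default = config.clicks.security.secrets.instability.enable;
            example = true;
            description = ''
              Whether the name of this secret should be based on the (encrypted)
              contents of its file

              The name becomes the sha256 hash of the encrypted file. Because
              the ciphertext is hashed, re-encrypting the file (for example
              with a different set of recipients) renames the secret even when
              the plaintext is unchanged, and two secrets that point at the
              same encrypted file get the same name.

              This is useful, for example, to make systemd services restart
              without fiddling with restart triggers, but could be detrimental
              to services like nginx which can reload with zero downtime (but
              won't necessarily do so if you swap secret files from under them)

              This also works with agenix-rekey, and if you're using that then
              the secret name will be based on the rekeyFile
            '';
          };
        };
        config = lib.mkIf submodule.config.unstableName {
          # Calculate the name as the sha256 hash of the rekeyFile or file...
          # whichever happens to exist for this secret.
          #
          # `or` only covers a *missing* rekeyFile attribute. If agenix-rekey
          # declares rekeyFile as an option with a null default (as a nullOr
          # option would), the attribute exists but is null and hashFile would
          # fail on it, so fall back to `file` for null as well.
          #
          # Only the ciphertext is read here (at evaluation time), so the
          # resulting name leaks nothing about the plaintext.
          name = let
            rekeyFile = submodule.config.rekeyFile or null;
            dependency =
              if rekeyFile != null then rekeyFile else submodule.config.file;
          in builtins.hashFile "sha256" dependency;
        };
      }));
    };
  };
}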
54}