cluster/services/locksmith: support skipping secret updates
This commit is contained in:
parent
ca3c7e3eb0
commit
272ea1b92c
1 changed files with 16 additions and 8 deletions
|
@ -28,6 +28,10 @@ in
|
|||
command = mkOption {
|
||||
type = types.coercedTo types.package (package: "${package}") types.str;
|
||||
};
|
||||
checkUpdate = mkOption {
|
||||
type = types.coercedTo types.package (package: "${package}") types.str;
|
||||
default = "true";
|
||||
};
|
||||
owner = mkOption {
|
||||
type = types.str;
|
||||
default = "root";
|
||||
|
@ -72,20 +76,24 @@ in
|
|||
activeNodes = lib.unique (lib.flatten (lib.mapAttrsToList (_: secret: secret.nodes) activeSecrets));
|
||||
secretNames = map (name: "${providerRoot}-${name}/") (lib.attrNames activeSecrets);
|
||||
|
||||
createSecret = { path, nodes, owner, mode, group, command }: ''
|
||||
consul kv put ${lib.escapeShellArg path}/mode ${lib.escapeShellArg mode}
|
||||
consul kv put ${lib.escapeShellArg path}/owner ${lib.escapeShellArg owner}
|
||||
consul kv put ${lib.escapeShellArg path}/group ${lib.escapeShellArg group}
|
||||
${lib.concatStringsSep "\n" (map (node: ''
|
||||
consul kv put ${lib.escapeShellArg path}/recipient/${node} "$( (${command}) | age --encrypt --armor -r ${lib.escapeShellArg depot.hours.${node}.ssh.id.publicKey})"
|
||||
'') nodes)}
|
||||
createSecret = { path, nodes, owner, mode, group, command, checkUpdate }: ''
|
||||
if (${checkUpdate}); then
|
||||
consul kv put ${lib.escapeShellArg path}/mode ${lib.escapeShellArg mode}
|
||||
consul kv put ${lib.escapeShellArg path}/owner ${lib.escapeShellArg owner}
|
||||
consul kv put ${lib.escapeShellArg path}/group ${lib.escapeShellArg group}
|
||||
${lib.concatStringsSep "\n" (map (node: ''
|
||||
consul kv put ${lib.escapeShellArg path}/recipient/${node} "$( (${command}) | age --encrypt --armor -r ${lib.escapeShellArg depot.hours.${node}.ssh.id.publicKey})"
|
||||
'') nodes)}
|
||||
else
|
||||
echo Skipping update for ${lib.escapeShellArg path}
|
||||
fi
|
||||
'';
|
||||
in ''
|
||||
# create/update secrets
|
||||
${lib.pipe activeSecrets [
|
||||
(lib.mapAttrsToList (secretName: secretConfig: createSecret {
|
||||
path = "${providerRoot}-${secretName}";
|
||||
inherit (secretConfig) nodes mode owner group command;
|
||||
inherit (secretConfig) nodes mode owner group command checkUpdate;
|
||||
}))
|
||||
(lib.concatStringsSep "\n")
|
||||
]}
|
||||
|
|
Loading…
Reference in a new issue