From 272ea1b92cceea0c57bdbe4ec6fa35774a36986c Mon Sep 17 00:00:00 2001
From: Max
Date: Sat, 10 Aug 2024 02:39:52 +0200
Subject: [PATCH] cluster/services/locksmith: support skipping secret updates
---
 cluster/services/locksmith/provider.nix | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/cluster/services/locksmith/provider.nix b/cluster/services/locksmith/provider.nix
index e6af83d..060afa6 100644
--- a/cluster/services/locksmith/provider.nix
+++ b/cluster/services/locksmith/provider.nix
@@ -28,6 +28,10 @@ in
 command = mkOption {
 type = types.coercedTo types.package (package: "${package}") types.str;
 };
+ checkUpdate = mkOption {
+ type = types.coercedTo types.package (package: "${package}") types.str;
+ default = "true";
+ };
 owner = mkOption {
 type = types.str;
 default = "root";
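Review bot: The new `checkUpdate` option has no `description`, so its contract — a shell snippet pasted verbatim into the provisioning script, with the secret (re)generated and pushed only when it exits 0 — is only discoverable by reading `createSecret` in the second hunk. Suggest `description = "Shell command evaluated before updating this secret; the secret is regenerated and pushed to Consul only when it exits with status 0. Defaults to always updating.";`. Because the value is interpolated unquoted into the script, it is executable configuration rather than data, which is worth stating so nobody wires an externally supplied string into it. The option set this belongs to begins before the hunk.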
@@ -72,20 +76,24 @@ in
 activeNodes = lib.unique (lib.flatten (lib.mapAttrsToList (_: secret: secret.nodes) activeSecrets));
 secretNames = map (name: "${providerRoot}-${name}/") (lib.attrNames activeSecrets);
- createSecret = { path, nodes, owner, mode, group, command }: ''
- consul kv put ${lib.escapeShellArg path}/mode ${lib.escapeShellArg mode}
- consul kv put ${lib.escapeShellArg path}/owner ${lib.escapeShellArg owner}
- consul kv put ${lib.escapeShellArg path}/group ${lib.escapeShellArg group}
- ${lib.concatStringsSep "\n" (map (node: ''
- consul kv put ${lib.escapeShellArg path}/recipient/${node} "$( (${command}) | age --encrypt --armor -r ${lib.escapeShellArg depot.hours.${node}.ssh.id.publicKey})"
- '') nodes)}
+ createSecret = { path, nodes, owner, mode, group, command, checkUpdate }: ''
+ if (${checkUpdate}); then
+ consul kv put ${lib.escapeShellArg path}/mode ${lib.escapeShellArg mode}
+ consul kv put ${lib.escapeShellArg path}/owner ${lib.escapeShellArg owner}
+ consul kv put ${lib.escapeShellArg path}/group ${lib.escapeShellArg group}
+ ${lib.concatStringsSep "\n" (map (node: ''
+ consul kv put ${lib.escapeShellArg path}/recipient/${node} "$( (${command}) | age --encrypt --armor -r ${lib.escapeShellArg depot.hours.${node}.ssh.id.publicKey})"
+ '') nodes)}
+ else
+ echo Skipping update for ${lib.escapeShellArg path}
+ fi
 '';
 in ''
 # create/update secrets
 ${lib.pipe activeSecrets [
 (lib.mapAttrsToList (secretName: secretConfig: createSecret {
 path = "${providerRoot}-${secretName}";
- inherit (secretConfig) nodes mode owner group command;
+ inherit (secretConfig) nodes mode owner group command checkUpdate;
 }))
 (lib.concatStringsSep "\n")
 ]}
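Review bot: In the new `createSecret`, every non-zero exit from `checkUpdate` lands in the `else` branch, so a check that fails for an unexpected reason (tool missing, bad arguments) is indistinguishable from a deliberate skip and silently leaves a stale or never-created secret in Consul with only an informational echo. The `if` also wraps the `mode`/`owner`/`group` puts, so a metadata edit is not applied while the check says skip; if the point is to avoid re-running `command`, those three idempotent puts can stay unconditional as they were before the change. The rewrite below hoists them and treats status 0 as update, 1 as skip and anything else as a fatal error; the `exit 1` assumes the concatenated script should abort on that path, so adjust it to whatever the surrounding script does on failure. The enclosing `let` starts before the hunk.
```nix
    createSecret = { path, nodes, owner, mode, group, command, checkUpdate }: ''
      consul kv put ${lib.escapeShellArg path}/mode ${lib.escapeShellArg mode}
      consul kv put ${lib.escapeShellArg path}/owner ${lib.escapeShellArg owner}
      consul kv put ${lib.escapeShellArg path}/group ${lib.escapeShellArg group}
      # checkUpdate: 0 = (re)generate and push, 1 = skip, anything else = broken check
      if (${checkUpdate}); then checkUpdateStatus=0; else checkUpdateStatus=$?; fi
      case "$checkUpdateStatus" in
        0)
          # … unchanged: per-node recipient consul kv put via age …
          ;;
        1)
          echo Skipping update for ${lib.escapeShellArg path}
          ;;
        *)
          echo checkUpdate exited with status "$checkUpdateStatus" for ${lib.escapeShellArg path} >&2
          exit 1
          ;;
      esac
    '';
```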