cluster/lib: add secrets options

2024-07-06 23:43:02 +02:00 · 2024-07-06 23:43:02 +02:00 · 8adc26c5c3
commit 8adc26c5c3
parent 0a390ad0d7
4 changed files with 70 additions and 0 deletions
--- a/cluster/default.nix
+++ b/cluster/default.nix
@ -15,6 +15,7 @@ lib.evalModules {
    ./lib/inject-nixos-config.nix
    ./lib/port-magic-multi.nix
    ./lib/mesh.nix
+    ./lib/secrets.nix

    ./import-services.nix
  ];
--- a/cluster/lib/secrets.nix
+++ b/cluster/lib/secrets.nix
@ -0,0 +1,14 @@
+{ lib, ... }:
+
+{
+  options.secrets = {
+    extraKeys = lib.mkOption {
+      type = with lib.types; listOf str;
+      description = "Additional keys with which to encrypt all secrets.";
+      default = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5C7mC5S2gM0K6x0L/jNwAeQYbFSzs16Q73lONUlIkL max@TITAN"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmdWfmAs/0rno8zJlhBFMY2SumnHbTNdZUXJqxgd9ON max@jericho"
+      ];
+    };
+  };
+}
--- a/cluster/lib/service-module.nix
+++ b/cluster/lib/service-module.nix
@ -7,6 +7,10 @@ let
 in

 {
+  imports = [
+    ./services/secrets.nix
+  ];
+
  options = {
    nodes = mkOption {
      description = ''
--- a/cluster/lib/services/secrets.nix
+++ b/cluster/lib/services/secrets.nix
@ -0,0 +1,51 @@
+{ lib, name, ... }:
+
+let
+  serviceName = name;
+in
+
+{
+  options.secrets = lib.mkOption {
+    type = lib.types.lazyAttrsOf (lib.types.submodule ({ config, name, ... }: {
+      options = {
+        shared = lib.mkOption {
+          type = lib.types.bool;
+          default = true;
+          description = "Whether this secret should be the same on all nodes.";
+        };
+
+        nodes = lib.mkOption {
+          type = with lib.types; listOf str;
+          default = [ ];
+        };
+
+        generate = lib.mkOption {
+          type = with lib.types; nullOr (functionTo str);
+          description = "Command used to generate this secret.";
+          default = null;
+        };
+
+        path = lib.mkOption {
+          type = lib.types.path;
+          default = "/run/agenix/cluster-${serviceName}-${name}";
+        };
+
+        mode = lib.mkOption {
+          type = lib.types.str;
+          default = "0400";
+        };
+
+        owner = lib.mkOption {
+          type = lib.types.str;
+          default = "root";
+        };
+
+        group = lib.mkOption {
+          type = lib.types.str;
+          default = "root";
+        };
+      };
+    }));
+    default = {};
+  };
+}