From aaeba9a3b826b7ede83749d277633f2a99527acd Mon Sep 17 00:00:00 2001
From: Max
Date: Sat, 3 Aug 2024 02:58:20 +0200
Subject: [PATCH] modules/external-storage: support locksmith secrets
---
 modules/external-storage/default.nix | 18 +++++++++++++++---
 modules/external-storage/filesystem-type.nix | 4 ++++
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/modules/external-storage/default.nix b/modules/external-storage/default.nix
index 4a9d0eb..50ad622 100644
--- a/modules/external-storage/default.nix
+++ b/modules/external-storage/default.nix
@@ -8,6 +8,8 @@ let
 cfgAge = config.age;
 create = lib.flip lib.mapAttrs';
+
+ createFiltered = pred: attrs: f: create (lib.filterAttrs pred attrs) f;
 in {
@@ -20,12 +22,17 @@ in
 fileSystems = lib.mkOption {
 description = "S3QL-based filesystems on top of CIFS mountpoints.";
 default = {};
- type = with lib.types; lazyAttrsOf (submodule ({ config, name, ... }: {
+ type = with lib.types; lazyAttrsOf (submodule ({ config, name, ... }: let
+ authFile = if config.locksmithSecret != null then
+ "/run/locksmith/${config.locksmithSecret}"
+ else
+ cfgAge.secrets."storageAuth-${name}".path;
+ in {
 imports = [ ./filesystem-type.nix ];
 backend = lib.mkIf (config.underlay != null) "local://${cfg.underlays.${config.underlay}.mountpoint}";
 commonArgs = [
 "--cachedir" config.cacheDir
- "--authfile" cfgAge.secrets."storageAuth-${name}".path
+ "--authfile" authFile
 ] ++ (lib.optionals (config.backendOptions != []) [ "--backend-options" (lib.concatStringsSep "," config.backendOptions) ]);
 }));
 };
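Review bot: The new `authFile` binding builds the S3QL `--authfile` path by interpolating `config.locksmithSecret` straight into `/run/locksmith/…`, and the option is declared as a bare `nullOr str` in filesystem-type.nix, so a value containing `/` or `..` points the authfile outside the locksmith directory and an empty string yields the directory itself. Tightening the option type, e.g. `type = with types; nullOr (strMatching "[A-Za-z0-9._-]+");`, closes both cases at evaluation time. S3QL, as far as I recall, refuses an authfile that is group- or world-readable, so the mode locksmith applies to files under `/run/locksmith` should be confirmed to be as restrictive as the agenix secret it replaces; that is not visible here. The `let` binding shares its name with the `authFile` option of the same submodule, so a short comment such as `# path handed to --authfile: locksmith-delivered file, or the agenix secret` would help readers tell the two apart.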
@@ -57,9 +64,14 @@ in
 age.secrets = lib.mkMerge [
 (create cfg.underlays (name: ul: lib.nameValuePair "cifsCredentials-${name}" { file = ul.credentialsFile; }))
- (create cfg.fileSystems (name: fs: lib.nameValuePair "storageAuth-${name}" { file = fs.authFile; }))
+ (createFiltered (_: fs: fs.locksmithSecret == null) cfg.fileSystems (name: fs: lib.nameValuePair "storageAuth-${name}" { file = fs.authFile; }))
 ];
+ services.locksmith.waitForSecrets = createFiltered (_: fs: fs.locksmithSecret != null) cfg.fileSystems (name: fs: {
+ name = fs.unitName;
+ value = [ fs.locksmithSecret ];
+ });
+
 fileSystems = create cfg.underlays (name: ul: {
 name = ul.mountpoint;
 value = {
diff --git a/modules/external-storage/filesystem-type.nix b/modules/external-storage/filesystem-type.nix
index 8cece5d..6f37094 100644
--- a/modules/external-storage/filesystem-type.nix
+++ b/modules/external-storage/filesystem-type.nix
@@ -22,6 +22,10 @@ with lib;
 authFile = mkOption {
 type = types.path;
 };
+ locksmithSecret = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ };
 cacheDir = mkOption {
 type = types.path;
 default = "/var/cache/remote-storage/${name}";
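Review bot: `services.locksmith.waitForSecrets` is defined unconditionally here, even when no filesystem sets `locksmithSecret` and the resulting attrset is empty; if this module is ever imported on a host that does not load the locksmith module, the module system rejects a definition of an undeclared option regardless of its value, so the dependency on locksmith becomes hard. If that is intended it deserves a comment, e.g. `# requires the locksmith module; one entry per filesystem with locksmithSecret set`; otherwise guard the definition on `options.services ? locksmith`. The key `fs.unitName` is not declared in this diff and is presumably defined elsewhere in filesystem-type.nix; worth confirming it is the systemd unit name the locksmith module expects. The predicate `fs.locksmithSecret == null` / `!= null` appears twice in negated forms; naming it once in the `let` (`usesLocksmith = _: fs: fs.locksmithSecret != null;`) would keep the two definitions in step.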
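Review bot: `authFile` stays a required `types.path` with no default, so a filesystem that switches to `locksmithSecret` must still supply an `authFile` that is then ignored (default.nix filters it out of `age.secrets`), which makes the two options look independent when they are alternatives. Making it optional, `type = with types; nullOr path; default = null;`, together with an assertion in default.nix that exactly one of `authFile`/`locksmithSecret` is set per filesystem, would make the contract explicit and fail at evaluation rather than at mount time. `locksmithSecret` also has no `description`; something like `description = "Name of a locksmith-provided secret to use as the S3QL authfile instead of an agenix secret; the file is read from /run/locksmith/<name>.";` would document the relationship.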