privatevoid.net/depot
1
1
Fork 0
Code Issues 23 Pull requests 2 Projects 3 Releases Packages Wiki Activity Actions

cluster/services/locksmith: support skipping secret updates

Browse source
This commit is contained in:
Max Headroom 2024-08-10 02:39:52 +02:00
parent 196c62b5e2
commit dbfb4d1078
1 changed files with 16 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
cluster/services/locksmith/provider.nix
View file

@ -28,6 +28,10 @@ in
command = mkOption { command = mkOption {
type = types.coercedTo types.package (package: "${package}") types.str; type = types.coercedTo types.package (package: "${package}") types.str;
}; };
checkUpdate = mkOption {
type = types.coercedTo types.package (package: "${package}") types.str;
default = "true";
};
owner = mkOption { owner = mkOption {
type = types.str; type = types.str;
default = "root"; default = "root";
@ -72,20 +76,24 @@ in
activeNodes = lib.unique (lib.flatten (lib.mapAttrsToList (_: secret: secret.nodes) activeSecrets)); activeNodes = lib.unique (lib.flatten (lib.mapAttrsToList (_: secret: secret.nodes) activeSecrets));
secretNames = map (name: "${providerRoot}-${name}/") (lib.attrNames activeSecrets); secretNames = map (name: "${providerRoot}-${name}/") (lib.attrNames activeSecrets);
createSecret = { path, nodes, owner, mode, group, command }: '' createSecret = { path, nodes, owner, mode, group, command, checkUpdate }: ''
consul kv put ${lib.escapeShellArg path}/mode ${lib.escapeShellArg mode} if (${checkUpdate}); then
consul kv put ${lib.escapeShellArg path}/owner ${lib.escapeShellArg owner} consul kv put ${lib.escapeShellArg path}/mode ${lib.escapeShellArg mode}
consul kv put ${lib.escapeShellArg path}/group ${lib.escapeShellArg group} consul kv put ${lib.escapeShellArg path}/owner ${lib.escapeShellArg owner}
${lib.concatStringsSep "\n" (map (node: '' consul kv put ${lib.escapeShellArg path}/group ${lib.escapeShellArg group}
consul kv put ${lib.escapeShellArg path}/recipient/${node} "$( (${command}) | age --encrypt --armor -r ${lib.escapeShellArg depot.hours.${node}.ssh.id.publicKey})" ${lib.concatStringsSep "\n" (map (node: ''
'') nodes)} consul kv put ${lib.escapeShellArg path}/recipient/${node} "$( (${command}) | age --encrypt --armor -r ${lib.escapeShellArg depot.hours.${node}.ssh.id.publicKey})"
'') nodes)}
else
echo Skipping update for ${lib.escapeShellArg path}
fi
''; '';
in '' in ''
# create/update secrets # create/update secrets
${lib.pipe activeSecrets [ ${lib.pipe activeSecrets [
(lib.mapAttrsToList (secretName: secretConfig: createSecret { (lib.mapAttrsToList (secretName: secretConfig: createSecret {
path = "${providerRoot}-${secretName}"; path = "${providerRoot}-${secretName}";
inherit (secretConfig) nodes mode owner group command; inherit (secretConfig) nodes mode owner group command checkUpdate;
})) }))
(lib.concatStringsSep "\n") (lib.concatStringsSep "\n")
]} ]}