privatevoid.net/depot
1
1
Fork 0
Code Issues 23 Pull requests 2 Projects 3 Releases Packages Wiki Activity Actions

cluster/services/locksmith: only run secret generation command once

Browse source
This commit is contained in:
Max Headroom 2024-08-10 02:48:34 +02:00
parent dbfb4d1078
commit e8e40f851d
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
cluster/services/locksmith/provider.nix
View file

@ -81,8 +81,10 @@ in
consul kv put ${lib.escapeShellArg path}/mode ${lib.escapeShellArg mode} consul kv put ${lib.escapeShellArg path}/mode ${lib.escapeShellArg mode}
consul kv put ${lib.escapeShellArg path}/owner ${lib.escapeShellArg owner} consul kv put ${lib.escapeShellArg path}/owner ${lib.escapeShellArg owner}
consul kv put ${lib.escapeShellArg path}/group ${lib.escapeShellArg group} consul kv put ${lib.escapeShellArg path}/group ${lib.escapeShellArg group}
secret="$(mktemp -ut)"
(${command}) > "$secret"
${lib.concatStringsSep "\n" (map (node: '' ${lib.concatStringsSep "\n" (map (node: ''
consul kv put ${lib.escapeShellArg path}/recipient/${node} "$( (${command}) | age --encrypt --armor -r ${lib.escapeShellArg depot.hours.${node}.ssh.id.publicKey})" consul kv put ${lib.escapeShellArg path}/recipient/${node} "$(age < "$secret" --encrypt --armor -r ${lib.escapeShellArg depot.hours.${node}.ssh.id.publicKey})"
'') nodes)} '') nodes)}
else else
echo Skipping update for ${lib.escapeShellArg path} echo Skipping update for ${lib.escapeShellArg path}
@ -90,6 +92,7 @@ in
''; '';
in '' in ''
# create/update secrets # create/update secrets
umask 77
${lib.pipe activeSecrets [ ${lib.pipe activeSecrets [
(lib.mapAttrsToList (secretName: secretConfig: createSecret { (lib.mapAttrsToList (secretName: secretConfig: createSecret {
path = "${providerRoot}-${secretName}"; path = "${providerRoot}-${secretName}";