modules/external-storage: support locksmith secrets
parent
45f78f8cf1
commit
ee161721ca
2 changed files with 19 additions and 3 deletions
|
@ -8,6 +8,8 @@ let
|
||||||
cfgAge = config.age;
|
cfgAge = config.age;
|
||||||
|
|
||||||
create = lib.flip lib.mapAttrs';
|
create = lib.flip lib.mapAttrs';
|
||||||
|
|
||||||
|
createFiltered = pred: attrs: f: create (lib.filterAttrs pred attrs) f;
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -20,12 +22,17 @@ in
|
||||||
fileSystems = lib.mkOption {
|
fileSystems = lib.mkOption {
|
||||||
description = "S3QL-based filesystems on top of CIFS mountpoints.";
|
description = "S3QL-based filesystems on top of CIFS mountpoints.";
|
||||||
default = {};
|
default = {};
|
||||||
type = with lib.types; lazyAttrsOf (submodule ({ config, name, ... }: {
|
type = with lib.types; lazyAttrsOf (submodule ({ config, name, ... }: let
|
||||||
|
authFile = if config.locksmithSecret != null then
|
||||||
|
"/run/locksmith/${config.locksmithSecret}"
|
||||||
|
else
|
||||||
|
cfgAge.secrets."storageAuth-${name}".path;
|
||||||
|
in {
|
||||||
imports = [ ./filesystem-type.nix ];
|
imports = [ ./filesystem-type.nix ];
|
||||||
backend = lib.mkIf (config.underlay != null) "local://${cfg.underlays.${config.underlay}.mountpoint}";
|
backend = lib.mkIf (config.underlay != null) "local://${cfg.underlays.${config.underlay}.mountpoint}";
|
||||||
commonArgs = [
|
commonArgs = [
|
||||||
"--cachedir" config.cacheDir
|
"--cachedir" config.cacheDir
|
||||||
"--authfile" cfgAge.secrets."storageAuth-${name}".path
|
"--authfile" authFile
|
||||||
] ++ (lib.optionals (config.backendOptions != []) [ "--backend-options" (lib.concatStringsSep "," config.backendOptions) ]);
|
] ++ (lib.optionals (config.backendOptions != []) [ "--backend-options" (lib.concatStringsSep "," config.backendOptions) ]);
|
||||||
}));
|
}));
|
||||||
};
|
};
|
||||||
|
@ -57,9 +64,14 @@ in
|
||||||
|
|
||||||
age.secrets = lib.mkMerge [
|
age.secrets = lib.mkMerge [
|
||||||
(create cfg.underlays (name: ul: lib.nameValuePair "cifsCredentials-${name}" { file = ul.credentialsFile; }))
|
(create cfg.underlays (name: ul: lib.nameValuePair "cifsCredentials-${name}" { file = ul.credentialsFile; }))
|
||||||
(create cfg.fileSystems (name: fs: lib.nameValuePair "storageAuth-${name}" { file = fs.authFile; }))
|
(createFiltered (_: fs: fs.locksmithSecret == null) cfg.fileSystems (name: fs: lib.nameValuePair "storageAuth-${name}" { file = fs.authFile; }))
|
||||||
];
|
];
|
||||||
|
|
||||||
|
services.locksmith.waitForSecrets = createFiltered (_: fs: fs.locksmithSecret != null) cfg.fileSystems (name: fs: {
|
||||||
|
name = fs.unitName;
|
||||||
|
value = [ fs.locksmithSecret ];
|
||||||
|
});
|
||||||
|
|
||||||
fileSystems = create cfg.underlays (name: ul: {
|
fileSystems = create cfg.underlays (name: ul: {
|
||||||
name = ul.mountpoint;
|
name = ul.mountpoint;
|
||||||
value = {
|
value = {
|
||||||
|
|
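Review bot: The new `authFile` binding `"/run/locksmith/${config.locksmithSecret}"` interpolates the option value into a path with no validation, and the option is declared as `nullOr str` in the filesystem-type.nix hunk, so a value containing `/` or `..` would resolve to a file outside `/run/locksmith/` and be handed to s3ql as `--authfile`. The cheapest fix is to narrow the type where the option is declared, e.g. `type = with types; nullOr (strMatching "[A-Za-z0-9_][A-Za-z0-9_.-]*");`, so only a bare secret name is accepted. Whether the file under `/run/locksmith/` is readable by the unit that consumes `commonArgs` is not visible here; the age-managed path presumably had its ownership arranged by agenix, so that is worth confirming for the locksmith path too. The submodule body and the module continue outside the hunk.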
|
@ -22,6 +22,10 @@ with lib;
|
||||||
authFile = mkOption {
|
authFile = mkOption {
|
||||||
type = types.path;
|
type = types.path;
|
||||||
};
|
};
|
||||||
|
locksmithSecret = mkOption {
|
||||||
|
type = with types; nullOr str;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
cacheDir = mkOption {
|
cacheDir = mkOption {
|
||||||
type = types.path;
|
type = types.path;
|
||||||
default = "/var/cache/remote-storage/${name}";
|
default = "/var/cache/remote-storage/${name}";
|
||||||
|
|
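Review bot: The new `locksmithSecret` option carries no `description`, and nothing on the page states how it interacts with `authFile`, which remains a required `types.path` directly above it. Since external-storage only registers `storageAuth-${name}` in `age.secrets` when `locksmithSecret` is null and otherwise reads the file under `/run/locksmith/`, a description along the lines of `description = "Name of a locksmith-provided secret to use as the S3QL auth file instead of authFile; when set, authFile is ignored and not registered as an age secret.";` would make that precedence explicit to users. The enclosing option set continues outside the hunk.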