modules/external-storage: support locksmith secrets

This commit is contained in:
Max Headroom 2024-08-03 02:58:20 +02:00
parent 45f78f8cf1
commit ee161721ca
2 changed files with 19 additions and 3 deletions

View file

@ -8,6 +8,8 @@ let
cfgAge = config.age; cfgAge = config.age;
create = lib.flip lib.mapAttrs'; create = lib.flip lib.mapAttrs';
createFiltered = pred: attrs: f: create (lib.filterAttrs pred attrs) f;
in in
{ {
@ -20,12 +22,17 @@ in
fileSystems = lib.mkOption { fileSystems = lib.mkOption {
description = "S3QL-based filesystems on top of CIFS mountpoints."; description = "S3QL-based filesystems on top of CIFS mountpoints.";
default = {}; default = {};
type = with lib.types; lazyAttrsOf (submodule ({ config, name, ... }: { type = with lib.types; lazyAttrsOf (submodule ({ config, name, ... }: let
authFile = if config.locksmithSecret != null then
"/run/locksmith/${config.locksmithSecret}"
else
cfgAge.secrets."storageAuth-${name}".path;
in {
imports = [ ./filesystem-type.nix ]; imports = [ ./filesystem-type.nix ];
backend = lib.mkIf (config.underlay != null) "local://${cfg.underlays.${config.underlay}.mountpoint}"; backend = lib.mkIf (config.underlay != null) "local://${cfg.underlays.${config.underlay}.mountpoint}";
commonArgs = [ commonArgs = [
"--cachedir" config.cacheDir "--cachedir" config.cacheDir
"--authfile" cfgAge.secrets."storageAuth-${name}".path "--authfile" authFile
] ++ (lib.optionals (config.backendOptions != []) [ "--backend-options" (lib.concatStringsSep "," config.backendOptions) ]); ] ++ (lib.optionals (config.backendOptions != []) [ "--backend-options" (lib.concatStringsSep "," config.backendOptions) ]);
})); }));
}; };
@ -57,9 +64,14 @@ in
age.secrets = lib.mkMerge [ age.secrets = lib.mkMerge [
(create cfg.underlays (name: ul: lib.nameValuePair "cifsCredentials-${name}" { file = ul.credentialsFile; })) (create cfg.underlays (name: ul: lib.nameValuePair "cifsCredentials-${name}" { file = ul.credentialsFile; }))
(create cfg.fileSystems (name: fs: lib.nameValuePair "storageAuth-${name}" { file = fs.authFile; })) (createFiltered (_: fs: fs.locksmithSecret == null) cfg.fileSystems (name: fs: lib.nameValuePair "storageAuth-${name}" { file = fs.authFile; }))
]; ];
services.locksmith.waitForSecrets = createFiltered (_: fs: fs.locksmithSecret != null) cfg.fileSystems (name: fs: {
name = fs.unitName;
value = [ fs.locksmithSecret ];
});
fileSystems = create cfg.underlays (name: ul: { fileSystems = create cfg.underlays (name: ul: {
name = ul.mountpoint; name = ul.mountpoint;
value = { value = {

View file

@ -22,6 +22,10 @@ with lib;
authFile = mkOption { authFile = mkOption {
type = types.path; type = types.path;
}; };
locksmithSecret = mkOption {
type = with types; nullOr str;
default = null;
};
cacheDir = mkOption { cacheDir = mkOption {
type = types.path; type = types.path;
default = "/var/cache/remote-storage/${name}"; default = "/var/cache/remote-storage/${name}";