Infinidoge/universe
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

secrets: only decrypt explicitly declared secrets

Browse source
This commit is contained in:
Infinidoge 2024-01-24 14:20:47 -05:00
parent 65ff376fee
commit 8ea1a92e12
Signed by: Infinidoge
SSH key fingerprint: SHA256:oAMyvotlNFraMmZmr+p6AxnNfW/GioTs1pOn3V4tQ7A
1 changed files with 14 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

18
secrets/default.nix
View file

@ -10,7 +10,7 @@ let
filtered = (filterAttrs filterSecrets (builtins.readDir folder)); filtered = (filterAttrs filterSecrets (builtins.readDir folder));
secrets = mapAttrs' (n: v: nameValuePair (removeSuffix ".age" n) { file = toFile n; }) filtered; secrets = mapAttrs' (n: v: nameValuePair (removeSuffix ".age" n) { file = toFile n; }) filtered;
setOwner = name: { owner = name; group = name; }; withOwner = name: secret: secret // { owner = name; group = name; };
in in
{ {
options = { options = {
@ -18,19 +18,17 @@ in
secrets = mkOpt (attrsOf path) { }; secrets = mkOpt (attrsOf path) { };
}; };
config = mkMerge [ config = mkIf config.modules.secrets.enable {
{
age.secrets = mkIf config.modules.secrets.enable secrets;
secrets = mapAttrs (n: v: v.path) config.age.secrets; secrets = mapAttrs (n: v: v.path) config.age.secrets;
} age.secrets = mkMerge [
{ inherit (secrets) "infinidoge-password" "root-password" "binary-cache-private-key"; }
# Set ownership of keys
(mkIf config.services.nginx.enable { (mkIf config.services.nginx.enable {
age.secrets."inx.moe.pem" = setOwner "nginx"; "inx.moe.pem" = withOwner "nginx" secrets."inx.moe.pem";
age.secrets."inx.moe.key" = setOwner "nginx"; "inx.moe.key" = withOwner "nginx" secrets."inx.moe.key";
}) })
(mkIf config.services.vaultwarden.enable { (mkIf config.services.vaultwarden.enable {
age.secrets."vaultwarden" = setOwner "vaultwarden"; "vaultwarden" = withOwner "vaultwarden" secrets."vaultwarden";
}) })
]; ];
};
} }