]> Git — Sourcephile - sourcephile-nix.git/blob - nixos/options.nix
mermet: nginx: remove old sites
[sourcephile-nix.git] / nixos / options.nix
1 { lib, config, hostName, ... }:
2 with lib;
3 {
4 options = {
5 security.initrd = {
6 secrets = lib.mkOption {
7 type = types.attrsOf types.str;
8 default = { };
9 description = ''
10 Map some secrets for the initrd.
11 '';
12 };
13 install = lib.mkOption {
14 type = types.str;
15 default = "";
16 description = ''
17 Script to decrypt and send some secrets for the initrd.
18 '';
19 };
20 stage1Dir = lib.mkOption {
21 type = types.str;
22 default = "/run/initrd-secrets";
23 description = ''
24 Where to store the secrets in the stage1
25 for `boot.initrd.secrets` to install them in the initrd.
26 '';
27 };
28 # Alas, nixos/modules/system/boot/initrd-ssh.nix
29 # forces stage2Dir == stage1Dir
30 stage2Dir = lib.mkOption {
31 type = types.str;
32 default = "/run/initrd-secrets";
33 description = ''
34 Where to store the secrets in the stage2
35 for `boot.initrd.secrets` to retrieve them when rebuilding the system.
36 '';
37 };
38 };
39 };
40 config = {
41 security.initrd.install =
42 lib.concatStringsSep "\n" (lib.mapAttrsToList
43 (dst: src: ''
44 gpg --decrypt "${src}" |
45 ssh "${config.install.target}" \
46 install -D -m 400 -o root -g root /dev/stdin "${config.security.initrd.stage2Dir}/${dst}"
47 '')
48 config.security.initrd.secrets
49 );
50 boot.initrd.secrets = mapAttrs'
51 (dst: src:
52 nameValuePair
53 "${config.security.initrd.stage1Dir}/${dst}"
54 "${config.security.initrd.stage2Dir}/${dst}"
55 )
56 config.security.initrd.secrets;
57 };
58 }