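# NixOS/NixOps-style module: relocates every `deployment.secrets.<name>`
# to /etc/secrets/<name> and materialises the files there.
#
# The `@args` alias the original bound here was never used (and neither is
# `pkgs`), so both are dropped; `...` still accepts every module argument.
{ config, lib, ... }:
let
  cfg = config.deployment;
in {
  # Force secrets to be in /etc/secrets instead of the default.
  # Most modules default to `/run/keys` which is deleted on boot.
  # Since the local private keys are in VCS anyway, this is safe.
  #
  # NOTE(review): that argument only covers exposure through VCS. What lands
  # on the host is exposed as well: each secret is written world-readable
  # (mode "0444" below), and because NixOS realises
  # `environment.etc.<name>.text` as a Nix store path, a second
  # world-readable copy of every secret's contents sits under /nix/store.
  # Any local user or process can read them. If that is not acceptable for
  # these keys, tighten the mode (e.g. "0400" plus an explicit owner) and use
  # a key-deployment mechanism that keeps the contents out of the store.
  options = {
    # Every secret `k` is pinned to /etc/secrets/k, overriding whatever
    # `destination` the caller set on it.
    deployment.secrets = lib.mkOption {
      apply = lib.mapAttrs (k: v: v // { destination = "/etc/secrets/${k}"; });
    };
  };

  # Actually put the secrets into /etc/secrets: one environment.etc entry
  # named "secrets/<name>" per secret, contents read at evaluation time.
  config = {
    environment.etc = lib.mapAttrs'
      (k: v: lib.nameValuePair "secrets/${k}" {
        mode = "0444";  # world-readable on purpose per the comment above; see NOTE(review)
        text = lib.readFile v.source;
      })
      cfg.secrets;
  };
}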