authorFranck Cuny <franck@fcuny.net>2022-04-13 13:49:17 -0700
committerFranck Cuny <franck@fcuny.net>2022-04-13 13:49:17 -0700
commitfb13f9d23a34812a6fa0407557b207a8636663cf (patch)
tree6ac8b6d8650c32d262953cc0b3f7722fff072b85 /modules
parentgrafana: use proper cert (diff)
downloadworld-fb13f9d23a34812a6fa0407557b207a8636663cf.tar.gz
secrets: we can specify which user owns it
Diffstat (limited to 'modules')
-rw-r--r--modules/secrets/default.nix9
1 files changed, 7 insertions, 2 deletions
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 20dbfd2..296f5fc 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -9,12 +9,17 @@ in {
 
   config.age = {
     secrets = let
+      toName = lib.removeSuffix ".age";
       userExists = u: builtins.hasAttr u config.users.users;
       # Only set the user if it exists, to avoid warnings
       userIfExists = u: if userExists u then u else "root";
+      toSecret = name:
+        { owner ? "root", ... }: {
+          file = "${secretsDir}/${name}";
+          owner = lib.mkDefault (userIfExists owner);
+        };
     in if pathExists secretsFile then
-      mapAttrs' (n: _:
-        nameValuePair (removeSuffix ".age" n) { file = "${secretsDir}/${n}"; })
+      mapAttrs' (n: v: nameValuePair (toName n) (toSecret n v))
       (import secretsFile)
     else
       { };
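Review bot: In `toSecret`, the pattern `{ owner ? "root", ... }` accepts any extra attributes in a secret's entry but silently discards them — only `owner` is propagated into the generated secret, so a per-secret `mode` or `group` written in the secrets file would have no effect and nobody would be told. If the intent is to let the secrets file carry only the owner, say so next to the pattern, e.g. `# only \`owner\` is honoured; other keys in the secrets file are ignored`; if other keys should pass through, a shape like `toSecret = name: v: { file = "${secretsDir}/${name}"; owner = lib.mkDefault (userIfExists (v.owner or "root")); } // builtins.removeAttrs v [ "owner" ];` keeps the owner handling while forwarding the rest (whether agenix accepts every forwarded key is for the caller to confirm). Relatedly, `userIfExists` makes a secret whose declared owner is not defined on this host end up owned by root without any trace, which is the kind of quiet misconfiguration that surfaces only when the service cannot read its file; a short comment at the `owner =` line noting that fallback, or a `lib.warnIf` on `!userExists owner`, would make it visible at evaluation time. The enclosing `config.age` attribute set begins before the hunk.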