
Option to remove secrets

Open pinpox opened this issue 2 years ago • 2 comments

Would it be possible to add some mechanism to remove secrets when they are removed from the configuration?

Consider two configured secrets like this:

    keys = {
      "test-secret1" = {
        keyCommand = [ "pass" "show" "nixos-secrets/ahorn/borg/passphrase1" ];
        destDir = "/var/src/colmena-keys";
      };
      "test-secret2" = {
        keyCommand = [ "pass" "show" "nixos-secrets/ahorn/borg/passphrase2" ];
        destDir = "/var/src/colmena-keys";
      };
    };

Which results in /var/src/colmena-keys/test-secret1 and /var/src/colmena-keys/test-secret2 being created. If I remove one of those and re-deploy the configuration though, the file containing the secret will still be present on that host.

It would be nice to have an option to "clear" the secrets directory (in this case /var/src/colmena-keys) before copying all secrets, so that only keys present in the configuration will be present after a rebuild.

The default, temporary, location is not a solution for this problem as-is, because it requires to upload the keys again after a reboot. I have also considered adding something like

    # Directory matches the destDir used for the keys above.
    system.activationScripts.clean-secrets-dir = ''
      rm -rf /var/src/colmena-keys/*
    '';

But I'm not sure if that would run before or after the copying of the secrets.

pinpox avatar Feb 10 '22 14:02 pinpox

One way is to have a list of secret files saved somewhere, and on activation perform a diff and delete those that are no longer in the new configuration.

zhaofengli avatar Feb 10 '22 18:02 zhaofengli
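The manifest-and-diff approach suggested above, written out as an added example (this is not colmena's own code and not part of the thread): a POSIX shell function that an activation script could call. The directory, the manifest file location and the argument convention (directory, manifest, then the names of the secrets in the current configuration) are assumptions for the example; the secret names match the ones in the issue. It assumes the caller passes the complete list of currently configured secret names on every run.

```shell
#!/bin/sh
# Added example, not colmena's code. Prunes secret files that an earlier
# generation deployed but that are no longer in the configuration.
#
# Hypothetical calling convention:
#   $1       directory holding the deployed secrets (e.g. /var/src/colmena-keys)
#   $2       manifest file listing the secret files this script manages
#   $3...    names of the secrets present in the *current* configuration
prune_secrets() {
    dir=$1
    manifest=$2
    shift 2

    # Write the new manifest: one secret name per line.
    new_manifest=$(mktemp)
    for name in "$@"; do
        printf '%s\n' "$name"
    done > "$new_manifest"

    # Delete only files the previous manifest says we deployed and that are
    # absent from the new manifest. Files we never recorded are left alone,
    # unlike "rm -rf $dir/*".
    if [ -f "$manifest" ]; then
        while IFS= read -r old; do
            [ -n "$old" ] || continue
            if ! grep -qxF -- "$old" "$new_manifest"; then
                if [ -f "$dir/$old" ]; then
                    # Overwrite before unlinking where shred is available.
                    if command -v shred >/dev/null 2>&1; then
                        shred -u -- "$dir/$old"
                    else
                        rm -f -- "$dir/$old"
                    fi
                fi
            fi
        done < "$manifest"
    fi

    # Persist what this generation manages so the next run can diff against it.
    mv "$new_manifest" "$manifest"
    chmod 0600 "$manifest"
}

# Example call with hypothetical paths:
#   prune_secrets /var/src/colmena-keys /var/src/colmena-keys/.manifest test-secret1
```

Because the function removes only secrets that were recorded in the previous manifest and are missing from the current list, it never touches a key that is still configured. That makes it indifferent to the ordering question raised in the issue: it gives the same result whether it runs before or after the keys are copied, which the blanket `rm -rf` of the directory does not. The manifest itself reveals secret names, so it should live with the same permissions as the secrets it describes.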

I'll see how I would go about implementing that, thanks for the hint! But wouldn't it be nice to have an option to execute commands pre/post deployment anyways? I imagine that could come in handy regardless of secrets.

pinpox avatar Feb 11 '22 08:02 pinpox