colmena
Option to remove secrets
Would it be possible to add some mechanism to remove secrets when they are removed from the configuration?
Consider two configured secrets like this:
```nix
keys = {
  "test-secret1" = {
    keyCommand = [ "pass" "show" "nixos-secrets/ahorn/borg/passphrase1" ];
    destDir = "/var/src/colmena-keys";
  };
  "test-secret2" = {
    keyCommand = [ "pass" "show" "nixos-secrets/ahorn/borg/passphrase2" ];
    destDir = "/var/src/colmena-keys";
  };
};
```
This results in /var/src/colmena-keys/test-secret1 and /var/src/colmena-keys/test-secret2 being created. If I remove one of those and re-deploy the configuration, though, the file containing the secret will still be present on that host.
It would be nice to have an option to "clear" the secrets directory (in this case /var/src/colmena-keys) before copying all secrets, so that only keys present in the configuration will be present after a rebuild.
The default, temporary location is not a solution for this problem as-is, because it requires uploading the keys again after a reboot. I have also considered adding something like
```nix
# Wipe the keys destDir on every activation (the stray closing brace has been
# dropped and the path matches the destDir configured above).
system.activationScripts.clean-secrets-dir = ''
  rm -rf /var/src/colmena-keys/*
'';
```
But I'm not sure if that would run before or after the copying of the secrets.
One way is to have a list of secret files saved somewhere, and on activation perform a diff and delete those that are no longer in the new configuration.
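The manifest-and-diff approach described in the comment above, written out as an added example; it is not colmena's own code and not part of this thread. The function name `prune_stale_keys`, the manifest location and the key names are assumptions. The previous deployment records the file names it placed in a manifest; the next run diffs that manifest against the names the new configuration declares, deletes only the entries that disappeared, and rewrites the manifest. Manifest entries containing a path separator are ignored so that a corrupted manifest cannot steer the deletion outside the keys directory.

```shell
#!/bin/sh
# Added example (not colmena's code): remove key files that an earlier
# deployment placed but the current configuration no longer declares.
#
# prune_stale_keys DIR MANIFEST NAME...
#   DIR      destDir where the keys are copied (assumption: flat directory)
#   MANIFEST file listing the names placed by the previous run, one per line
#   NAME...  names of the keys in the new configuration
prune_stale_keys() {
    dir=$1
    manifest=$2
    shift 2

    new_list=$(mktemp) || return 1
    stale_list=$(mktemp) || return 1

    # Sorted, de-duplicated set of names the new configuration declares.
    for name in "$@"; do
        printf '%s\n' "$name"
    done | sort -u > "$new_list"

    # Names present only in the old manifest (comm -23) are stale.
    # On the very first run there is no manifest, so nothing is stale.
    if [ -f "$manifest" ]; then
        sort -u "$manifest" | comm -23 - "$new_list" > "$stale_list"
    fi

    while IFS= read -r stale; do
        # Only a plain file name directly inside DIR is ever removed; entries
        # that are empty, ".", "..", or contain "/" are skipped so a tampered
        # or corrupted manifest cannot delete anything outside DIR.
        case "$stale" in
            ''|.|..|*/*) continue ;;
        esac
        if [ -f "$dir/$stale" ]; then
            rm -f -- "$dir/$stale"
        fi
    done < "$stale_list"

    # Record what this deployment placed, for the next run's diff.
    cp "$new_list" "$manifest"
    rm -f "$new_list" "$stale_list"
}

# Constructed demonstration mirroring the two keys from the issue: both were
# placed previously, only test-secret1 remains in the new configuration.
demo() {
    d=$(mktemp -d)
    : > "$d/test-secret1"
    : > "$d/test-secret2"
    printf 'test-secret1\ntest-secret2\n' > "$d/.keys-manifest"
    prune_stale_keys "$d" "$d/.keys-manifest" test-secret1
    ls -A "$d"
}
```

In a NixOS module this would be wired into an activation script that runs after the keys have been copied into `destDir`, with the manifest kept beside them; the names passed as `NAME...` would be generated from `builtins.attrNames` of the configured keys.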
I'll see how I would go about implementing that, thanks for the hint! But wouldn't it be nice to have an option to execute commands pre/post deployment anyways? I imagine that could come in handy regardless of secrets.