traits: consistently describe manageSecrets options

author: seth <[email protected]> 2024-02-08 21:06:05 -0500
committer: seth <[email protected]> 2024-02-09 01:17:16 -0500
commit: ad495f74ff4b9c276ba4c5f109c04eb0723b5d41 (patch)
tree: 153fee230ee3c465f609eec078be476e5f65c09c /modules/nixos/traits/hercules.nix
parent: 3b2a1241d5e23b71009db5a5a7e962a317e436ee (diff)
1 files changed, 26 insertions, 22 deletions
diff --git a/modules/nixos/traits/hercules.nix b/modules/nixos/traits/hercules.nix
index fc3dbd0..14e8c12 100644
--- a/modules/nixos/traits/hercules.nix
+++ b/modules/nixos/traits/hercules.nix
@@ -9,39 +9,43 @@
 in {
   options.traits.hercules-ci = {
     enable = lib.mkEnableOption "hercules-ci";
-    manageSecrets = lib.mkEnableOption "automatic secrets management";
+    manageSecrets =
+      lib.mkEnableOption "automatic secrets management"
+      // {
+        default = config.traits.secrets.enable;
+      };
   };
 
   config = lib.mkIf cfg.enable (
     lib.mkMerge [
       {
-        services = {
-          hercules-ci-agent = {
-            enable = true;
-            package = unstable.hercules-ci-agent;
-            settings = {
-              binaryCachesPath = config.age.secrets.binaryCache.path;
-              clusterJoinTokenPath = config.age.secrets.clusterToken.path;
-              secretsJsonPath = config.age.secrets.secretsJson.path;
-            };
-          };
+        services.hercules-ci-agent = {
+          enable = true;
+          package = unstable.hercules-ci-agent;
         };
       }
 
       (let
-        hercArgs = {
-          mode = "400";
-          owner = "hercules-ci-agent";
-          group = "hercules-ci-agent";
-        };
-
-        mkSecrets = lib.mapAttrs (_: file: lib.recursiveUpdate hercArgs {inherit file;});
+        secretNames = [
+          "binaryCaches"
+          "clusterJoinToken"
+          "secretsJson"
+        ];
       in
         lib.mkIf cfg.manageSecrets {
-          age.secrets = mkSecrets {
-            binaryCache = secretsDir + "/binaryCache.age";
-            clusterToken = secretsDir + "/clusterToken.age";
-            secretsJson = secretsDir + "/secretsJson.age";
+          age.secrets = lib.genAttrs secretNames (
+            file: {
+              file = "${secretsDir}/${file}.age";
+              mode = "400";
+              owner = "hercules-ci-agent";
+              group = "hercules-ci-agent";
+            }
+          );
+
+          services.hercules-ci-agent = {
+            settings = lib.mapAttrs' (name: lib.nameValuePair (name + "Path")) (
+              lib.genAttrs secretNames (name: config.age.secrets.${name}.path)
+            );
           };
         })
     ]
author	seth <[email protected]>	2024-02-08 21:06:05 -0500
committer	seth <[email protected]>	2024-02-09 01:17:16 -0500
commit	ad495f74ff4b9c276ba4c5f109c04eb0723b5d41 (patch)
tree	153fee230ee3c465f609eec078be476e5f65c09c /modules/nixos/traits/hercules.nix
parent	3b2a1241d5e23b71009db5a5a7e962a317e436ee (diff)