syncoid: add support for LoadCredentialEncrypted=

NixOS · Oct 8, 2022 · 4d51cf6 · 4d51cf6
1 parent a28d0ec
commit 4d51cf6
Showing 1 changed file with 13 additions and 10 deletions.
diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix
@@ -47,13 +47,13 @@ in
     };
 
     sshKey = mkOption {
-      type = types.nullOr types.path;
-      # Prevent key from being copied to store
-      apply = mapNullable toString;
+      type = types.nullOr types.str;
       default = null;
       description = lib.mdDoc ''
         SSH private key file to use to login to the remote system. Can be
         overridden in individual commands.
+        The key is decrypted using `LoadCredentialEncrypted`
+        whenever the file begins with a credential name and a colon.
         For more SSH tuning, you may use syncoid's `--sshoption`
         in {option}`services.syncoid.commonArgs`
         and/or in the `extraArgs` of a specific command.
@@ -130,9 +130,7 @@ in
           recursive = mkEnableOption (lib.mdDoc ''the transfer of child datasets'');
 
           sshKey = mkOption {
-            type = types.nullOr types.path;
-            # Prevent key from being copied to store
-            apply = mapNullable toString;
+            type = types.nullOr types.str;
             description = lib.mdDoc ''
               SSH private key file to use to login to the remote system.
               Defaults to {option}`services.syncoid.sshKey` option.
@@ -229,7 +227,9 @@ in
     ];
 
     systemd.services = mapAttrs'
-      (name: c:
+      (name: c: let
+          sshKeyCred = builtins.split ":" c.sshKey;
+        in
         nameValuePair "syncoid-${escapeUnitName name}" (mkMerge [
           {
             description = "Syncoid ZFS synchronization from ${c.source} to ${c.target}";
@@ -281,7 +281,7 @@ in
               ExecStart = escapeShellArgs ([ "${pkgs.sanoid}/bin/syncoid" ]
                 ++ optionals c.useCommonArgs cfg.commonArgs
                 ++ optional c.recursive "--recursive"
-                ++ optionals (c.sshKey != null) [ "--sshkey" "\${CREDENTIALS_DIRECTORY}/ssh-key" ]
+                ++ optionals (c.sshKey != null) [ "--sshkey" "\${CREDENTIALS_DIRECTORY}/${if length sshKeyCred > 1 then head sshKeyCred else "sshKey"}" ]
                 ++ c.extraArgs
                 ++ [
                 "--sendoptions"
@@ -293,7 +293,6 @@ in
                 c.target
               ]);
               DynamicUser = true;
-              LoadCredential = [ "ssh-key:${c.sshKey}" ];
               # Prevent SSH control sockets of different syncoid services from interfering
               PrivateTmp = true;
               # Permissive access to /proc because syncoid
@@ -354,7 +353,11 @@ in
               # This is for BindPaths= and BindReadOnlyPaths=
               # to allow traversal of directories they create in RootDirectory=.
               UMask = "0066";
-            };
+            } //
+            (
+            if length sshKeyCred > 1
+            then { LoadCredentialEncrypted = [ c.sshKey ]; }
+            else { LoadCredential = [ "sshKey:${c.sshKey}" ]; });
           }
           cfg.service
           c.service