modularize the secrets-permissions module

common/secrets-permissions.nix

@@ -1,8 +1,22 @@
 # This module enforces permissions on secrets stored on the machines.
 
-{ config, ... }:
+{ config, lib, ... }:
 
+with lib;
+
+let
+  cfg = config.custom.secrets;
+in
 {
+  options.custom.secrets = {
+    extraCommands = mkOption {
+      default = "";
+      type = types.lines;
+      description = lib.mdDoc "extra commands to populate /etc/secrets";
+    };
+  };
+
+  config = {
     system.activationScripts."secrets-permissions" = ''
       # Default to restrictive permissions on secrets.
       # Root can alway read/write/traverse directories no matter the permissions
@@ -18,7 +32,6 @@
       # The top directory must be readable and traversable by thoses who need to
       # access secrets.
       chmod 755 /etc/secrets
-
+    '' + cfg.extraCommands;
-    # ... add chowns & chmods to specific users/groups when needed
+  };
-  '';
 }

pastila/smtp.nix

@@ -922,24 +922,8 @@ dovecot_plain:
     group = config.services.exim.group;
   };
 
-  # FIXME
   environment.systemPackages = [ pkgs.acl ];
-  system.activationScripts."secrets-permissions" = lib.mkForce ''
+  custom.secrets.extraCommands = ''
-    # Default to restrictive permissions on secrets.
-    # Root can alway read/write/traverse directories no matter the permissions
-    # set.
-
-    mkdir -p /etc/secrets
-
-    chown --recursive root:root /etc/secrets
-    chmod --recursive 600 /etc/secrets
-
-    # Relax permissions on some secrets.
-
-    # The top directory must be readable and traversable by thoses who need to
-    # access secrets.
-    chmod 755 /etc/secrets
-
     mkdir -p /etc/secrets/exim/virtual
     mkdir -p /etc/secrets/exim/domains
     chmod 700 /etc/secrets/exim