forked from clan/clan-core
Compare commits
1 Commits
main
...
facts_refa
Author | SHA1 | Date | |
---|---|---|---|
17a01942b5 |
@ -19,7 +19,7 @@
|
|||||||
}
|
}
|
||||||
{
|
{
|
||||||
# secret override
|
# secret override
|
||||||
clanCore.secrets.matrix-synapse.secrets.synapse-registration_shared_secret.path = "${./synapse-registration_shared_secret}";
|
clanCore.facts.services.matrix-synapse.public.synapse-registration_shared_secret.path = "${./synapse-registration_shared_secret}";
|
||||||
services.nginx.virtualHosts."matrix.clan.test" = {
|
services.nginx.virtualHosts."matrix.clan.test" = {
|
||||||
enableACME = lib.mkForce false;
|
enableACME = lib.mkForce false;
|
||||||
forceSSL = lib.mkForce false;
|
forceSSL = lib.mkForce false;
|
||||||
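Review bot: The test override for the synapse registration secret now targets `clanCore.facts.services.matrix-synapse.public.…`, while the same value is declared under `secret."synapse-registration_shared_secret" = { };` in the `@ -54,14 +54,14 @@` hunk and consumed there through `.secret.…path` in the ExecStartPre script, so this override would no longer reach the path the service actually reads (assuming the facts.services form is the new side). It should read `clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path = "${./synapse-registration_shared_secret}";`. Declaring a registration secret under `public` also matters beyond the lookup: if public facts are stored unencrypted in the repo, as the zerotier comment in this commit suggests, the namespace decides whether the secret is protected at rest.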
|
@ -19,7 +19,7 @@
|
|||||||
"syncthing.key".source = ./introducer/introducer_test_key;
|
"syncthing.key".source = ./introducer/introducer_test_key;
|
||||||
"syncthing.api".source = ./introducer/introducer_test_api;
|
"syncthing.api".source = ./introducer/introducer_test_api;
|
||||||
};
|
};
|
||||||
clanCore.secrets.syncthing.secrets."syncthing.api".path = "/etc/syncthing.api";
|
clanCore.facts.services.syncthing.secret."syncthing.api".path = "/etc/syncthing.api";
|
||||||
services.syncthing.cert = "/etc/syncthing.pam";
|
services.syncthing.cert = "/etc/syncthing.pam";
|
||||||
services.syncthing.key = "/etc/syncthing.key";
|
services.syncthing.key = "/etc/syncthing.key";
|
||||||
# Doesn't test zerotier!
|
# Doesn't test zerotier!
|
||||||
|
@ -26,7 +26,7 @@ in
|
|||||||
rsh = lib.mkOption {
|
rsh = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
default = "ssh -i ${
|
default = "ssh -i ${
|
||||||
config.clanCore.secrets.borgbackup.secrets."borgbackup.ssh".path
|
config.clanCore.facts.services.borgbackup.secret."borgbackup.ssh".path
|
||||||
} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
|
} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
|
||||||
description = "the rsh to use for the backup";
|
description = "the rsh to use for the backup";
|
||||||
};
|
};
|
||||||
@ -63,7 +63,7 @@ in
|
|||||||
|
|
||||||
encryption = {
|
encryption = {
|
||||||
mode = "repokey";
|
mode = "repokey";
|
||||||
passCommand = "cat ${config.clanCore.secrets.borgbackup.secrets."borgbackup.repokey".path}";
|
passCommand = "cat ${config.clanCore.facts.services.borgbackup.secret."borgbackup.repokey".path}";
|
||||||
};
|
};
|
||||||
|
|
||||||
prune.keep = {
|
prune.keep = {
|
||||||
@ -74,10 +74,10 @@ in
|
|||||||
};
|
};
|
||||||
}) cfg.destinations;
|
}) cfg.destinations;
|
||||||
|
|
||||||
clanCore.secrets.borgbackup = {
|
clanCore.facts.services.borgbackup = {
|
||||||
facts."borgbackup.ssh.pub" = { };
|
public."borgbackup.ssh.pub" = { };
|
||||||
secrets."borgbackup.ssh" = { };
|
secret."borgbackup.ssh" = { };
|
||||||
secrets."borgbackup.repokey" = { };
|
secret."borgbackup.repokey" = { };
|
||||||
generator.path = [
|
generator.path = [
|
||||||
pkgs.openssh
|
pkgs.openssh
|
||||||
pkgs.coreutils
|
pkgs.coreutils
|
||||||
|
@ -54,14 +54,14 @@ in
|
|||||||
systemd.services.matrix-synapse.serviceConfig.ExecStartPre = [
|
systemd.services.matrix-synapse.serviceConfig.ExecStartPre = [
|
||||||
"+${pkgs.writeScript "copy_registration_shared_secret" ''
|
"+${pkgs.writeScript "copy_registration_shared_secret" ''
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
cp ${config.clanCore.secrets.matrix-synapse.secrets.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml
|
cp ${config.clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml
|
||||||
chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/registration_shared_secret.yaml
|
chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/registration_shared_secret.yaml
|
||||||
chmod 600 /var/lib/matrix-synapse/registration_shared_secret.yaml
|
chmod 600 /var/lib/matrix-synapse/registration_shared_secret.yaml
|
||||||
''}"
|
''}"
|
||||||
];
|
];
|
||||||
|
|
||||||
clanCore.secrets."matrix-synapse" = {
|
clanCore.facts.services."matrix-synapse" = {
|
||||||
secrets."synapse-registration_shared_secret" = { };
|
secret."synapse-registration_shared_secret" = { };
|
||||||
generator.path = with pkgs; [
|
generator.path = with pkgs; [
|
||||||
coreutils
|
coreutils
|
||||||
pwgen
|
pwgen
|
||||||
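Review bot: The renamed `cp` line in the ExecStartPre script still creates the copy of the registration secret before the following `chown` and `chmod 600`, so for a moment the file exists in /var/lib/matrix-synapse with the umask-derived mode rather than 0600. A single `install -m 600 -o matrix-synapse -g matrix-synapse ${config.clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml` creates it with the final owner and mode in one step and replaces all three lines. `install` is from the same coreutils as the unqualified `cp`/`chown`/`chmod` the script already relies on, and the `+` prefix already gives the script the root privileges it needs.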
|
@ -13,10 +13,10 @@ in
|
|||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d '/var/lib/moonlight' 0770 'user' 'users' - -"
|
"d '/var/lib/moonlight' 0770 'user' 'users' - -"
|
||||||
"C '/var/lib/moonlight/moonlight.cert' 0644 'user' 'users' - ${
|
"C '/var/lib/moonlight/moonlight.cert' 0644 'user' 'users' - ${
|
||||||
config.clanCore.secrets.moonlight.secrets."moonlight.cert".path or ""
|
config.clanCore.facts.services.moonlight.secret."moonlight.cert".path or ""
|
||||||
}"
|
}"
|
||||||
"C '/var/lib/moonlight/moonlight.key' 0644 'user' 'users' - ${
|
"C '/var/lib/moonlight/moonlight.key' 0644 'user' 'users' - ${
|
||||||
config.clanCore.secrets.moonlight.secrets."moonlight.key".path or ""
|
config.clanCore.facts.services.moonlight.secret."moonlight.key".path or ""
|
||||||
}"
|
}"
|
||||||
];
|
];
|
||||||
|
|
||||||
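Review bot: The consumers renamed here read `config.clanCore.facts.services.moonlight.secret."moonlight.cert".path` and `.secret."moonlight.key".path` (and the `@ -45,7 +45,7 @@` hunk reads `.public."moonlight.cert".value`), but the declaration in the `@ -68,7 +68,7 @@` hunk only renames the parent to `clanCore.facts.services.moonlight` and keeps `secrets."moonlight.key"`, `secrets."moonlight.cert"` and `facts."moonlight.cert"`, unlike every other service in this commit (borgbackup, openssh, sunshine, syncthing and zerotier all switch to `secret.`/`public.`). Unless the new option set still accepts the old attribute names, these lookups fall through to the `or ""` fallbacks and yield a tmpfiles `C` rule with an empty source and a `--cert ''` argument instead of an evaluation error, so the mismatch would only surface at runtime. The declaration should become `secret."moonlight.key" = { };`, `secret."moonlight.cert" = { };`, `public."moonlight.cert" = { };`. Consider also dropping the `or ""` fallbacks on these paths now that the names are settled, so a wrong attribute path fails at eval time rather than silently copying nothing.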
@ -45,7 +45,7 @@ in
|
|||||||
systemd.user.services.moonlight-join = {
|
systemd.user.services.moonlight-join = {
|
||||||
description = "Join sunshine hosts";
|
description = "Join sunshine hosts";
|
||||||
script = ''${ms-accept}/bin/moonlight-sunshine-accept moonlight join --port ${builtins.toString defaultPort} --cert '${
|
script = ''${ms-accept}/bin/moonlight-sunshine-accept moonlight join --port ${builtins.toString defaultPort} --cert '${
|
||||||
config.clanCore.secrets.moonlight.facts."moonlight.cert".value or ""
|
config.clanCore.facts.services.moonlight.public."moonlight.cert".value or ""
|
||||||
}' --host fd2e:25da:6035:c98f:cd99:93e0:b9b8:9ca1'';
|
}' --host fd2e:25da:6035:c98f:cd99:93e0:b9b8:9ca1'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
@ -68,7 +68,7 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
clanCore.secrets.moonlight = {
|
clanCore.facts.services.moonlight = {
|
||||||
secrets."moonlight.key" = { };
|
secrets."moonlight.key" = { };
|
||||||
secrets."moonlight.cert" = { };
|
secrets."moonlight.cert" = { };
|
||||||
facts."moonlight.cert" = { };
|
facts."moonlight.cert" = { };
|
||||||
|
@ -4,14 +4,14 @@
|
|||||||
|
|
||||||
services.openssh.hostKeys = [
|
services.openssh.hostKeys = [
|
||||||
{
|
{
|
||||||
path = config.clanCore.secrets.openssh.secrets."ssh.id_ed25519".path;
|
path = config.clanCore.facts.services.openssh.secret."ssh.id_ed25519".path;
|
||||||
type = "ed25519";
|
type = "ed25519";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
clanCore.secrets.openssh = {
|
clanCore.facts.services.openssh = {
|
||||||
secrets."ssh.id_ed25519" = { };
|
secret."ssh.id_ed25519" = { };
|
||||||
facts."ssh.id_ed25519.pub" = { };
|
public."ssh.id_ed25519.pub" = { };
|
||||||
generator.path = [
|
generator.path = [
|
||||||
pkgs.coreutils
|
pkgs.coreutils
|
||||||
pkgs.openssh
|
pkgs.openssh
|
||||||
|
@ -97,10 +97,10 @@ in
|
|||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d '/var/lib/sunshine' 0770 'user' 'users' - -"
|
"d '/var/lib/sunshine' 0770 'user' 'users' - -"
|
||||||
"C '/var/lib/sunshine/sunshine.cert' 0644 'user' 'users' - ${
|
"C '/var/lib/sunshine/sunshine.cert' 0644 'user' 'users' - ${
|
||||||
config.clanCore.secrets.sunshine.secrets."sunshine.cert".path or ""
|
config.clanCore.facts.services.sunshine.secret."sunshine.cert".path or ""
|
||||||
}"
|
}"
|
||||||
"C '/var/lib/sunshine/sunshine.key' 0644 'user' 'users' - ${
|
"C '/var/lib/sunshine/sunshine.key' 0644 'user' 'users' - ${
|
||||||
config.clanCore.secrets.sunshine.secrets."sunshine.key".path or ""
|
config.clanCore.facts.services.sunshine.secret."sunshine.key".path or ""
|
||||||
}"
|
}"
|
||||||
];
|
];
|
||||||
|
|
||||||
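Review bot: The `C` rule for `/var/lib/sunshine/sunshine.key` copies the renamed secret with mode 0644, so the private key is readable by every member of the `users` group that owns the 0770 directory; `0600` (or 0640 if group access is genuinely needed) would limit it to the service user, while the cert copy can stay 0644. The same applies to the moonlight key rule in the `@ -13,10 +13,10 @@` hunk. The mode predates this commit, but since the rule's source path is being rewritten here it is a natural point to tighten it.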
@ -117,8 +117,8 @@ in
|
|||||||
RestartSec = "5s";
|
RestartSec = "5s";
|
||||||
ReadWritePaths = [ "/var/lib/sunshine" ];
|
ReadWritePaths = [ "/var/lib/sunshine" ];
|
||||||
ReadOnlyPaths = [
|
ReadOnlyPaths = [
|
||||||
(config.clanCore.secrets.sunshine.secrets."sunshine.key".path or "")
|
(config.clanCore.facts.services.sunshine.secret."sunshine.key".path or "")
|
||||||
(config.clanCore.secrets.sunshine.secrets."sunshine.cert".path or "")
|
(config.clanCore.facts.services.sunshine.secret."sunshine.cert".path or "")
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
wantedBy = [ "graphical-session.target" ];
|
wantedBy = [ "graphical-session.target" ];
|
||||||
@ -137,7 +137,7 @@ in
|
|||||||
startLimitIntervalSec = 500;
|
startLimitIntervalSec = 500;
|
||||||
script = ''
|
script = ''
|
||||||
${ms-accept}/bin/moonlight-sunshine-accept sunshine init-state --uuid ${
|
${ms-accept}/bin/moonlight-sunshine-accept sunshine init-state --uuid ${
|
||||||
config.clanCore.secrets.sunshine.facts.sunshine-uuid.value or null
|
config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null
|
||||||
} --state-file /var/lib/sunshine/state.json
|
} --state-file /var/lib/sunshine/state.json
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
@ -173,9 +173,9 @@ in
|
|||||||
startLimitIntervalSec = 500;
|
startLimitIntervalSec = 500;
|
||||||
script = ''
|
script = ''
|
||||||
${ms-accept}/bin/moonlight-sunshine-accept sunshine listen --port ${builtins.toString listenPort} --uuid ${
|
${ms-accept}/bin/moonlight-sunshine-accept sunshine listen --port ${builtins.toString listenPort} --uuid ${
|
||||||
config.clanCore.secrets.sunshine.facts.sunshine-uuid.value or null
|
config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null
|
||||||
} --state /var/lib/sunshine/state.json --cert '${
|
} --state /var/lib/sunshine/state.json --cert '${
|
||||||
config.clanCore.secrets.sunshine.facts."sunshine.cert".value or null
|
config.clanCore.facts.services.sunshine.public."sunshine.cert".value or null
|
||||||
}'
|
}'
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
@ -187,11 +187,11 @@ in
|
|||||||
wantedBy = [ "graphical-session.target" ];
|
wantedBy = [ "graphical-session.target" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
clanCore.secrets.sunshine = {
|
clanCore.facts.services.sunshine = {
|
||||||
secrets."sunshine.key" = { };
|
secret."sunshine.key" = { };
|
||||||
secrets."sunshine.cert" = { };
|
secret."sunshine.cert" = { };
|
||||||
facts."sunshine-uuid" = { };
|
public."sunshine-uuid" = { };
|
||||||
facts."sunshine.cert" = { };
|
public."sunshine.cert" = { };
|
||||||
generator.path = [
|
generator.path = [
|
||||||
pkgs.coreutils
|
pkgs.coreutils
|
||||||
ms-accept
|
ms-accept
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
id = lib.mkOption {
|
id = lib.mkOption {
|
||||||
type = lib.types.nullOr lib.types.str;
|
type = lib.types.nullOr lib.types.str;
|
||||||
example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS";
|
example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS";
|
||||||
default = config.clanCore.secrets.syncthing.facts."syncthing.pub".value or null;
|
default = config.clanCore.facts.services.syncthing.public."syncthing.pub".value or null;
|
||||||
};
|
};
|
||||||
introducer = lib.mkOption {
|
introducer = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
@ -112,7 +112,7 @@
|
|||||||
getPendingDevices = "/rest/cluster/pending/devices";
|
getPendingDevices = "/rest/cluster/pending/devices";
|
||||||
postNewDevice = "/rest/config/devices";
|
postNewDevice = "/rest/config/devices";
|
||||||
SharedFolderById = "/rest/config/folders/";
|
SharedFolderById = "/rest/config/folders/";
|
||||||
apiKey = config.clanCore.secrets.syncthing.secrets."syncthing.api".path or null;
|
apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;
|
||||||
in
|
in
|
||||||
lib.mkIf config.clan.syncthing.autoAcceptDevices {
|
lib.mkIf config.clan.syncthing.autoAcceptDevices {
|
||||||
description = "Syncthing auto accept devices";
|
description = "Syncthing auto accept devices";
|
||||||
@ -154,7 +154,7 @@
|
|||||||
|
|
||||||
systemd.services.syncthing-init-api-key =
|
systemd.services.syncthing-init-api-key =
|
||||||
let
|
let
|
||||||
apiKey = config.clanCore.secrets.syncthing.secrets."syncthing.api".path or null;
|
apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;
|
||||||
in
|
in
|
||||||
lib.mkIf config.clan.syncthing.autoAcceptDevices {
|
lib.mkIf config.clan.syncthing.autoAcceptDevices {
|
||||||
description = "Set the api key";
|
description = "Set the api key";
|
||||||
@ -176,11 +176,11 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
clanCore.secrets.syncthing = {
|
clanCore.facts.services.syncthing = {
|
||||||
secrets."syncthing.key" = { };
|
secret."syncthing.key" = { };
|
||||||
secrets."syncthing.cert" = { };
|
secret."syncthing.cert" = { };
|
||||||
secrets."syncthing.api" = { };
|
secret."syncthing.api" = { };
|
||||||
facts."syncthing.pub" = { };
|
public."syncthing.pub" = { };
|
||||||
generator.path = [
|
generator.path = [
|
||||||
pkgs.coreutils
|
pkgs.coreutils
|
||||||
pkgs.gnugrep
|
pkgs.gnugrep
|
||||||
|
@ -6,7 +6,7 @@
|
|||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
cfg = config.clan.networking.zerotier;
|
cfg = config.clan.networking.zerotier;
|
||||||
facts = config.clanCore.secrets.zerotier.facts or { };
|
facts = config.clanCore.facts.services.zerotier.public or { };
|
||||||
genMoonScript = pkgs.runCommand "genmoon" { nativeBuildInputs = [ pkgs.python3 ]; } ''
|
genMoonScript = pkgs.runCommand "genmoon" { nativeBuildInputs = [ pkgs.python3 ]; } ''
|
||||||
install -Dm755 ${./genmoon.py} $out/bin/genmoon
|
install -Dm755 ${./genmoon.py} $out/bin/genmoon
|
||||||
patchShebangs $out/bin/genmoon
|
patchShebangs $out/bin/genmoon
|
||||||
@ -112,7 +112,7 @@ in
|
|||||||
|
|
||||||
systemd.services.zerotierone.serviceConfig.ExecStartPre = [
|
systemd.services.zerotierone.serviceConfig.ExecStartPre = [
|
||||||
"+${pkgs.writeShellScript "init-zerotier" ''
|
"+${pkgs.writeShellScript "init-zerotier" ''
|
||||||
cp ${config.clanCore.secrets.zerotier.secrets.zerotier-identity-secret.path} /var/lib/zerotier-one/identity.secret
|
cp ${config.clanCore.facts.services.zerotier.secret.zerotier-identity-secret.path} /var/lib/zerotier-one/identity.secret
|
||||||
zerotier-idtool getpublic /var/lib/zerotier-one/identity.secret > /var/lib/zerotier-one/identity.public
|
zerotier-idtool getpublic /var/lib/zerotier-one/identity.secret > /var/lib/zerotier-one/identity.public
|
||||||
|
|
||||||
${lib.optionalString (cfg.controller.enable) ''
|
${lib.optionalString (cfg.controller.enable) ''
|
||||||
@ -180,10 +180,10 @@ in
|
|||||||
(lib.mkIf cfg.controller.enable {
|
(lib.mkIf cfg.controller.enable {
|
||||||
# only the controller needs to have the key in the repo, the other clients can be dynamic
|
# only the controller needs to have the key in the repo, the other clients can be dynamic
|
||||||
# we generate the zerotier code manually for the controller, since it's part of the bootstrap command
|
# we generate the zerotier code manually for the controller, since it's part of the bootstrap command
|
||||||
clanCore.secrets.zerotier = {
|
clanCore.facts.services.zerotier = {
|
||||||
facts.zerotier-ip = { };
|
public.zerotier-ip = { };
|
||||||
facts.zerotier-network-id = { };
|
public.zerotier-network-id = { };
|
||||||
secrets.zerotier-identity-secret = { };
|
secret.zerotier-identity-secret = { };
|
||||||
generator.path = [
|
generator.path = [
|
||||||
config.services.zerotierone.package
|
config.services.zerotierone.package
|
||||||
pkgs.fakeroot
|
pkgs.fakeroot
|
||||||
@ -201,9 +201,9 @@ in
|
|||||||
environment.systemPackages = [ config.clanCore.clanPkgs.zerotier-members ];
|
environment.systemPackages = [ config.clanCore.clanPkgs.zerotier-members ];
|
||||||
})
|
})
|
||||||
(lib.mkIf (!cfg.controller.enable && cfg.networkId != null) {
|
(lib.mkIf (!cfg.controller.enable && cfg.networkId != null) {
|
||||||
clanCore.secrets.zerotier = {
|
clanCore.facts.services.zerotier = {
|
||||||
facts.zerotier-ip = { };
|
public.zerotier-ip = { };
|
||||||
secrets.zerotier-identity-secret = { };
|
secret.zerotier-identity-secret = { };
|
||||||
generator.path = [
|
generator.path = [
|
||||||
config.services.zerotierone.package
|
config.services.zerotierone.package
|
||||||
pkgs.python3
|
pkgs.python3
|
||||||
|