migrate secrets to new api
This commit is contained in:
parent
a8d35d37e7
commit
65d116ec28
@ -19,7 +19,7 @@
|
||||
}
|
||||
{
|
||||
# secret override
|
||||
clanCore.secrets.matrix-synapse.secrets.synapse-registration_shared_secret.path = "${./synapse-registration_shared_secret}";
|
||||
clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path = "${./synapse-registration_shared_secret}";
|
||||
services.nginx.virtualHosts."matrix.clan.test" = {
|
||||
enableACME = lib.mkForce false;
|
||||
forceSSL = lib.mkForce false;
|
||||
|
||||
@ -19,7 +19,7 @@
|
||||
"syncthing.key".source = ./introducer/introducer_test_key;
|
||||
"syncthing.api".source = ./introducer/introducer_test_api;
|
||||
};
|
||||
clanCore.secrets.syncthing.secrets."syncthing.api".path = "/etc/syncthing.api";
|
||||
clanCore.facts.services.syncthing.secret."syncthing.api".path = "/etc/syncthing.api";
|
||||
services.syncthing.cert = "/etc/syncthing.pam";
|
||||
services.syncthing.key = "/etc/syncthing.key";
|
||||
# Doesn't test zerotier!
|
||||
|
||||
@ -26,7 +26,7 @@ in
|
||||
rsh = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "ssh -i ${
|
||||
config.clanCore.secrets.borgbackup.secrets."borgbackup.ssh".path
|
||||
config.clanCore.facts.services.borgbackup.secret."borgbackup.ssh".path
|
||||
} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
|
||||
description = "the rsh to use for the backup";
|
||||
};
|
||||
@ -63,7 +63,7 @@ in
|
||||
|
||||
encryption = {
|
||||
mode = "repokey";
|
||||
passCommand = "cat ${config.clanCore.secrets.borgbackup.secrets."borgbackup.repokey".path}";
|
||||
passCommand = "cat ${config.clanCore.facts.services.borgbackup.secret."borgbackup.repokey".path}";
|
||||
};
|
||||
|
||||
prune.keep = {
|
||||
@ -74,10 +74,10 @@ in
|
||||
};
|
||||
}) cfg.destinations;
|
||||
|
||||
clanCore.secrets.borgbackup = {
|
||||
facts."borgbackup.ssh.pub" = { };
|
||||
secrets."borgbackup.ssh" = { };
|
||||
secrets."borgbackup.repokey" = { };
|
||||
clanCore.facts.services.borgbackup = {
|
||||
public."borgbackup.ssh.pub" = { };
|
||||
secret."borgbackup.ssh" = { };
|
||||
secret."borgbackup.repokey" = { };
|
||||
generator.path = [
|
||||
pkgs.openssh
|
||||
pkgs.coreutils
|
||||
|
||||
@ -54,14 +54,14 @@ in
|
||||
systemd.services.matrix-synapse.serviceConfig.ExecStartPre = [
|
||||
"+${pkgs.writeScript "copy_registration_shared_secret" ''
|
||||
#!/bin/sh
|
||||
cp ${config.clanCore.secrets.matrix-synapse.secrets.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml
|
||||
cp ${config.clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml
|
||||
chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/registration_shared_secret.yaml
|
||||
chmod 600 /var/lib/matrix-synapse/registration_shared_secret.yaml
|
||||
''}"
|
||||
];
|
||||
|
||||
clanCore.secrets."matrix-synapse" = {
|
||||
secrets."synapse-registration_shared_secret" = { };
|
||||
clanCore.facts.services."matrix-synapse" = {
|
||||
secret."synapse-registration_shared_secret" = { };
|
||||
generator.path = with pkgs; [
|
||||
coreutils
|
||||
pwgen
|
||||
|
||||
@ -13,10 +13,10 @@ in
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/var/lib/moonlight' 0770 'user' 'users' - -"
|
||||
"C '/var/lib/moonlight/moonlight.cert' 0644 'user' 'users' - ${
|
||||
config.clanCore.secrets.moonlight.secrets."moonlight.cert".path or ""
|
||||
config.clanCore.facts.services.moonlight.secret."moonlight.cert".path or ""
|
||||
}"
|
||||
"C '/var/lib/moonlight/moonlight.key' 0644 'user' 'users' - ${
|
||||
config.clanCore.secrets.moonlight.secrets."moonlight.key".path or ""
|
||||
config.clanCore.facts.services.moonlight.secret."moonlight.key".path or ""
|
||||
}"
|
||||
];
|
||||
|
||||
@ -45,7 +45,7 @@ in
|
||||
systemd.user.services.moonlight-join = {
|
||||
description = "Join sunshine hosts";
|
||||
script = ''${ms-accept}/bin/moonlight-sunshine-accept moonlight join --port ${builtins.toString defaultPort} --cert '${
|
||||
config.clanCore.secrets.moonlight.facts."moonlight.cert".value or ""
|
||||
config.clanCore.facts.services.moonlight.public."moonlight.cert".value or ""
|
||||
}' --host fd2e:25da:6035:c98f:cd99:93e0:b9b8:9ca1'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
@ -68,7 +68,7 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
clanCore.secrets.moonlight = {
|
||||
clanCore.facts.services.moonlight = {
|
||||
secrets."moonlight.key" = { };
|
||||
secrets."moonlight.cert" = { };
|
||||
facts."moonlight.cert" = { };
|
||||
|
||||
@ -4,14 +4,14 @@
|
||||
|
||||
services.openssh.hostKeys = [
|
||||
{
|
||||
path = config.clanCore.secrets.openssh.secrets."ssh.id_ed25519".path;
|
||||
path = config.clanCore.facts.services.openssh.secret."ssh.id_ed25519".path;
|
||||
type = "ed25519";
|
||||
}
|
||||
];
|
||||
|
||||
clanCore.secrets.openssh = {
|
||||
secrets."ssh.id_ed25519" = { };
|
||||
facts."ssh.id_ed25519.pub" = { };
|
||||
clanCore.facts.services.openssh = {
|
||||
secret."ssh.id_ed25519" = { };
|
||||
public."ssh.id_ed25519.pub" = { };
|
||||
generator.path = [
|
||||
pkgs.coreutils
|
||||
pkgs.openssh
|
||||
|
||||
@ -97,10 +97,10 @@ in
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/var/lib/sunshine' 0770 'user' 'users' - -"
|
||||
"C '/var/lib/sunshine/sunshine.cert' 0644 'user' 'users' - ${
|
||||
config.clanCore.secrets.sunshine.secrets."sunshine.cert".path or ""
|
||||
config.clanCore.facts.services.sunshine.secret."sunshine.cert".path or ""
|
||||
}"
|
||||
"C '/var/lib/sunshine/sunshine.key' 0644 'user' 'users' - ${
|
||||
config.clanCore.secrets.sunshine.secrets."sunshine.key".path or ""
|
||||
config.clanCore.facts.services.sunshine.secret."sunshine.key".path or ""
|
||||
}"
|
||||
];
|
||||
|
||||
@ -117,8 +117,8 @@ in
|
||||
RestartSec = "5s";
|
||||
ReadWritePaths = [ "/var/lib/sunshine" ];
|
||||
ReadOnlyPaths = [
|
||||
(config.clanCore.secrets.sunshine.secrets."sunshine.key".path or "")
|
||||
(config.clanCore.secrets.sunshine.secrets."sunshine.cert".path or "")
|
||||
(config.clanCore.facts.services.sunshine.secret."sunshine.key".path or "")
|
||||
(config.clanCore.facts.services.sunshine.secret."sunshine.cert".path or "")
|
||||
];
|
||||
};
|
||||
wantedBy = [ "graphical-session.target" ];
|
||||
@ -137,7 +137,7 @@ in
|
||||
startLimitIntervalSec = 500;
|
||||
script = ''
|
||||
${ms-accept}/bin/moonlight-sunshine-accept sunshine init-state --uuid ${
|
||||
config.clanCore.secrets.sunshine.facts.sunshine-uuid.value or null
|
||||
config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null
|
||||
} --state-file /var/lib/sunshine/state.json
|
||||
'';
|
||||
serviceConfig = {
|
||||
@ -173,9 +173,9 @@ in
|
||||
startLimitIntervalSec = 500;
|
||||
script = ''
|
||||
${ms-accept}/bin/moonlight-sunshine-accept sunshine listen --port ${builtins.toString listenPort} --uuid ${
|
||||
config.clanCore.secrets.sunshine.facts.sunshine-uuid.value or null
|
||||
config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null
|
||||
} --state /var/lib/sunshine/state.json --cert '${
|
||||
config.clanCore.secrets.sunshine.facts."sunshine.cert".value or null
|
||||
config.clanCore.facts.services.sunshine.public."sunshine.cert".value or null
|
||||
}'
|
||||
'';
|
||||
serviceConfig = {
|
||||
@ -187,11 +187,11 @@ in
|
||||
wantedBy = [ "graphical-session.target" ];
|
||||
};
|
||||
|
||||
clanCore.secrets.sunshine = {
|
||||
secrets."sunshine.key" = { };
|
||||
secrets."sunshine.cert" = { };
|
||||
facts."sunshine-uuid" = { };
|
||||
facts."sunshine.cert" = { };
|
||||
clanCore.facts.services.sunshine = {
|
||||
secret."sunshine.key" = { };
|
||||
secret."sunshine.cert" = { };
|
||||
public."sunshine-uuid" = { };
|
||||
public."sunshine.cert" = { };
|
||||
generator.path = [
|
||||
pkgs.coreutils
|
||||
ms-accept
|
||||
|
||||
@ -9,7 +9,7 @@
|
||||
id = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS";
|
||||
default = config.clanCore.secrets.syncthing.facts."syncthing.pub".value or null;
|
||||
default = config.clanCore.facts.services.syncthing.public."syncthing.pub".value or null;
|
||||
};
|
||||
introducer = lib.mkOption {
|
||||
description = ''
|
||||
@ -112,7 +112,7 @@
|
||||
getPendingDevices = "/rest/cluster/pending/devices";
|
||||
postNewDevice = "/rest/config/devices";
|
||||
SharedFolderById = "/rest/config/folders/";
|
||||
apiKey = config.clanCore.secrets.syncthing.secrets."syncthing.api".path or null;
|
||||
apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;
|
||||
in
|
||||
lib.mkIf config.clan.syncthing.autoAcceptDevices {
|
||||
description = "Syncthing auto accept devices";
|
||||
@ -154,7 +154,7 @@
|
||||
|
||||
systemd.services.syncthing-init-api-key =
|
||||
let
|
||||
apiKey = config.clanCore.secrets.syncthing.secrets."syncthing.api".path or null;
|
||||
apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;
|
||||
in
|
||||
lib.mkIf config.clan.syncthing.autoAcceptDevices {
|
||||
description = "Set the api key";
|
||||
@ -176,11 +176,11 @@
|
||||
};
|
||||
};
|
||||
|
||||
clanCore.secrets.syncthing = {
|
||||
secrets."syncthing.key" = { };
|
||||
secrets."syncthing.cert" = { };
|
||||
secrets."syncthing.api" = { };
|
||||
facts."syncthing.pub" = { };
|
||||
clanCore.facts.services.syncthing = {
|
||||
secret."syncthing.key" = { };
|
||||
secret."syncthing.cert" = { };
|
||||
secret."syncthing.api" = { };
|
||||
public."syncthing.pub" = { };
|
||||
generator.path = [
|
||||
pkgs.coreutils
|
||||
pkgs.gnugrep
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
}:
|
||||
let
|
||||
cfg = config.clan.networking.zerotier;
|
||||
facts = config.clanCore.secrets.zerotier.facts or { };
|
||||
facts = config.clanCore.facts.services.zerotier.public or { };
|
||||
genMoonScript = pkgs.runCommand "genmoon" { nativeBuildInputs = [ pkgs.python3 ]; } ''
|
||||
install -Dm755 ${./genmoon.py} $out/bin/genmoon
|
||||
patchShebangs $out/bin/genmoon
|
||||
@ -112,7 +112,7 @@ in
|
||||
|
||||
systemd.services.zerotierone.serviceConfig.ExecStartPre = [
|
||||
"+${pkgs.writeShellScript "init-zerotier" ''
|
||||
cp ${config.clanCore.secrets.zerotier.secrets.zerotier-identity-secret.path} /var/lib/zerotier-one/identity.secret
|
||||
cp ${config.clanCore.facts.services.zerotier.secret.zerotier-identity-secret.path} /var/lib/zerotier-one/identity.secret
|
||||
zerotier-idtool getpublic /var/lib/zerotier-one/identity.secret > /var/lib/zerotier-one/identity.public
|
||||
|
||||
${lib.optionalString (cfg.controller.enable) ''
|
||||
@ -180,10 +180,10 @@ in
|
||||
(lib.mkIf cfg.controller.enable {
|
||||
# only the controller needs to have the key in the repo, the other clients can be dynamic
|
||||
# we generate the zerotier code manually for the controller, since it's part of the bootstrap command
|
||||
clanCore.secrets.zerotier = {
|
||||
facts.zerotier-ip = { };
|
||||
facts.zerotier-network-id = { };
|
||||
secrets.zerotier-identity-secret = { };
|
||||
clanCore.facts.services.zerotier = {
|
||||
public.zerotier-ip = { };
|
||||
public.zerotier-network-id = { };
|
||||
secret.zerotier-identity-secret = { };
|
||||
generator.path = [
|
||||
config.services.zerotierone.package
|
||||
pkgs.fakeroot
|
||||
@ -201,9 +201,9 @@ in
|
||||
environment.systemPackages = [ config.clanCore.clanPkgs.zerotier-members ];
|
||||
})
|
||||
(lib.mkIf (!cfg.controller.enable && cfg.networkId != null) {
|
||||
clanCore.secrets.zerotier = {
|
||||
facts.zerotier-ip = { };
|
||||
secrets.zerotier-identity-secret = { };
|
||||
clanCore.facts.services.zerotier = {
|
||||
public.zerotier-ip = { };
|
||||
secret.zerotier-identity-secret = { };
|
||||
generator.path = [
|
||||
config.services.zerotierone.package
|
||||
pkgs.python3
|
||||
|
||||
Loading…
Reference in New Issue
Block a user