migrate secrets to new api
All checks were successful
checks / check-links (pull_request) Successful in 14s
checks / checks-impure (pull_request) Successful in 1m48s
checks / checks (pull_request) Successful in 3m35s

This commit is contained in:
Jörg Thalheim 2024-03-28 10:30:37 +01:00
parent a8d35d37e7
commit 65d116ec28
9 changed files with 48 additions and 48 deletions

View File

@ -19,7 +19,7 @@
}
{
# secret override
clanCore.secrets.matrix-synapse.secrets.synapse-registration_shared_secret.path = "${./synapse-registration_shared_secret}";
clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path = "${./synapse-registration_shared_secret}";
services.nginx.virtualHosts."matrix.clan.test" = {
enableACME = lib.mkForce false;
forceSSL = lib.mkForce false;

View File

@ -19,7 +19,7 @@
"syncthing.key".source = ./introducer/introducer_test_key;
"syncthing.api".source = ./introducer/introducer_test_api;
};
clanCore.secrets.syncthing.secrets."syncthing.api".path = "/etc/syncthing.api";
clanCore.facts.services.syncthing.secret."syncthing.api".path = "/etc/syncthing.api";
services.syncthing.cert = "/etc/syncthing.pam";
services.syncthing.key = "/etc/syncthing.key";
# Doesn't test zerotier!

View File

@ -26,7 +26,7 @@ in
rsh = lib.mkOption {
type = lib.types.str;
default = "ssh -i ${
config.clanCore.secrets.borgbackup.secrets."borgbackup.ssh".path
config.clanCore.facts.services.borgbackup.secret."borgbackup.ssh".path
} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
description = "the rsh to use for the backup";
};
@ -63,7 +63,7 @@ in
encryption = {
mode = "repokey";
passCommand = "cat ${config.clanCore.secrets.borgbackup.secrets."borgbackup.repokey".path}";
passCommand = "cat ${config.clanCore.facts.services.borgbackup.secret."borgbackup.repokey".path}";
};
prune.keep = {
@ -74,10 +74,10 @@ in
};
}) cfg.destinations;
clanCore.secrets.borgbackup = {
facts."borgbackup.ssh.pub" = { };
secrets."borgbackup.ssh" = { };
secrets."borgbackup.repokey" = { };
clanCore.facts.services.borgbackup = {
public."borgbackup.ssh.pub" = { };
secret."borgbackup.ssh" = { };
secret."borgbackup.repokey" = { };
generator.path = [
pkgs.openssh
pkgs.coreutils

View File

@ -54,14 +54,14 @@ in
systemd.services.matrix-synapse.serviceConfig.ExecStartPre = [
"+${pkgs.writeScript "copy_registration_shared_secret" ''
#!/bin/sh
cp ${config.clanCore.secrets.matrix-synapse.secrets.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml
cp ${config.clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml
chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/registration_shared_secret.yaml
chmod 600 /var/lib/matrix-synapse/registration_shared_secret.yaml
''}"
];
clanCore.secrets."matrix-synapse" = {
secrets."synapse-registration_shared_secret" = { };
clanCore.facts.services."matrix-synapse" = {
secret."synapse-registration_shared_secret" = { };
generator.path = with pkgs; [
coreutils
pwgen

View File

@ -13,10 +13,10 @@ in
systemd.tmpfiles.rules = [
"d '/var/lib/moonlight' 0770 'user' 'users' - -"
"C '/var/lib/moonlight/moonlight.cert' 0644 'user' 'users' - ${
config.clanCore.secrets.moonlight.secrets."moonlight.cert".path or ""
config.clanCore.facts.services.moonlight.secret."moonlight.cert".path or ""
}"
"C '/var/lib/moonlight/moonlight.key' 0644 'user' 'users' - ${
config.clanCore.secrets.moonlight.secrets."moonlight.key".path or ""
config.clanCore.facts.services.moonlight.secret."moonlight.key".path or ""
}"
];
@ -45,7 +45,7 @@ in
systemd.user.services.moonlight-join = {
description = "Join sunshine hosts";
script = ''${ms-accept}/bin/moonlight-sunshine-accept moonlight join --port ${builtins.toString defaultPort} --cert '${
config.clanCore.secrets.moonlight.facts."moonlight.cert".value or ""
config.clanCore.facts.services.moonlight.public."moonlight.cert".value or ""
}' --host fd2e:25da:6035:c98f:cd99:93e0:b9b8:9ca1'';
serviceConfig = {
Type = "oneshot";
@ -68,7 +68,7 @@ in
};
};
clanCore.secrets.moonlight = {
clanCore.facts.services.moonlight = {
secrets."moonlight.key" = { };
secrets."moonlight.cert" = { };
facts."moonlight.cert" = { };

View File

@ -4,14 +4,14 @@
services.openssh.hostKeys = [
{
path = config.clanCore.secrets.openssh.secrets."ssh.id_ed25519".path;
path = config.clanCore.facts.services.openssh.secret."ssh.id_ed25519".path;
type = "ed25519";
}
];
clanCore.secrets.openssh = {
secrets."ssh.id_ed25519" = { };
facts."ssh.id_ed25519.pub" = { };
clanCore.facts.services.openssh = {
secret."ssh.id_ed25519" = { };
public."ssh.id_ed25519.pub" = { };
generator.path = [
pkgs.coreutils
pkgs.openssh

View File

@ -97,10 +97,10 @@ in
systemd.tmpfiles.rules = [
"d '/var/lib/sunshine' 0770 'user' 'users' - -"
"C '/var/lib/sunshine/sunshine.cert' 0644 'user' 'users' - ${
config.clanCore.secrets.sunshine.secrets."sunshine.cert".path or ""
config.clanCore.facts.services.sunshine.secret."sunshine.cert".path or ""
}"
"C '/var/lib/sunshine/sunshine.key' 0644 'user' 'users' - ${
config.clanCore.secrets.sunshine.secrets."sunshine.key".path or ""
config.clanCore.facts.services.sunshine.secret."sunshine.key".path or ""
}"
];
@ -117,8 +117,8 @@ in
RestartSec = "5s";
ReadWritePaths = [ "/var/lib/sunshine" ];
ReadOnlyPaths = [
(config.clanCore.secrets.sunshine.secrets."sunshine.key".path or "")
(config.clanCore.secrets.sunshine.secrets."sunshine.cert".path or "")
(config.clanCore.facts.services.sunshine.secret."sunshine.key".path or "")
(config.clanCore.facts.services.sunshine.secret."sunshine.cert".path or "")
];
};
wantedBy = [ "graphical-session.target" ];
@ -137,7 +137,7 @@ in
startLimitIntervalSec = 500;
script = ''
${ms-accept}/bin/moonlight-sunshine-accept sunshine init-state --uuid ${
config.clanCore.secrets.sunshine.facts.sunshine-uuid.value or null
config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null
} --state-file /var/lib/sunshine/state.json
'';
serviceConfig = {
@ -173,9 +173,9 @@ in
startLimitIntervalSec = 500;
script = ''
${ms-accept}/bin/moonlight-sunshine-accept sunshine listen --port ${builtins.toString listenPort} --uuid ${
config.clanCore.secrets.sunshine.facts.sunshine-uuid.value or null
config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null
} --state /var/lib/sunshine/state.json --cert '${
config.clanCore.secrets.sunshine.facts."sunshine.cert".value or null
config.clanCore.facts.services.sunshine.public."sunshine.cert".value or null
}'
'';
serviceConfig = {
@ -187,11 +187,11 @@ in
wantedBy = [ "graphical-session.target" ];
};
clanCore.secrets.sunshine = {
secrets."sunshine.key" = { };
secrets."sunshine.cert" = { };
facts."sunshine-uuid" = { };
facts."sunshine.cert" = { };
clanCore.facts.services.sunshine = {
secret."sunshine.key" = { };
secret."sunshine.cert" = { };
public."sunshine-uuid" = { };
public."sunshine.cert" = { };
generator.path = [
pkgs.coreutils
ms-accept

View File

@ -9,7 +9,7 @@
id = lib.mkOption {
type = lib.types.nullOr lib.types.str;
example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS";
default = config.clanCore.secrets.syncthing.facts."syncthing.pub".value or null;
default = config.clanCore.facts.services.syncthing.public."syncthing.pub".value or null;
};
introducer = lib.mkOption {
description = ''
@ -112,7 +112,7 @@
getPendingDevices = "/rest/cluster/pending/devices";
postNewDevice = "/rest/config/devices";
SharedFolderById = "/rest/config/folders/";
apiKey = config.clanCore.secrets.syncthing.secrets."syncthing.api".path or null;
apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;
in
lib.mkIf config.clan.syncthing.autoAcceptDevices {
description = "Syncthing auto accept devices";
@ -154,7 +154,7 @@
systemd.services.syncthing-init-api-key =
let
apiKey = config.clanCore.secrets.syncthing.secrets."syncthing.api".path or null;
apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;
in
lib.mkIf config.clan.syncthing.autoAcceptDevices {
description = "Set the api key";
@ -176,11 +176,11 @@
};
};
clanCore.secrets.syncthing = {
secrets."syncthing.key" = { };
secrets."syncthing.cert" = { };
secrets."syncthing.api" = { };
facts."syncthing.pub" = { };
clanCore.facts.services.syncthing = {
secret."syncthing.key" = { };
secret."syncthing.cert" = { };
secret."syncthing.api" = { };
public."syncthing.pub" = { };
generator.path = [
pkgs.coreutils
pkgs.gnugrep

View File

@ -6,7 +6,7 @@
}:
let
cfg = config.clan.networking.zerotier;
facts = config.clanCore.secrets.zerotier.facts or { };
facts = config.clanCore.facts.services.zerotier.public or { };
genMoonScript = pkgs.runCommand "genmoon" { nativeBuildInputs = [ pkgs.python3 ]; } ''
install -Dm755 ${./genmoon.py} $out/bin/genmoon
patchShebangs $out/bin/genmoon
@ -112,7 +112,7 @@ in
systemd.services.zerotierone.serviceConfig.ExecStartPre = [
"+${pkgs.writeShellScript "init-zerotier" ''
cp ${config.clanCore.secrets.zerotier.secrets.zerotier-identity-secret.path} /var/lib/zerotier-one/identity.secret
cp ${config.clanCore.facts.services.zerotier.secret.zerotier-identity-secret.path} /var/lib/zerotier-one/identity.secret
zerotier-idtool getpublic /var/lib/zerotier-one/identity.secret > /var/lib/zerotier-one/identity.public
${lib.optionalString (cfg.controller.enable) ''
@ -180,10 +180,10 @@ in
(lib.mkIf cfg.controller.enable {
# only the controller needs to have the key in the repo, the other clients can be dynamic
# we generate the zerotier code manually for the controller, since it's part of the bootstrap command
clanCore.secrets.zerotier = {
facts.zerotier-ip = { };
facts.zerotier-network-id = { };
secrets.zerotier-identity-secret = { };
clanCore.facts.services.zerotier = {
public.zerotier-ip = { };
public.zerotier-network-id = { };
secret.zerotier-identity-secret = { };
generator.path = [
config.services.zerotierone.package
pkgs.fakeroot
@ -201,9 +201,9 @@ in
environment.systemPackages = [ config.clanCore.clanPkgs.zerotier-members ];
})
(lib.mkIf (!cfg.controller.enable && cfg.networkId != null) {
clanCore.secrets.zerotier = {
facts.zerotier-ip = { };
secrets.zerotier-identity-secret = { };
clanCore.facts.services.zerotier = {
public.zerotier-ip = { };
secret.zerotier-identity-secret = { };
generator.path = [
config.services.zerotierone.package
pkgs.python3