From 65d116ec28c8cbb0b1f012c91701d31abde3aa61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 28 Mar 2024 10:30:37 +0100
Subject: [PATCH] migrate secrets to new api
---
 checks/matrix-synapse/default.nix | 2 +-
 checks/syncthing/default.nix | 2 +-
 clanModules/borgbackup.nix | 12 +++++------
 clanModules/matrix-synapse.nix | 6 +++---
 clanModules/moonlight.nix | 8 ++++----
 clanModules/sshd.nix | 8 ++++----
 clanModules/sunshine.nix | 24 +++++++++++-----------
 clanModules/syncthing.nix | 16 +++++++--------
 nixosModules/clanCore/zerotier/default.nix | 18 ++++++++--------
 9 files changed, 48 insertions(+), 48 deletions(-)
diff --git a/checks/matrix-synapse/default.nix b/checks/matrix-synapse/default.nix
index ec43209c..cb3c9482 100644
--- a/checks/matrix-synapse/default.nix
+++ b/checks/matrix-synapse/default.nix
@@ -19,7 +19,7 @@
 }
 {
 # secret override
- clanCore.secrets.matrix-synapse.secrets.synapse-registration_shared_secret.path = "${./synapse-registration_shared_secret}";
+ clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path = "${./synapse-registration_shared_secret}";
 services.nginx.virtualHosts."matrix.clan.test" = {
 enableACME = lib.mkForce false;
 forceSSL = lib.mkForce false;
diff --git a/checks/syncthing/default.nix b/checks/syncthing/default.nix
index cd9550e0..8341c9e0 100644
--- a/checks/syncthing/default.nix
+++ b/checks/syncthing/default.nix
@@ -19,7 +19,7 @@
 "syncthing.key".source = ./introducer/introducer_test_key;
 "syncthing.api".source = ./introducer/introducer_test_api;
 };
- clanCore.secrets.syncthing.secrets."syncthing.api".path = "/etc/syncthing.api";
+ clanCore.facts.services.syncthing.secret."syncthing.api".path = "/etc/syncthing.api";
 services.syncthing.cert = "/etc/syncthing.pam";
 services.syncthing.key = "/etc/syncthing.key";
 # Doesn't test zerotier!
diff --git a/clanModules/borgbackup.nix b/clanModules/borgbackup.nix
index dff05912..03d6e1c0 100644
--- a/clanModules/borgbackup.nix
+++ b/clanModules/borgbackup.nix
@@ -26,7 +26,7 @@ in
 rsh = lib.mkOption {
 type = lib.types.str;
 default = "ssh -i ${
- config.clanCore.secrets.borgbackup.secrets."borgbackup.ssh".path
+ config.clanCore.facts.services.borgbackup.secret."borgbackup.ssh".path
 } -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
 description = "the rsh to use for the backup";
 };
@@ -63,7 +63,7 @@ in
 encryption = {
 mode = "repokey";
- passCommand = "cat ${config.clanCore.secrets.borgbackup.secrets."borgbackup.repokey".path}";
+ passCommand = "cat ${config.clanCore.facts.services.borgbackup.secret."borgbackup.repokey".path}";
 };
 prune.keep = {
@@ -74,10 +74,10 @@ in
 };
 }) cfg.destinations;
- clanCore.secrets.borgbackup = {
- facts."borgbackup.ssh.pub" = { };
- secrets."borgbackup.ssh" = { };
- secrets."borgbackup.repokey" = { };
+ clanCore.facts.services.borgbackup = {
+ public."borgbackup.ssh.pub" = { };
+ secret."borgbackup.ssh" = { };
+ secret."borgbackup.repokey" = { };
 generator.path = [
 pkgs.openssh
 pkgs.coreutils
diff --git a/clanModules/matrix-synapse.nix b/clanModules/matrix-synapse.nix
index 161908be..f3611bb9 100644
--- a/clanModules/matrix-synapse.nix
+++ b/clanModules/matrix-synapse.nix
@@ -54,14 +54,14 @@ in
 systemd.services.matrix-synapse.serviceConfig.ExecStartPre = [
 "+${pkgs.writeScript "copy_registration_shared_secret" ''
 #!/bin/sh
- cp ${config.clanCore.secrets.matrix-synapse.secrets.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml
+ cp ${config.clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml
 chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/registration_shared_secret.yaml
 chmod 600 /var/lib/matrix-synapse/registration_shared_secret.yaml
 ''}"
 ];
- clanCore.secrets."matrix-synapse" = {
- secrets."synapse-registration_shared_secret" = { };
+ clanCore.facts.services."matrix-synapse" = {
+ secret."synapse-registration_shared_secret" = { };
 generator.path = with pkgs; [
 coreutils
 pwgen
diff --git a/clanModules/moonlight.nix b/clanModules/moonlight.nix
index 0b287ca0..35d74348 100644
--- a/clanModules/moonlight.nix
+++ b/clanModules/moonlight.nix
@@ -13,10 +13,10 @@ in
 systemd.tmpfiles.rules = [
 "d '/var/lib/moonlight' 0770 'user' 'users' - -"
 "C '/var/lib/moonlight/moonlight.cert' 0644 'user' 'users' - ${
- config.clanCore.secrets.moonlight.secrets."moonlight.cert".path or ""
+ config.clanCore.facts.services.moonlight.secret."moonlight.cert".path or ""
 }"
 "C '/var/lib/moonlight/moonlight.key' 0644 'user' 'users' - ${
- config.clanCore.secrets.moonlight.secrets."moonlight.key".path or ""
+ config.clanCore.facts.services.moonlight.secret."moonlight.key".path or ""
 }"
 ];
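Review bot: In the `@@ -13,10` hunk of clanModules/moonlight.nix the tmpfiles `C` rule that copies the private key into `/var/lib/moonlight/moonlight.key` keeps mode `0644`, so the copied key is readable by every local user even though the source secret path is presumably protected; the same pattern appears in the `@@ -97,10` hunk of clanModules/sunshine.nix for `sunshine.key`. The commit only renames the option path here, but since it touches exactly these lines it is the natural place to tighten the copy, e.g. `"C '/var/lib/moonlight/moonlight.key' 0600 'user' 'users' - ${`. A second, pre-existing point worth a comment: the `or ""` fallback makes a missing secret yield a `C` rule with an empty source, which fails silently at activation rather than at evaluation time; a note such as `# `or ""` keeps evaluation working before the secret is generated; the tmpfiles rule then fails at activation` would make that intent explicit. The surrounding `systemd.tmpfiles.rules` list starts inside the hunk but the enclosing module continues outside it.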
@@ -45,7 +45,7 @@ in
 systemd.user.services.moonlight-join = {
 description = "Join sunshine hosts";
 script = ''${ms-accept}/bin/moonlight-sunshine-accept moonlight join --port ${builtins.toString defaultPort} --cert '${
- config.clanCore.secrets.moonlight.facts."moonlight.cert".value or ""
+ config.clanCore.facts.services.moonlight.public."moonlight.cert".value or ""
 }' --host fd2e:25da:6035:c98f:cd99:93e0:b9b8:9ca1'';
 serviceConfig = {
 Type = "oneshot";
@@ -68,7 +68,7 @@ in
 };
 };
- clanCore.secrets.moonlight = {
+ clanCore.facts.services.moonlight = {
 secrets."moonlight.key" = { };
 secrets."moonlight.cert" = { };
 facts."moonlight.cert" = { };
diff --git a/clanModules/sshd.nix b/clanModules/sshd.nix
index df38078d..43211638 100644
--- a/clanModules/sshd.nix
+++ b/clanModules/sshd.nix
@@ -4,14 +4,14 @@
 services.openssh.hostKeys = [
 {
- path = config.clanCore.secrets.openssh.secrets."ssh.id_ed25519".path;
+ path = config.clanCore.facts.services.openssh.secret."ssh.id_ed25519".path;
 type = "ed25519";
 }
 ];
- clanCore.secrets.openssh = {
- secrets."ssh.id_ed25519" = { };
- facts."ssh.id_ed25519.pub" = { };
+ clanCore.facts.services.openssh = {
+ secret."ssh.id_ed25519" = { };
+ public."ssh.id_ed25519.pub" = { };
 generator.path = [
 pkgs.coreutils
 pkgs.openssh
diff --git a/clanModules/sunshine.nix b/clanModules/sunshine.nix
index 7198cb0d..f85813ad 100644
--- a/clanModules/sunshine.nix
+++ b/clanModules/sunshine.nix
@@ -97,10 +97,10 @@ in
 systemd.tmpfiles.rules = [
 "d '/var/lib/sunshine' 0770 'user' 'users' - -"
 "C '/var/lib/sunshine/sunshine.cert' 0644 'user' 'users' - ${
- config.clanCore.secrets.sunshine.secrets."sunshine.cert".path or ""
+ config.clanCore.facts.services.sunshine.secret."sunshine.cert".path or ""
 }"
 "C '/var/lib/sunshine/sunshine.key' 0644 'user' 'users' - ${
- config.clanCore.secrets.sunshine.secrets."sunshine.key".path or ""
+ config.clanCore.facts.services.sunshine.secret."sunshine.key".path or ""
 }"
 ];
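Review bot: The declaration in the `@@ -68,7` hunk of clanModules/moonlight.nix is only half migrated: the attribute set is renamed to `clanCore.facts.services.moonlight`, but the three entries inside it still use the old `secrets.`/`facts.` names, while the consumers in this same file (`.secret."moonlight.cert"`, `.secret."moonlight.key"`, `.public."moonlight.cert"` in the `@@ -13` and `@@ -45` hunks) and every other module in this patch use `secret`/`public`. Unless the new option still accepts the old names, nothing is declared under the path the consumers read, and because those reads end in `or ""` the failure is silent: the tmpfiles rules and the `moonlight-join` script resolve to empty paths instead of an evaluation error. The three context lines should become `secret."moonlight.key" = { };`, `secret."moonlight.cert" = { };` and `public."moonlight.cert" = { };`. The diffstat's 4 insertions and 4 deletions for this file are consistent with these lines having been skipped. The attribute set continues past the end of the hunk.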
@@ -117,8 +117,8 @@ in
 RestartSec = "5s";
 ReadWritePaths = [ "/var/lib/sunshine" ];
 ReadOnlyPaths = [
- (config.clanCore.secrets.sunshine.secrets."sunshine.key".path or "")
- (config.clanCore.secrets.sunshine.secrets."sunshine.cert".path or "")
+ (config.clanCore.facts.services.sunshine.secret."sunshine.key".path or "")
+ (config.clanCore.facts.services.sunshine.secret."sunshine.cert".path or "")
 ];
 };
 wantedBy = [ "graphical-session.target" ];
@@ -137,7 +137,7 @@ in
 startLimitIntervalSec = 500;
 script = ''
 ${ms-accept}/bin/moonlight-sunshine-accept sunshine init-state --uuid ${
- config.clanCore.secrets.sunshine.facts.sunshine-uuid.value or null
+ config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null
 } --state-file /var/lib/sunshine/state.json
 '';
 serviceConfig = {
@@ -173,9 +173,9 @@ in
 startLimitIntervalSec = 500;
 script = ''
 ${ms-accept}/bin/moonlight-sunshine-accept sunshine listen --port ${builtins.toString listenPort} --uuid ${
- config.clanCore.secrets.sunshine.facts.sunshine-uuid.value or null
+ config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null
 } --state /var/lib/sunshine/state.json --cert '${
- config.clanCore.secrets.sunshine.facts."sunshine.cert".value or null
+ config.clanCore.facts.services.sunshine.public."sunshine.cert".value or null
 }'
 '';
 serviceConfig = {
@@ -187,11 +187,11 @@ in
 wantedBy = [ "graphical-session.target" ];
 };
- clanCore.secrets.sunshine = {
- secrets."sunshine.key" = { };
- secrets."sunshine.cert" = { };
- facts."sunshine-uuid" = { };
- facts."sunshine.cert" = { };
+ clanCore.facts.services.sunshine = {
+ secret."sunshine.key" = { };
+ secret."sunshine.cert" = { };
+ public."sunshine-uuid" = { };
+ public."sunshine.cert" = { };
 generator.path = [
 pkgs.coreutils
 ms-accept
diff --git a/clanModules/syncthing.nix b/clanModules/syncthing.nix
index bf73dcf0..7dbadaab 100644
--- a/clanModules/syncthing.nix
+++ b/clanModules/syncthing.nix
@@ -9,7 +9,7 @@
 id = lib.mkOption {
 type = lib.types.nullOr lib.types.str;
 example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS";
- default = config.clanCore.secrets.syncthing.facts."syncthing.pub".value or null;
+ default = config.clanCore.facts.services.syncthing.public."syncthing.pub".value or null;
 };
 introducer = lib.mkOption {
 description = ''
@@ -112,7 +112,7 @@
 getPendingDevices = "/rest/cluster/pending/devices";
 postNewDevice = "/rest/config/devices";
 SharedFolderById = "/rest/config/folders/";
- apiKey = config.clanCore.secrets.syncthing.secrets."syncthing.api".path or null;
+ apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;
 in
 lib.mkIf config.clan.syncthing.autoAcceptDevices {
 description = "Syncthing auto accept devices";
@@ -154,7 +154,7 @@
 systemd.services.syncthing-init-api-key =
 let
- apiKey = config.clanCore.secrets.syncthing.secrets."syncthing.api".path or null;
+ apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;
 in
 lib.mkIf config.clan.syncthing.autoAcceptDevices {
 description = "Set the api key";
@@ -176,11 +176,11 @@
 };
 };
- clanCore.secrets.syncthing = {
- secrets."syncthing.key" = { };
- secrets."syncthing.cert" = { };
- secrets."syncthing.api" = { };
- facts."syncthing.pub" = { };
+ clanCore.facts.services.syncthing = {
+ secret."syncthing.key" = { };
+ secret."syncthing.cert" = { };
+ secret."syncthing.api" = { };
+ public."syncthing.pub" = { };
 generator.path = [
 pkgs.coreutils
 pkgs.gnugrep
diff --git a/nixosModules/clanCore/zerotier/default.nix b/nixosModules/clanCore/zerotier/default.nix
index 726d4c52..c89e7460 100644
--- a/nixosModules/clanCore/zerotier/default.nix
+++ b/nixosModules/clanCore/zerotier/default.nix
@@ -6,7 +6,7 @@
 }:
 let
 cfg = config.clan.networking.zerotier;
- facts = config.clanCore.secrets.zerotier.facts or { };
+ facts = config.clanCore.facts.services.zerotier.public or { };
 genMoonScript = pkgs.runCommand "genmoon" { nativeBuildInputs = [ pkgs.python3 ]; } ''
 install -Dm755 ${./genmoon.py} $out/bin/genmoon
 patchShebangs $out/bin/genmoon
@@ -112,7 +112,7 @@ in
 systemd.services.zerotierone.serviceConfig.ExecStartPre = [
 "+${pkgs.writeShellScript "init-zerotier" ''
- cp ${config.clanCore.secrets.zerotier.secrets.zerotier-identity-secret.path} /var/lib/zerotier-one/identity.secret
+ cp ${config.clanCore.facts.services.zerotier.secret.zerotier-identity-secret.path} /var/lib/zerotier-one/identity.secret
 zerotier-idtool getpublic /var/lib/zerotier-one/identity.secret > /var/lib/zerotier-one/identity.public
 ${lib.optionalString (cfg.controller.enable) ''
@@ -180,10 +180,10 @@ in
 (lib.mkIf cfg.controller.enable {
 # only the controller needs to have the key in the repo, the other clients can be dynamic
 # we generate the zerotier code manually for the controller, since it's part of the bootstrap command
- clanCore.secrets.zerotier = {
- facts.zerotier-ip = { };
- facts.zerotier-network-id = { };
- secrets.zerotier-identity-secret = { };
+ clanCore.facts.services.zerotier = {
+ public.zerotier-ip = { };
+ public.zerotier-network-id = { };
+ secret.zerotier-identity-secret = { };
 generator.path = [
 config.services.zerotierone.package
 pkgs.fakeroot
@@ -201,9 +201,9 @@ in
 environment.systemPackages = [ config.clanCore.clanPkgs.zerotier-members ];
 })
 (lib.mkIf (!cfg.controller.enable && cfg.networkId != null) {
- clanCore.secrets.zerotier = {
- facts.zerotier-ip = { };
- secrets.zerotier-identity-secret = { };
+ clanCore.facts.services.zerotier = {
+ public.zerotier-ip = { };
+ secret.zerotier-identity-secret = { };
 generator.path = [
 config.services.zerotierone.package
 pkgs.python3
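Review bot: In the `@@ -112,7` hunk of nixosModules/clanCore/zerotier/default.nix the `init-zerotier` pre-start script copies the identity secret into `/var/lib/zerotier-one/identity.secret` with a bare `cp`, so the copy inherits whatever mode and owner the default umask and the `+` (root) prefix give it; the matrix-synapse hunk in this same patch follows its `cp` with explicit `chown` and `chmod 600`, and the same treatment here would keep the two secret-copy scripts consistent, e.g. `chmod 600 /var/lib/zerotier-one/identity.secret` after the `cp`. This is pre-existing rather than introduced by the rename, but the commit touches the line and the hunk is the natural place to fix it. The shell script and the `ExecStartPre` list continue past the end of the hunk, so I cannot see whether a later line already tightens the permissions.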