migrate secrets to new api

This commit is contained in:
Jörg Thalheim 2024-03-28 10:30:37 +01:00
parent a8d35d37e7
commit 65d116ec28
9 changed files with 48 additions and 48 deletions


@ -19,7 +19,7 @@
} }
{ {
# secret override # secret override
clanCore.secrets.matrix-synapse.secrets.synapse-registration_shared_secret.path = "${./synapse-registration_shared_secret}"; clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path = "${./synapse-registration_shared_secret}";
services.nginx.virtualHosts."matrix.clan.test" = { services.nginx.virtualHosts."matrix.clan.test" = {
enableACME = lib.mkForce false; enableACME = lib.mkForce false;
forceSSL = lib.mkForce false; forceSSL = lib.mkForce false;


@ -19,7 +19,7 @@
"syncthing.key".source = ./introducer/introducer_test_key; "syncthing.key".source = ./introducer/introducer_test_key;
"syncthing.api".source = ./introducer/introducer_test_api; "syncthing.api".source = ./introducer/introducer_test_api;
}; };
clanCore.secrets.syncthing.secrets."syncthing.api".path = "/etc/syncthing.api"; clanCore.facts.services.syncthing.secret."syncthing.api".path = "/etc/syncthing.api";
services.syncthing.cert = "/etc/syncthing.pam"; services.syncthing.cert = "/etc/syncthing.pam";
services.syncthing.key = "/etc/syncthing.key"; services.syncthing.key = "/etc/syncthing.key";
# Doesn't test zerotier! # Doesn't test zerotier!


@ -26,7 +26,7 @@ in
rsh = lib.mkOption { rsh = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "ssh -i ${ default = "ssh -i ${
config.clanCore.secrets.borgbackup.secrets."borgbackup.ssh".path config.clanCore.facts.services.borgbackup.secret."borgbackup.ssh".path
} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"; } -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
description = "the rsh to use for the backup"; description = "the rsh to use for the backup";
}; };
@ -63,7 +63,7 @@ in
encryption = { encryption = {
mode = "repokey"; mode = "repokey";
passCommand = "cat ${config.clanCore.secrets.borgbackup.secrets."borgbackup.repokey".path}"; passCommand = "cat ${config.clanCore.facts.services.borgbackup.secret."borgbackup.repokey".path}";
}; };
prune.keep = { prune.keep = {
@ -74,10 +74,10 @@ in
}; };
}) cfg.destinations; }) cfg.destinations;
clanCore.secrets.borgbackup = { clanCore.facts.services.borgbackup = {
facts."borgbackup.ssh.pub" = { }; public."borgbackup.ssh.pub" = { };
secrets."borgbackup.ssh" = { }; secret."borgbackup.ssh" = { };
secrets."borgbackup.repokey" = { }; secret."borgbackup.repokey" = { };
generator.path = [ generator.path = [
pkgs.openssh pkgs.openssh
pkgs.coreutils pkgs.coreutils
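Review bot: The migrated `rsh` default on the new side of the first hunk still passes `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, so the backup transport connects to any host key and discards what it learns, and the option description says nothing about that. Since the path rewrite touches this default anyway, the description is the place to record it: `description = "the rsh to use for the backup; the default disables SSH host-key verification, override it to pin the backup host's key";`. The `lib.mkOption` block is complete inside the hunk, but the surrounding module definition starts outside it.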


@ -54,14 +54,14 @@ in
systemd.services.matrix-synapse.serviceConfig.ExecStartPre = [ systemd.services.matrix-synapse.serviceConfig.ExecStartPre = [
"+${pkgs.writeScript "copy_registration_shared_secret" '' "+${pkgs.writeScript "copy_registration_shared_secret" ''
#!/bin/sh #!/bin/sh
cp ${config.clanCore.secrets.matrix-synapse.secrets.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml cp ${config.clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml
chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/registration_shared_secret.yaml chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/registration_shared_secret.yaml
chmod 600 /var/lib/matrix-synapse/registration_shared_secret.yaml chmod 600 /var/lib/matrix-synapse/registration_shared_secret.yaml
''}" ''}"
]; ];
clanCore.secrets."matrix-synapse" = { clanCore.facts.services."matrix-synapse" = {
secrets."synapse-registration_shared_secret" = { }; secret."synapse-registration_shared_secret" = { };
generator.path = with pkgs; [ generator.path = with pkgs; [
coreutils coreutils
pwgen pwgen
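Review bot: The rewritten `cp` in the `copy_registration_shared_secret` script writes the secret first and only then runs `chown`/`chmod`, so the destination briefly exists with whatever mode `cp` derives from the source and the umask before it is tightened to 600; whether the source is already restrictive is not visible here. A single `install -m 600 -o matrix-synapse -g matrix-synapse ${config.clanCore.facts.services.matrix-synapse.secret.synapse-registration_shared_secret.path} /var/lib/matrix-synapse/registration_shared_secret.yaml` creates the file with its final owner and mode in one step and replaces the three lines, using the same coreutils the script already relies on. The `writeScript` body is complete within the hunk; the enclosing module starts outside it.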


@ -13,10 +13,10 @@ in
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '/var/lib/moonlight' 0770 'user' 'users' - -" "d '/var/lib/moonlight' 0770 'user' 'users' - -"
"C '/var/lib/moonlight/moonlight.cert' 0644 'user' 'users' - ${ "C '/var/lib/moonlight/moonlight.cert' 0644 'user' 'users' - ${
config.clanCore.secrets.moonlight.secrets."moonlight.cert".path or "" config.clanCore.facts.services.moonlight.secret."moonlight.cert".path or ""
}" }"
"C '/var/lib/moonlight/moonlight.key' 0644 'user' 'users' - ${ "C '/var/lib/moonlight/moonlight.key' 0644 'user' 'users' - ${
config.clanCore.secrets.moonlight.secrets."moonlight.key".path or "" config.clanCore.facts.services.moonlight.secret."moonlight.key".path or ""
}" }"
]; ];
@ -45,7 +45,7 @@ in
systemd.user.services.moonlight-join = { systemd.user.services.moonlight-join = {
description = "Join sunshine hosts"; description = "Join sunshine hosts";
script = ''${ms-accept}/bin/moonlight-sunshine-accept moonlight join --port ${builtins.toString defaultPort} --cert '${ script = ''${ms-accept}/bin/moonlight-sunshine-accept moonlight join --port ${builtins.toString defaultPort} --cert '${
config.clanCore.secrets.moonlight.facts."moonlight.cert".value or "" config.clanCore.facts.services.moonlight.public."moonlight.cert".value or ""
}' --host fd2e:25da:6035:c98f:cd99:93e0:b9b8:9ca1''; }' --host fd2e:25da:6035:c98f:cd99:93e0:b9b8:9ca1'';
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@ -68,7 +68,7 @@ in
}; };
}; };
clanCore.secrets.moonlight = { clanCore.facts.services.moonlight = {
secrets."moonlight.key" = { }; secrets."moonlight.key" = { };
secrets."moonlight.cert" = { }; secrets."moonlight.cert" = { };
facts."moonlight.cert" = { }; facts."moonlight.cert" = { };
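Review bot: The declaration in the last hunk is only half migrated: `clanCore.facts.services.moonlight` is the new name, but its members still read `secrets."moonlight.key"`, `secrets."moonlight.cert"` and `facts."moonlight.cert"`, whereas every other file in this commit (borgbackup, openssh, sunshine, syncthing, zerotier) renames them to `secret.`/`public.`, and the consumers earlier in this same file already read `.secret."moonlight.cert".path` and `.public."moonlight.cert".value`. Depending on how strictly the new option type is declared this either fails evaluation or silently declares nothing, and the `or ""` fallbacks on the consumer lines would then hide the missing paths. The three lines should become `secret."moonlight.key" = { };`, `secret."moonlight.cert" = { };` and `public."moonlight.cert" = { };`. The attribute set continues past the hunk (generator and the rest), so check for further `secrets.`/`facts.` members below it. Separately, the tmpfiles rule in the first hunk installs `moonlight.key` with mode 0644 inside the 0770 directory, so any member of `users` can read the private key; `0600` keeps the directory's protection as a second layer, and the same applies to `sunshine.key` in the sunshine module.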


@ -4,14 +4,14 @@
services.openssh.hostKeys = [ services.openssh.hostKeys = [
{ {
path = config.clanCore.secrets.openssh.secrets."ssh.id_ed25519".path; path = config.clanCore.facts.services.openssh.secret."ssh.id_ed25519".path;
type = "ed25519"; type = "ed25519";
} }
]; ];
clanCore.secrets.openssh = { clanCore.facts.services.openssh = {
secrets."ssh.id_ed25519" = { }; secret."ssh.id_ed25519" = { };
facts."ssh.id_ed25519.pub" = { }; public."ssh.id_ed25519.pub" = { };
generator.path = [ generator.path = [
pkgs.coreutils pkgs.coreutils
pkgs.openssh pkgs.openssh


@ -97,10 +97,10 @@ in
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '/var/lib/sunshine' 0770 'user' 'users' - -" "d '/var/lib/sunshine' 0770 'user' 'users' - -"
"C '/var/lib/sunshine/sunshine.cert' 0644 'user' 'users' - ${ "C '/var/lib/sunshine/sunshine.cert' 0644 'user' 'users' - ${
config.clanCore.secrets.sunshine.secrets."sunshine.cert".path or "" config.clanCore.facts.services.sunshine.secret."sunshine.cert".path or ""
}" }"
"C '/var/lib/sunshine/sunshine.key' 0644 'user' 'users' - ${ "C '/var/lib/sunshine/sunshine.key' 0644 'user' 'users' - ${
config.clanCore.secrets.sunshine.secrets."sunshine.key".path or "" config.clanCore.facts.services.sunshine.secret."sunshine.key".path or ""
}" }"
]; ];
@ -117,8 +117,8 @@ in
RestartSec = "5s"; RestartSec = "5s";
ReadWritePaths = [ "/var/lib/sunshine" ]; ReadWritePaths = [ "/var/lib/sunshine" ];
ReadOnlyPaths = [ ReadOnlyPaths = [
(config.clanCore.secrets.sunshine.secrets."sunshine.key".path or "") (config.clanCore.facts.services.sunshine.secret."sunshine.key".path or "")
(config.clanCore.secrets.sunshine.secrets."sunshine.cert".path or "") (config.clanCore.facts.services.sunshine.secret."sunshine.cert".path or "")
]; ];
}; };
wantedBy = [ "graphical-session.target" ]; wantedBy = [ "graphical-session.target" ];
@ -137,7 +137,7 @@ in
startLimitIntervalSec = 500; startLimitIntervalSec = 500;
script = '' script = ''
${ms-accept}/bin/moonlight-sunshine-accept sunshine init-state --uuid ${ ${ms-accept}/bin/moonlight-sunshine-accept sunshine init-state --uuid ${
config.clanCore.secrets.sunshine.facts.sunshine-uuid.value or null config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null
} --state-file /var/lib/sunshine/state.json } --state-file /var/lib/sunshine/state.json
''; '';
serviceConfig = { serviceConfig = {
@ -173,9 +173,9 @@ in
startLimitIntervalSec = 500; startLimitIntervalSec = 500;
script = '' script = ''
${ms-accept}/bin/moonlight-sunshine-accept sunshine listen --port ${builtins.toString listenPort} --uuid ${ ${ms-accept}/bin/moonlight-sunshine-accept sunshine listen --port ${builtins.toString listenPort} --uuid ${
config.clanCore.secrets.sunshine.facts.sunshine-uuid.value or null config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null
} --state /var/lib/sunshine/state.json --cert '${ } --state /var/lib/sunshine/state.json --cert '${
config.clanCore.secrets.sunshine.facts."sunshine.cert".value or null config.clanCore.facts.services.sunshine.public."sunshine.cert".value or null
}' }'
''; '';
serviceConfig = { serviceConfig = {
@ -187,11 +187,11 @@ in
wantedBy = [ "graphical-session.target" ]; wantedBy = [ "graphical-session.target" ];
}; };
clanCore.secrets.sunshine = { clanCore.facts.services.sunshine = {
secrets."sunshine.key" = { }; secret."sunshine.key" = { };
secrets."sunshine.cert" = { }; secret."sunshine.cert" = { };
facts."sunshine-uuid" = { }; public."sunshine-uuid" = { };
facts."sunshine.cert" = { }; public."sunshine.cert" = { };
generator.path = [ generator.path = [
pkgs.coreutils pkgs.coreutils
ms-accept ms-accept
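Review bot: The `or null` fallbacks that the commit carries over into the `--uuid` and `--cert` interpolations (`config.clanCore.facts.services.sunshine.public.sunshine-uuid.value or null` and the `"sunshine.cert".value or null` line) give no graceful default, because Nix refuses to interpolate `null` into a string, so a missing public fact still aborts evaluation, only with a coercion error instead of a message naming the fact. The tmpfiles hunk in the same file uses `or ""` for the same purpose; either use that consistently or, better, drop the fallback so the missing-attribute error points at the absent fact. Both `script = ''…''` bodies are complete inside their hunks, while the surrounding service definitions start outside them.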


@ -9,7 +9,7 @@
id = lib.mkOption { id = lib.mkOption {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS"; example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS";
default = config.clanCore.secrets.syncthing.facts."syncthing.pub".value or null; default = config.clanCore.facts.services.syncthing.public."syncthing.pub".value or null;
}; };
introducer = lib.mkOption { introducer = lib.mkOption {
description = '' description = ''
@ -112,7 +112,7 @@
getPendingDevices = "/rest/cluster/pending/devices"; getPendingDevices = "/rest/cluster/pending/devices";
postNewDevice = "/rest/config/devices"; postNewDevice = "/rest/config/devices";
SharedFolderById = "/rest/config/folders/"; SharedFolderById = "/rest/config/folders/";
apiKey = config.clanCore.secrets.syncthing.secrets."syncthing.api".path or null; apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;
in in
lib.mkIf config.clan.syncthing.autoAcceptDevices { lib.mkIf config.clan.syncthing.autoAcceptDevices {
description = "Syncthing auto accept devices"; description = "Syncthing auto accept devices";
@ -154,7 +154,7 @@
systemd.services.syncthing-init-api-key = systemd.services.syncthing-init-api-key =
let let
apiKey = config.clanCore.secrets.syncthing.secrets."syncthing.api".path or null; apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;
in in
lib.mkIf config.clan.syncthing.autoAcceptDevices { lib.mkIf config.clan.syncthing.autoAcceptDevices {
description = "Set the api key"; description = "Set the api key";
@ -176,11 +176,11 @@
}; };
}; };
clanCore.secrets.syncthing = { clanCore.facts.services.syncthing = {
secrets."syncthing.key" = { }; secret."syncthing.key" = { };
secrets."syncthing.cert" = { }; secret."syncthing.cert" = { };
secrets."syncthing.api" = { }; secret."syncthing.api" = { };
facts."syncthing.pub" = { }; public."syncthing.pub" = { };
generator.path = [ generator.path = [
pkgs.coreutils pkgs.coreutils
pkgs.gnugrep pkgs.gnugrep
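Review bot: The identical `apiKey = config.clanCore.facts.services.syncthing.secret."syncthing.api".path or null;` binding now appears twice, in the `let` of the auto-accept service and again in `syncthing-init-api-key`, and the commit had to rewrite both. A single binding in an outer `let` shared by the two services would have made this a one-line change and keeps the two units from drifting apart the next time the fact layout moves. Both `let` blocks are cut by their hunks, so the services' full bodies are not visible here.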


@ -6,7 +6,7 @@
}: }:
let let
cfg = config.clan.networking.zerotier; cfg = config.clan.networking.zerotier;
facts = config.clanCore.secrets.zerotier.facts or { }; facts = config.clanCore.facts.services.zerotier.public or { };
genMoonScript = pkgs.runCommand "genmoon" { nativeBuildInputs = [ pkgs.python3 ]; } '' genMoonScript = pkgs.runCommand "genmoon" { nativeBuildInputs = [ pkgs.python3 ]; } ''
install -Dm755 ${./genmoon.py} $out/bin/genmoon install -Dm755 ${./genmoon.py} $out/bin/genmoon
patchShebangs $out/bin/genmoon patchShebangs $out/bin/genmoon
@ -112,7 +112,7 @@ in
systemd.services.zerotierone.serviceConfig.ExecStartPre = [ systemd.services.zerotierone.serviceConfig.ExecStartPre = [
"+${pkgs.writeShellScript "init-zerotier" '' "+${pkgs.writeShellScript "init-zerotier" ''
cp ${config.clanCore.secrets.zerotier.secrets.zerotier-identity-secret.path} /var/lib/zerotier-one/identity.secret cp ${config.clanCore.facts.services.zerotier.secret.zerotier-identity-secret.path} /var/lib/zerotier-one/identity.secret
zerotier-idtool getpublic /var/lib/zerotier-one/identity.secret > /var/lib/zerotier-one/identity.public zerotier-idtool getpublic /var/lib/zerotier-one/identity.secret > /var/lib/zerotier-one/identity.public
${lib.optionalString (cfg.controller.enable) '' ${lib.optionalString (cfg.controller.enable) ''
@ -180,10 +180,10 @@ in
(lib.mkIf cfg.controller.enable { (lib.mkIf cfg.controller.enable {
# only the controller needs to have the key in the repo, the other clients can be dynamic # only the controller needs to have the key in the repo, the other clients can be dynamic
# we generate the zerotier code manually for the controller, since it's part of the bootstrap command # we generate the zerotier code manually for the controller, since it's part of the bootstrap command
clanCore.secrets.zerotier = { clanCore.facts.services.zerotier = {
facts.zerotier-ip = { }; public.zerotier-ip = { };
facts.zerotier-network-id = { }; public.zerotier-network-id = { };
secrets.zerotier-identity-secret = { }; secret.zerotier-identity-secret = { };
generator.path = [ generator.path = [
config.services.zerotierone.package config.services.zerotierone.package
pkgs.fakeroot pkgs.fakeroot
@ -201,9 +201,9 @@ in
environment.systemPackages = [ config.clanCore.clanPkgs.zerotier-members ]; environment.systemPackages = [ config.clanCore.clanPkgs.zerotier-members ];
}) })
(lib.mkIf (!cfg.controller.enable && cfg.networkId != null) { (lib.mkIf (!cfg.controller.enable && cfg.networkId != null) {
clanCore.secrets.zerotier = { clanCore.facts.services.zerotier = {
facts.zerotier-ip = { }; public.zerotier-ip = { };
secrets.zerotier-identity-secret = { }; secret.zerotier-identity-secret = { };
generator.path = [ generator.path = [
config.services.zerotierone.package config.services.zerotierone.package
pkgs.python3 pkgs.python3
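Review bot: The rewritten `cp` in `init-zerotier` places `identity.secret` into `/var/lib/zerotier-one` without setting owner or mode, unlike the matrix-synapse script in this same commit that follows its copy with `chown`/`chmod 600`; the resulting mode depends on the source file's mode and root's umask, neither of which is visible here. `install -m 600 ${config.clanCore.facts.services.zerotier.secret.zerotier-identity-secret.path} /var/lib/zerotier-one/identity.secret` pins it regardless, with `-o`/`-g` added for the service user if zerotierone does not run as root. As a point of naming, the local `facts = …zerotier.public or { };` binding in the first hunk keeps the old name for what is now the `public` set; `public = …` or `zerotierPublic = …` would match the new API. The shell script and both `lib.mkIf` blocks run past their hunks.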