config: convert to lib.getSecrets

This commit is contained in:
Gabriel Arazas 2023-07-05 11:38:58 +08:00
parent dc8d6e8d55
commit fdd723ca33
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
10 changed files with 57 additions and 134 deletions


@ -64,38 +64,12 @@ in
};
};
sops.secrets =
let
getKey = key: {
inherit key;
sopsFile = ./secrets/secrets.yaml;
};
getSecrets = secrets:
lib.mapAttrs'
(secret: config:
lib.nameValuePair
"ni/${secret}"
((getKey secret) // config))
secrets;
in
getSecrets {
ssh-key = { };
"wireguard/private-key" = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
"wireguard/preshared-keys/plover" = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
"wireguard/preshared-keys/phone" = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
};
sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
"ni/ssh-key" = { };
"ni/wireguard/private-key" = { };
"ni/wireguard/preshared-keys/plover" = { };
"ni/wireguard/preshared-keys/phone" = { };
};
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
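Review bot: The three `ni/wireguard/*` entries at lines 50–52 are declared as `{ }`, so the `group = config.users.users.systemd-network.group`, `mode = "0640"` and `reloadUnits = [ "systemd-networkd.service" ]` that the removed block set on them are gone; under sops-nix defaults the key files become root-owned 0400, which (as far as I know) systemd-networkd cannot read once it has dropped to the systemd-network user, and a rotated key no longer triggers a reload. The plover side of this same commit keeps a `systemdNetworkdPermission` attribute for the equivalent secrets, so this looks like an accidental drop rather than a deliberate change, unless those attributes are now set from a wireguard module that is not among the files shown. I would restore them via a small `let` binding reused by the three entries, as below.

```nix
sops.secrets =
  let
    networkdPerms = {
      group = config.users.users.systemd-network.group;
      mode = "0640";
      reloadUnits = [ "systemd-networkd.service" ];
    };
  in
  lib.getSecrets ./secrets/secrets.yaml {
    "ni/ssh-key" = { };
    "ni/wireguard/private-key" = networkdPerms;
    "ni/wireguard/preshared-keys/plover" = networkdPerms;
    "ni/wireguard/preshared-keys/phone" = networkdPerms;
  };
```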


@ -74,43 +74,15 @@ in
'';
};
# TODO: Put the secrets to the respective service module.
sops.secrets =
let
getKey = key: {
inherit key;
sopsFile = ./secrets/secrets.yaml;
};
getSecrets = secrets:
lib.mapAttrs'
(secret: config:
lib.nameValuePair
"plover/${secret}"
((getKey secret) // config))
secrets;
sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
"plover/ssh-key" = { };
"plover/lego/env" = { };
giteaUser = config.users.users."${config.services.gitea.user}".name;
portunusUser = config.users.users."${config.services.portunus.user}".name;
# It is hardcoded but as long as the module is stable that way.
vaultwardenUser = config.users.groups.vaultwarden.name;
postgresUser = config.users.groups.postgres.name;
in
getSecrets {
"ssh-key" = { };
"lego/env" = { };
"gitea/db/password".owner = giteaUser;
"gitea/smtp/password".owner = giteaUser;
"vaultwarden/env".owner = vaultwardenUser;
"borg/repos/host/patterns/keys" = { };
"borg/repos/host/password" = { };
"borg/repos/services/password" = { };
"borg/ssh-key" = { };
"keycloak/db/password".owner = postgresUser;
"ldap/users/foodogsquared/password".owner = portunusUser;
};
"plover/borg/repos/host/patterns/keys" = { };
"plover/borg/repos/host/password" = { };
"plover/borg/repos/services/password" = { };
"plover/borg/ssh-key" = { };
};
# All of the keys required to deploy the secrets.
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
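Review bot: The `# TODO: Put the secrets to the respective service module.` comment at line 61 is kept unchanged although this commit moves the gitea, keycloak, vaultwarden and LDAP secrets into their modules; only the ssh, lego and borg entries at lines 76–77 and 97–100 remain here, so the comment now overstates what is left. I would reword it to `# TODO: Move the remaining lego and borg secrets into their respective service modules.` so the next reader knows the migration is partial. The retained entries are all `{ }`, i.e. root-owned 0400 under sops-nix defaults, which matches the old side; a one-line comment that these are consumed by root-run units (lego renewal, borg jobs) would save the reader from checking — I cannot confirm that from this hunk.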


@ -53,27 +53,16 @@ in
{
sops.secrets =
let
getKey = key: {
inherit key;
sopsFile = ../../secrets/secrets.yaml;
};
getSecrets = secrets:
lib.mapAttrs'
(secret: config:
lib.nameValuePair
"plover/${secret}"
((getKey secret) // config))
secrets;
dnsFileAttribute = {
owner = config.users.users.named.name;
group = config.users.users.named.group;
mode = "0400";
};
in
getSecrets {
"dns/${domain}/mailbox-security-key" = dnsFileAttribute;
"dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
"dns/${domain}/rfc2136-key" = dnsFileAttribute // {
lib.getSecrets ../../secrets/secrets.yaml {
"plover/dns/${domain}/mailbox-security-key" = dnsFileAttribute;
"plover/dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
"plover/dns/${domain}/rfc2136-key" = dnsFileAttribute // {
reloadUnits = [ "bind.service" ];
};
};
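Review bot: The three DNS entries at lines 133–135 share `dnsFileAttribute` (owner/group named, mode 0400) but only `rfc2136-key` gets `reloadUnits = [ "bind.service" ]`; if bind also loads the two `mailbox-security-key` files at start-up, a rotated key is not picked up until the next restart, and if they are consumed by something else that consumer is not visible in this module. I would document who reads each entry, e.g. `# Loaded by bind at startup; rotation needs a manual restart` above line 133, or give them the same `reloadUnits` if bind does read them at runtime — which of the two applies cannot be told from the hunk. The `dnsFileAttribute` binding at lines 122–126 is unchanged and its 0400/named ownership is the right shape for TSIG material.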


@ -7,9 +7,15 @@
let
codeForgeDomain = "code.${config.networking.domain}";
giteaUser = config.users.users."${config.services.gitea.user}".name;
giteaDatabaseUser = config.services.gitea.user;
in
{
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/gitea/db/password".owner = giteaUser;
"plover/gitea/smtp/password".owner = giteaUser;
};
services.gitea = {
enable = true;
appName = "foodogsquared's code forge";


@ -11,10 +11,17 @@ let
keycloakUser = config.services.keycloak.database.username;
keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username;
# This is for access to PostgreSQL database.
postgresUser = config.users.groups.postgres.name;
certs = config.security.acme.certs;
host = "localhost";
in
{
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/keycloak/db/password".owner = postgresUser;
};
# Hey, the hub for your application sign-in.
services.keycloak = {
enable = true;


@ -5,8 +5,13 @@
let
ldapDomain = "ldap.${config.networking.fqdn}";
portunusUser = config.users.users."${config.services.portunus.user}".name;
in
{
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/ldap/users/foodogsquared/password".owner = portunusUser;
};
services.portunus = {
enable = true;


@ -12,6 +12,10 @@ let
vaultwardenDbName = "vaultwarden";
in
{
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/vaultwarden/env".owner = vaultwardenUser;
};
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";


@ -18,29 +18,16 @@ in
sops.secrets =
let
getKey = key: {
inherit key;
sopsFile = ../../secrets/secrets.yaml;
};
getSecrets = secrets:
(lib.mapAttrs'
(name: config:
lib.nameValuePair
"plover/${name}"
((getKey name) // config))
secrets);
systemdNetworkdPermission = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
in
getSecrets {
"wireguard/private-key" = systemdNetworkdPermission;
"wireguard/preshared-keys/ni" = systemdNetworkdPermission;
"wireguard/preshared-keys/phone" = systemdNetworkdPermission;
lib.getSecrets ../../secrets/secrets.yaml {
"plover/wireguard/private-key" = systemdNetworkdPermission;
"plover/wireguard/preshared-keys/ni" = systemdNetworkdPermission;
"plover/wireguard/preshared-keys/phone" = systemdNetworkdPermission;
};
networking.firewall = {
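Review bot: `systemdNetworkdPermission` (lines 218–222), reused for the three wireguard secrets at lines 229–231, relies on `reloadUnits = [ "systemd-networkd.service" ]` to apply a rotated key, but as far as I know a networkd reload re-reads `.network` units only and does not reconfigure an existing `.netdev`, so the wireguard interface would keep its old private and preshared keys — worth verifying against the networkd version in use. If that holds, `restartUnits = [ "systemd-networkd.service" ];` is the option that actually applies a new key, at the cost of a brief network restart, and a comment on that trade-off belongs next to the attribute. The group/0640 split itself is fine: root keeps ownership and only the systemd-network group can read the files. The `networking.firewall` block at line 233 continues outside the hunk.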


@ -44,30 +44,16 @@ in
lib.mkEnableOption "backup setup with BorgBackup";
config = lib.mkIf cfg.enable {
sops.secrets =
let
getKey = key: {
inherit key;
sopsFile = lib.getSecret "backup-archive.yaml";
};
getSecrets = secrets:
lib.mapAttrs'
(key: config:
lib.nameValuePair
"borg-backup/${key}"
((getKey key) // config))
secrets;
in
getSecrets {
"patterns/home" = { };
"patterns/etc" = { };
"patterns/keys" = { };
"patterns/remote-backup" = { };
"repos/archive/password" = { };
"repos/external-drive/password" = { };
"repos/hetzner-box/password" = { };
"ssh-key" = { };
};
sops.secrets = lib.getSecrets (lib.getSecret "backup-archive.yaml") {
"borg-backup/patterns/home" = { };
"borg-backup/patterns/etc" = { };
"borg-backup/patterns/keys" = { };
"borg-backup/patterns/remote-backup" = { };
"borg-backup/repos/archive/password" = { };
"borg-backup/repos/external-drive/password" = { };
"borg-backup/repos/hetzner-box/password" = { };
"borg-backup/ssh-key" = { };
};
profiles.filesystem = {
archive.enable = true;


@ -93,16 +93,9 @@ in
{
environment.systemPackages = [ ytdlpArchiveVariant ];
sops.secrets =
let
getKey = key: {
inherit key;
sopsFile = lib.getSecret "multimedia-archive.yaml";
};
in
{
"multimedia-archive/secrets-config" = getKey "secrets-config";
};
sops.secrets = lib.getSecrets (lib.getSecret "multimedia-archive.yaml") {
"multimedia-archive/secrets-config" = { };
};
profiles.filesystem.archive.enable = true;
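Review bot: `multimedia-archive/secrets-config` at line 293 gets sops-nix defaults (root-owned, mode 0400) while line 281 installs `ytdlpArchiveVariant` into `environment.systemPackages`, i.e. a user-facing tool; if that wrapper reads the file when invoked by a regular user it will fail with a permission error, and if a root-run service is the consumer the module should say so. I would set `owner`/`mode` explicitly according to the actual consumer and add a comment like `# yt-dlp config containing credentials; read by <consumer> as root — confirm` above line 292; which case applies is not visible in this hunk.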