config: convert to lib.getSecrets

Gabriel Arazas 2023-07-05 11:38:58 +08:00
parent dc8d6e8d55
commit fdd723ca33
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
10 changed files with 57 additions and 134 deletions


@ -64,38 +64,12 @@ in
}; };
}; };
sops.secrets = sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
let "ni/ssh-key" = { };
getKey = key: { "ni/wireguard/private-key" = { };
inherit key; "ni/wireguard/preshared-keys/plover" = { };
sopsFile = ./secrets/secrets.yaml; "ni/wireguard/preshared-keys/phone" = { };
}; };
getSecrets = secrets:
lib.mapAttrs'
(secret: config:
lib.nameValuePair
"ni/${secret}"
((getKey secret) // config))
secrets;
in
getSecrets {
ssh-key = { };
"wireguard/private-key" = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
"wireguard/preshared-keys/plover" = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
"wireguard/preshared-keys/phone" = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
};
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
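Review bot: The new side of this section assigns `{ }` to `"ni/wireguard/private-key"` and both `"ni/wireguard/preshared-keys/*"` entries, so the `group = config.users.users.systemd-network.group`, `mode = "0640"` and `reloadUnits = [ "systemd-networkd.service" ]` that the removed lines carried are silently dropped; the commit message only promises a conversion to `lib.getSecrets`, not a permission change. If systemd-networkd reads these files as the systemd-network user, the sops-nix defaults (root-owned, read-only for the owner) would make the keys unreadable, and networkd would no longer be reloaded when a key is rotated. The plover-side section further down keeps a `systemdNetworkdPermission` binding for the same kind of keys, so the two hosts now diverge on the same secrets; the same `let` shape can be reused here.
```nix
sops.secrets =
  let
    # Same shape as the plover wireguard module: networkd reads the
    # key material as its own group, and must reload when it changes.
    systemdNetworkdPermission = {
      group = config.users.users.systemd-network.group;
      reloadUnits = [ "systemd-networkd.service" ];
      mode = "0640";
    };
  in
  lib.getSecrets ./secrets/secrets.yaml {
    "ni/ssh-key" = { };
    "ni/wireguard/private-key" = systemdNetworkdPermission;
    "ni/wireguard/preshared-keys/plover" = systemdNetworkdPermission;
    "ni/wireguard/preshared-keys/phone" = systemdNetworkdPermission;
  };
```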


@ -74,43 +74,15 @@ in
''; '';
}; };
# TODO: Put the secrets to the respective service module. sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
sops.secrets = "plover/ssh-key" = { };
let "plover/lego/env" = { };
getKey = key: {
inherit key;
sopsFile = ./secrets/secrets.yaml;
};
getSecrets = secrets:
lib.mapAttrs'
(secret: config:
lib.nameValuePair
"plover/${secret}"
((getKey secret) // config))
secrets;
giteaUser = config.users.users."${config.services.gitea.user}".name; "plover/borg/repos/host/patterns/keys" = { };
portunusUser = config.users.users."${config.services.portunus.user}".name; "plover/borg/repos/host/password" = { };
"plover/borg/repos/services/password" = { };
# It is hardcoded but as long as the module is stable that way. "plover/borg/ssh-key" = { };
vaultwardenUser = config.users.groups.vaultwarden.name; };
postgresUser = config.users.groups.postgres.name;
in
getSecrets {
"ssh-key" = { };
"lego/env" = { };
"gitea/db/password".owner = giteaUser;
"gitea/smtp/password".owner = giteaUser;
"vaultwarden/env".owner = vaultwardenUser;
"borg/repos/host/patterns/keys" = { };
"borg/repos/host/password" = { };
"borg/repos/services/password" = { };
"borg/ssh-key" = { };
"keycloak/db/password".owner = postgresUser;
"ldap/users/foodogsquared/password".owner = portunusUser;
};
# All of the keys required to deploy the secrets. # All of the keys required to deploy the secrets.
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";


@ -53,27 +53,16 @@ in
{ {
sops.secrets = sops.secrets =
let let
getKey = key: {
inherit key;
sopsFile = ../../secrets/secrets.yaml;
};
getSecrets = secrets:
lib.mapAttrs'
(secret: config:
lib.nameValuePair
"plover/${secret}"
((getKey secret) // config))
secrets;
dnsFileAttribute = { dnsFileAttribute = {
owner = config.users.users.named.name; owner = config.users.users.named.name;
group = config.users.users.named.group; group = config.users.users.named.group;
mode = "0400"; mode = "0400";
}; };
in in
getSecrets { lib.getSecrets ../../secrets/secrets.yaml {
"dns/${domain}/mailbox-security-key" = dnsFileAttribute; "plover/dns/${domain}/mailbox-security-key" = dnsFileAttribute;
"dns/${domain}/mailbox-security-key-record" = dnsFileAttribute; "plover/dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
"dns/${domain}/rfc2136-key" = dnsFileAttribute // { "plover/dns/${domain}/rfc2136-key" = dnsFileAttribute // {
reloadUnits = [ "bind.service" ]; reloadUnits = [ "bind.service" ];
}; };
}; };


@ -7,9 +7,15 @@
let let
codeForgeDomain = "code.${config.networking.domain}"; codeForgeDomain = "code.${config.networking.domain}";
giteaUser = config.users.users."${config.services.gitea.user}".name;
giteaDatabaseUser = config.services.gitea.user; giteaDatabaseUser = config.services.gitea.user;
in in
{ {
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/gitea/db/password".owner = giteaUser;
"plover/gitea/smtp/password".owner = giteaUser;
};
services.gitea = { services.gitea = {
enable = true; enable = true;
appName = "foodogsquared's code forge"; appName = "foodogsquared's code forge";


@ -11,10 +11,17 @@ let
keycloakUser = config.services.keycloak.database.username; keycloakUser = config.services.keycloak.database.username;
keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username; keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username;
# This is for access to PostgreSQL database.
postgresUser = config.users.groups.postgres.name;
certs = config.security.acme.certs; certs = config.security.acme.certs;
host = "localhost"; host = "localhost";
in in
{ {
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/keycloak/db/password".owner = postgresUser;
};
# Hey, the hub for your application sign-in. # Hey, the hub for your application sign-in.
services.keycloak = { services.keycloak = {
enable = true; enable = true;
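Review bot: `postgresUser` is bound to a group name, `config.users.groups.postgres.name`, and then handed to `.owner` on the `"plover/keycloak/db/password"` line, where sops-nix expects a user name; this only resolves correctly because the PostgreSQL user and group happen to share the name. Since the module is being moved next to the service it serves, it is the right moment to bind the user instead, `postgresUser = config.users.users.postgres.name;`, assuming the postgresql module defines that user when `createLocally` is on. The added comment `# This is for access to PostgreSQL database.` does not say why the file must be owned by postgres rather than by the Keycloak service; a line such as `# Owned by postgres: the database-side setup reads this file — TODO confirm which unit` would record the assumption for the next maintainer. The enclosing `let` block starts before this hunk.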


@ -5,8 +5,13 @@
let let
ldapDomain = "ldap.${config.networking.fqdn}"; ldapDomain = "ldap.${config.networking.fqdn}";
portunusUser = config.users.users."${config.services.portunus.user}".name;
in in
{ {
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/ldap/users/foodogsquared/password".owner = portunusUser;
};
services.portunus = { services.portunus = {
enable = true; enable = true;


@ -12,6 +12,10 @@ let
vaultwardenDbName = "vaultwarden"; vaultwardenDbName = "vaultwarden";
in in
{ {
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/vaultwarden/env".owner = vaultwardenUser;
};
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "postgresql"; dbBackend = "postgresql";


@ -18,29 +18,16 @@ in
sops.secrets = sops.secrets =
let let
getKey = key: {
inherit key;
sopsFile = ../../secrets/secrets.yaml;
};
getSecrets = secrets:
(lib.mapAttrs'
(name: config:
lib.nameValuePair
"plover/${name}"
((getKey name) // config))
secrets);
systemdNetworkdPermission = { systemdNetworkdPermission = {
group = config.users.users.systemd-network.group; group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ]; reloadUnits = [ "systemd-networkd.service" ];
mode = "0640"; mode = "0640";
}; };
in in
getSecrets { lib.getSecrets ../../secrets/secrets.yaml {
"wireguard/private-key" = systemdNetworkdPermission; "plover/wireguard/private-key" = systemdNetworkdPermission;
"wireguard/preshared-keys/ni" = systemdNetworkdPermission; "plover/wireguard/preshared-keys/ni" = systemdNetworkdPermission;
"wireguard/preshared-keys/phone" = systemdNetworkdPermission; "plover/wireguard/preshared-keys/phone" = systemdNetworkdPermission;
}; };
networking.firewall = { networking.firewall = {


@ -44,30 +44,16 @@ in
lib.mkEnableOption "backup setup with BorgBackup"; lib.mkEnableOption "backup setup with BorgBackup";
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops.secrets = sops.secrets = lib.getSecrets (lib.getSecret "backup-archive.yaml") {
let "borg-backup/patterns/home" = { };
getKey = key: { "borg-backup/patterns/etc" = { };
inherit key; "borg-backup/patterns/keys" = { };
sopsFile = lib.getSecret "backup-archive.yaml"; "borg-backup/patterns/remote-backup" = { };
}; "borg-backup/repos/archive/password" = { };
getSecrets = secrets: "borg-backup/repos/external-drive/password" = { };
lib.mapAttrs' "borg-backup/repos/hetzner-box/password" = { };
(key: config: "borg-backup/ssh-key" = { };
lib.nameValuePair };
"borg-backup/${key}"
((getKey key) // config))
secrets;
in
getSecrets {
"patterns/home" = { };
"patterns/etc" = { };
"patterns/keys" = { };
"patterns/remote-backup" = { };
"repos/archive/password" = { };
"repos/external-drive/password" = { };
"repos/hetzner-box/password" = { };
"ssh-key" = { };
};
profiles.filesystem = { profiles.filesystem = {
archive.enable = true; archive.enable = true;


@ -93,16 +93,9 @@ in
{ {
environment.systemPackages = [ ytdlpArchiveVariant ]; environment.systemPackages = [ ytdlpArchiveVariant ];
sops.secrets = sops.secrets = lib.getSecrets (lib.getSecret "multimedia-archive.yaml") {
let "multimedia-archive/secrets-config" = { };
getKey = key: { };
inherit key;
sopsFile = lib.getSecret "multimedia-archive.yaml";
};
in
{
"multimedia-archive/secrets-config" = getKey "secrets-config";
};
profiles.filesystem.archive.enable = true; profiles.filesystem.archive.enable = true;