diff options
| author | tv <tv@krebsco.de> | 2023-09-11 15:31:13 +0200 |
|---|---|---|
| committer | tv <tv@krebsco.de> | 2023-09-11 16:10:41 +0200 |
| commit | 5370e0485788224126861e076110ac705013d2de (patch) | |
| tree | 15838192c1ebf685733cbf39b3f3e37fd1ebd639 | |
| parent | 8fc162ee3d9525a2b45346a1ca8f34ccb5ef971b (diff) | |
treewide: don't reference <secrets> explicitly
28 files changed, 44 insertions, 39 deletions
diff --git a/kartei/makefu/default.nix b/kartei/makefu/default.nix index e6c296c7..f215f1fc 100644 --- a/kartei/makefu/default.nix +++ b/kartei/makefu/default.nix @@ -51,7 +51,7 @@ ssh.pubkey = readFile pubkey-path; # We assume that if the sshd pubkey exits then there must be a privkey in # the screts store as well - ssh.privkey.path = <secrets/ssh_host_ed25519_key>; + ssh.privkey.path = "${config.krebs.secret.directory}/ssh_host_ed25519_key"; }) host ]; diff --git a/kartei/tv/default.nix b/kartei/tv/default.nix index 2f23324c..e81bdd32 100644 --- a/kartei/tv/default.nix +++ b/kartei/tv/default.nix @@ -43,7 +43,7 @@ in { }) (host: mkIf (host.config.ssh.pubkey != null) { ssh.privkey = mapAttrs (const mkDefault) { - path = config.krebs.secret.file "ssh.id_${host.config.ssh.privkey.type}"; + path = "${config.krebs.secret.directory}/ssh.id_${host.config.ssh.privkey.type}"; type = head (toList (builtins.match "ssh-([^ ]+) .*" host.config.ssh.pubkey)); }; }) diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index f3c0d444..75a8a0da 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -22,7 +22,7 @@ ]; krebs.build.host = config.krebs.hosts.hotdog; - krebs.hosts.hotdog.ssh.privkey.path = <secrets/ssh.id_ed25519>; + krebs.hosts.hotdog.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519"; krebs.pages.enable = true; boot.isContainer = true; diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index a4f22d39..fb0f6ec6 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -113,7 +113,7 @@ ]; krebs.build.host = config.krebs.hosts.puyak; - krebs.hosts.puyak.ssh.privkey.path = <secrets/ssh.id_ed25519>; + krebs.hosts.puyak.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519"; sound.enable = false; boot = { diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix index 2415bd32..6ff280f7 100644 --- a/krebs/1systems/wolf/config.nix +++ b/krebs/1systems/wolf/config.nix @@ -51,7 +51,7 @@ in # uninteresting stuff ##################### krebs.build.host = config.krebs.hosts.wolf; - krebs.hosts.wolf.ssh.privkey.path = <secrets/ssh.id_ed25519>; + krebs.hosts.wolf.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519"; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix index 74f34561..1ac63eaf 100644 --- a/krebs/2configs/cache.nsupdate.info.nix +++ b/krebs/2configs/cache.nsupdate.info.nix @@ -9,7 +9,7 @@ in { enable = true; server = "ipv4.nsupdate.info"; username = domain; - password = import ((toString <secrets>) + "/nsupdate-cache.nix"); + password = import "${config.krebs.secret.directory}/nsupdate-cache.nix"; domains = [ domain ]; use= "if, if=et0"; # use = "web, web=http://ipv4.nsupdate.info/myip"; diff --git a/krebs/2configs/matterbridge.nix b/krebs/2configs/matterbridge.nix index b96dea30..f4292182 100644 --- a/krebs/2configs/matterbridge.nix +++ b/krebs/2configs/matterbridge.nix @@ -2,7 +2,7 @@ services.matterbridge = { enable = true; configPath = let - bridgeBotToken = lib.strings.fileContents <secrets/telegram.token>; + bridgeBotToken = lib.strings.fileContents "${config.krebs.secret.directory}/telegram.token"; in toString ((pkgs.formats.toml {}).generate "config.toml" { general = { diff --git a/krebs/2configs/secret-passwords.nix b/krebs/2configs/secret-passwords.nix index 0f0d068a..531d570c 100644 --- a/krebs/2configs/secret-passwords.nix +++ b/krebs/2configs/secret-passwords.nix @@ -1,7 +1,7 @@ -{ lib, ... }: +{ config, lib, ... }: with lib; { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) - (import <secrets/hashedPasswords.nix>); + (import "${config.krebs.secret.directory}/hashedPasswords.nix"); } diff --git a/krebs/2configs/shack/gitlab-runner.nix b/krebs/2configs/shack/gitlab-runner.nix index d525e798..a27fe29a 100644 --- a/krebs/2configs/shack/gitlab-runner.nix +++ b/krebs/2configs/shack/gitlab-runner.nix @@ -1,4 +1,4 @@ -{ pkgs,lib, ... }: +{ config, lib, pkgs, ... }: { boot.kernel.sysctl."net.ipv4.ip_forward" = true; services.gitlab-runner = { @@ -10,7 +10,7 @@ # File should contain at least these two variables: # `CI_SERVER_URL` # `REGISTRATION_TOKEN` - registrationConfigFile = toString <secrets/shackspace-gitlab-ci>; + registrationConfigFile = "${config.krebs.secret.directory}/shackspace-gitlab-ci"; dockerImage = "alpine"; dockerVolumes = [ "/nix/store:/nix/store:ro" diff --git a/krebs/2configs/shack/grafana.nix b/krebs/2configs/shack/grafana.nix index f42f1c4a..78ef29f9 100644 --- a/krebs/2configs/shack/grafana.nix +++ b/krebs/2configs/shack/grafana.nix @@ -1,7 +1,6 @@ -let +{ config, ... }: let port = 3000; in { - networking.firewall.allowedTCPPorts = [ port ]; # legacy services.nginx.virtualHosts."grafana.shack" = { locations."/" = { @@ -25,6 +24,6 @@ in { users.allowOrgCreate = true; users.autoAssignOrg = true; auth.anonymous.enable = true; - security = import <secrets/grafana_security.nix>; + security = import "${config.krebs.secret.directory}/grafana_security.nix"; }; } diff --git a/krebs/2configs/shack/muell_caller.nix b/krebs/2configs/shack/muell_caller.nix index f3007dd1..ea335f23 100644 --- a/krebs/2configs/shack/muell_caller.nix +++ b/krebs/2configs/shack/muell_caller.nix @@ -21,7 +21,7 @@ let install -m755 -D call.py $out/bin/call-muell ''; }; - cfg = "${toString <secrets>}/tell.json"; + cfg = "${config.krebs.secret.directory}/tell.json"; in { systemd.services.call_muell = { description = "call muell"; diff --git a/krebs/2configs/shack/muell_mail.nix b/krebs/2configs/shack/muell_mail.nix index 2a8c92e4..69bc33e4 100644 --- a/krebs/2configs/shack/muell_mail.nix +++ b/krebs/2configs/shack/muell_mail.nix @@ -9,7 +9,7 @@ let sha256 = "0hgchwam5ma96s2v6mx2jfkh833psadmisjbm3k3153rlxp46frx"; }) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; }; home = "/var/lib/muell_mail"; - cfg = toString <secrets/shack/muell_mail.js>; + cfg = "${config.krebs.secret.directory}/shack/muell_mail.js"; in { users.users.muell_mail = { inherit home; diff --git a/krebs/2configs/shack/prometheus/unifi.nix b/krebs/2configs/shack/prometheus/unifi.nix index 34e47add..1e42779f 100644 --- a/krebs/2configs/shack/prometheus/unifi.nix +++ b/krebs/2configs/shack/prometheus/unifi.nix @@ -5,6 +5,6 @@ unifiAddress = "https://unifi.shack:8443/"; unifiInsecure = true; unifiUsername = "prometheus"; # needed manual login after setup to confirm the password - unifiPassword = lib.replaceStrings ["\n"] [""] (builtins.readFile <secrets/shack/unifi-prometheus-pw>); + unifiPassword = lib.replaceStrings ["\n"] [""] (builtins.readFile "${config.krebs.secret.directory}/shack/unifi-prometheus-pw"); }; } diff --git a/krebs/2configs/shack/s3-power.nix b/krebs/2configs/shack/s3-power.nix index d8033f1e..e79d15d7 100644 --- a/krebs/2configs/shack/s3-power.nix +++ b/krebs/2configs/shack/s3-power.nix @@ -10,7 +10,7 @@ let }) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; }; home = "/var/lib/s3-power"; - cfg = toString <secrets/shack/s3-power.json>; + cfg = "${config.krebs.secret.directory}/shack/s3-power.json"; in { users.users.s3_power = { inherit home; diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index bd7e7c5f..1e94df14 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix @@ -22,8 +22,8 @@ in default = "${config.krebs.secret.directory}/tinc.krebsco.de.key"; }; # in use: - # <secrets/tinc.krebsco.de.crt> - # <secrets/tinc.krebsco.de.key> + # ${config.krebs.secret.directory}/tinc.krebsco.de.crt + # ${config.krebs.secret.directory}/tinc.krebsco.de.key }; config = mkIf cfg.enable { diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix index 90c2f6a6..c35dceba 100644 --- a/krebs/3modules/secret.nix +++ b/krebs/3modules/secret.nix @@ -7,13 +7,17 @@ in { default = toString <secrets>; type = types.absolute-pathname; }; - file = mkOption { - default = relpath: "${cfg.directory}/${relpath}"; - readOnly = true; - }; files = mkOption { type = with pkgs.stockholm.lib.types; attrsOf secret-file; default = {}; + apply = mapAttrs (name: secret-file: + if types.absolute-pathname.check secret-file.source-path then + secret-file + else + secret-file // { + source-path = "${config.krebs.secret.directory}/secret-file.source-path"; + } + ); }; }; config = lib.mkIf (cfg.files != {}) { diff --git a/krebs/5pkgs/simple/generate-secrets/default.nix b/krebs/5pkgs/simple/generate-secrets/default.nix index a3c9f67c..8522b5dd 100644 --- a/krebs/5pkgs/simple/generate-secrets/default.nix +++ b/krebs/5pkgs/simple/generate-secrets/default.nix @@ -39,7 +39,7 @@ pkgs.writers.writeDashBin "generate-secrets" '' }; }; }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.privkey.path = "\''${config.krebs.secret.directory}/ssh.id_ed25519"; ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; }; EOF diff --git a/lib/types.nix b/lib/types.nix index 5f01ccb5..ad8421b1 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -340,7 +340,7 @@ rec { }; source-path = mkOption { type = str; - default = toString <secrets> + "/${config.name}"; + default = config.name; defaultText = "‹secrets/‹name››"; }; }; diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix index 66d74071..5b4e7510 100644 --- a/tv/2configs/binary-cache/default.nix +++ b/tv/2configs/binary-cache/default.nix @@ -11,7 +11,7 @@ services.nix-serve = { enable = true; - secretKeyFile = toString <secrets> + "/nix-serve.key"; + secretKeyFile = "${config.krebs.secret.directory}/nix-serve.key"; }; services.nginx = { diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index a8d840c1..91aad54c 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -10,7 +10,6 @@ with import ./lib; networking.hostName = config.krebs.build.host.name; imports = [ - <secrets> ./backup.nix ./bash ./htop.nix @@ -28,6 +27,11 @@ with import ./lib; defaultUserShell = "/run/current-system/sw/bin/bash"; mutableUsers = false; users = { + root = { + openssh.authorizedKeys.keys = [ + config.krebs.users.tv.pubkey + ]; + }; tv = { inherit (config.krebs.users.tv) home uid; isNormalUser = true; diff --git a/tv/2configs/gitrepos.nix b/tv/2configs/gitrepos.nix index 58dffe6a..102d264b 100644 --- a/tv/2configs/gitrepos.nix +++ b/tv/2configs/gitrepos.nix @@ -178,9 +178,7 @@ with import ./lib; ''; }; }; - } // - # TODO don't put secrets/repos.nix into the store - import <secrets/repos.nix> { inherit config lib pkgs; } + } ); irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate { diff --git a/tv/2configs/initrd/sshd.nix b/tv/2configs/initrd/sshd.nix index eff84807..d7264f07 100644 --- a/tv/2configs/initrd/sshd.nix +++ b/tv/2configs/initrd/sshd.nix @@ -12,6 +12,6 @@ ignoreEmptyHostKeys = true; }; boot.initrd.secrets = { - "/etc/ssh/ssh_host_rsa_key" = <secrets/initrd/ssh_host_rsa_key>; + "/etc/ssh/ssh_host_rsa_key" = "${config.krebs.secret.directory}/initrd/ssh_host_rsa_key"; }; } diff --git a/tv/2configs/ppp.nix b/tv/2configs/ppp.nix index 24d2831c..b3ae4da8 100644 --- a/tv/2configs/ppp.nix +++ b/tv/2configs/ppp.nix @@ -1,7 +1,7 @@ with import ./lib; { config, pkgs, ... }: let cfg = { - pin = "@${toString <secrets/o2.pin>}"; + pin = "@${config.krebs.secret.directory}/o2.pin"; ttys.ppp = "/dev/ttyACM0"; ttys.com = "/dev/ttyACM1"; }; diff --git a/tv/2configs/wiregrill.nix b/tv/2configs/wiregrill.nix index edf65e97..cace01a6 100644 --- a/tv/2configs/wiregrill.nix +++ b/tv/2configs/wiregrill.nix @@ -12,7 +12,7 @@ in optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++ optional (cfg.net.ip6 != null) cfg.net.ip6.addr; listenPort = 51820; - privateKeyFile = (toString <secrets>) + "/wiregrill.key"; + privateKeyFile = "${config.krebs.secret.directory}/wiregrill.key"; allowedIPsAsRoutes = true; peers = mapAttrsToList (_: host: { diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix index 4a0f9950..1fdcea57 100644 --- a/tv/3modules/charybdis/default.nix +++ b/tv/3modules/charybdis/default.nix @@ -17,11 +17,11 @@ in { }; ssl_dh_params = mkOption { type = types.absolute-pathname; - default = toString <secrets> + "/charybdis.dh.pem"; + default = "${config.krebs.secret.directory}/charybdis.dh.pem"; }; ssl_private_key = mkOption { type = types.absolute-pathname; - default = toString <secrets> + "/charybdis.key.pem"; + default = "${config.krebs.secret.directory}/charybdis.key.pem"; }; sslport = mkOption { type = types.int; diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix index 71a1a597..61fd8fdf 100644 --- a/tv/3modules/ejabberd/default.nix +++ b/tv/3modules/ejabberd/default.nix @@ -20,7 +20,7 @@ in { certfiles = mkOption { type = types.listOf types.absolute-pathname; default = [ - (toString <secrets> + "/ejabberd.pem") + "${config.krebs.secret.directory}/ejabberd.pem" ]; }; configFile = mkOption { diff --git a/tv/3modules/wwan.nix b/tv/3modules/wwan.nix index 382f5a53..0cdfbf36 100644 --- a/tv/3modules/wwan.nix +++ b/tv/3modules/wwan.nix @@ -19,7 +19,7 @@ with import ./lib; }; tv.wwan.secrets = mkOption { type = with types; pathname; - default = toString <secrets/wwan.json>; + default = "${config.krebs.secret.directory}/wwan.json"; # format: {"pin1":number} }; }; diff --git a/tv/3modules/x0vncserver.nix b/tv/3modules/x0vncserver.nix index eb9b1ae4..c8e23d06 100644 --- a/tv/3modules/x0vncserver.nix +++ b/tv/3modules/x0vncserver.nix @@ -9,7 +9,7 @@ in { }; enable = mkEnableOption "tv.x0vncserver"; pwfile = mkOption { - default = toString <secrets> + "/vncpasswd"; + default = "${config.krebs.secret.directory}/vncpasswd"; description = '' Use vncpasswd to edit pwfile. See: nix-shell -p tigervnc --run 'man vncpasswd' |