authortv <tv@krebsco.de>2023-09-11 15:31:13 +0200
committertv <tv@krebsco.de>2023-09-11 16:10:41 +0200
commit5370e0485788224126861e076110ac705013d2de (patch)
tree15838192c1ebf685733cbf39b3f3e37fd1ebd639
parent8fc162ee3d9525a2b45346a1ca8f34ccb5ef971b (diff)
treewide: don't reference <secrets> explicitly
-rw-r--r--kartei/makefu/default.nix2
-rw-r--r--kartei/tv/default.nix2
-rw-r--r--krebs/1systems/hotdog/config.nix2
-rw-r--r--krebs/1systems/puyak/config.nix2
-rw-r--r--krebs/1systems/wolf/config.nix2
-rw-r--r--krebs/2configs/cache.nsupdate.info.nix2
-rw-r--r--krebs/2configs/matterbridge.nix2
-rw-r--r--krebs/2configs/secret-passwords.nix4
-rw-r--r--krebs/2configs/shack/gitlab-runner.nix4
-rw-r--r--krebs/2configs/shack/grafana.nix5
-rw-r--r--krebs/2configs/shack/muell_caller.nix2
-rw-r--r--krebs/2configs/shack/muell_mail.nix2
-rw-r--r--krebs/2configs/shack/prometheus/unifi.nix2
-rw-r--r--krebs/2configs/shack/s3-power.nix2
-rw-r--r--krebs/3modules/retiolum-bootstrap.nix4
-rw-r--r--krebs/3modules/secret.nix12
-rw-r--r--krebs/5pkgs/simple/generate-secrets/default.nix2
-rw-r--r--lib/types.nix2
-rw-r--r--tv/2configs/binary-cache/default.nix2
-rw-r--r--tv/2configs/default.nix6
-rw-r--r--tv/2configs/gitrepos.nix4
-rw-r--r--tv/2configs/initrd/sshd.nix2
-rw-r--r--tv/2configs/ppp.nix2
-rw-r--r--tv/2configs/wiregrill.nix2
-rw-r--r--tv/3modules/charybdis/default.nix4
-rw-r--r--tv/3modules/ejabberd/default.nix2
-rw-r--r--tv/3modules/wwan.nix2
-rw-r--r--tv/3modules/x0vncserver.nix2
28 files changed, 44 insertions, 39 deletions
diff --git a/kartei/makefu/default.nix b/kartei/makefu/default.nix
index e6c296c75..f215f1fcb 100644
--- a/kartei/makefu/default.nix
+++ b/kartei/makefu/default.nix
@@ -51,7 +51,7 @@
ssh.pubkey = readFile pubkey-path;
# We assume that if the sshd pubkey exits then there must be a privkey in
# the screts store as well
- ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
+ ssh.privkey.path = "${config.krebs.secret.directory}/ssh_host_ed25519_key";
})
host
];
diff --git a/kartei/tv/default.nix b/kartei/tv/default.nix
index 2f23324cc..e81bdd32b 100644
--- a/kartei/tv/default.nix
+++ b/kartei/tv/default.nix
@@ -43,7 +43,7 @@ in {
})
(host: mkIf (host.config.ssh.pubkey != null) {
ssh.privkey = mapAttrs (const mkDefault) {
- path = config.krebs.secret.file "ssh.id_${host.config.ssh.privkey.type}";
+ path = "${config.krebs.secret.directory}/ssh.id_${host.config.ssh.privkey.type}";
type = head (toList (builtins.match "ssh-([^ ]+) .*" host.config.ssh.pubkey));
};
})
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index f3c0d4440..75a8a0da1 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -22,7 +22,7 @@
];
krebs.build.host = config.krebs.hosts.hotdog;
- krebs.hosts.hotdog.ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ krebs.hosts.hotdog.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
krebs.pages.enable = true;
boot.isContainer = true;
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index a4f22d39c..fb0f6ec61 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -113,7 +113,7 @@
];
krebs.build.host = config.krebs.hosts.puyak;
- krebs.hosts.puyak.ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ krebs.hosts.puyak.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
sound.enable = false;
boot = {
diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix
index 2415bd32f..6ff280f79 100644
--- a/krebs/1systems/wolf/config.nix
+++ b/krebs/1systems/wolf/config.nix
@@ -51,7 +51,7 @@ in
# uninteresting stuff
#####################
krebs.build.host = config.krebs.hosts.wolf;
- krebs.hosts.wolf.ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ krebs.hosts.wolf.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
boot.initrd.availableKernelModules = [
"ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk"
diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix
index 74f345614..1ac63eaf5 100644
--- a/krebs/2configs/cache.nsupdate.info.nix
+++ b/krebs/2configs/cache.nsupdate.info.nix
@@ -9,7 +9,7 @@ in {
enable = true;
server = "ipv4.nsupdate.info";
username = domain;
- password = import ((toString <secrets>) + "/nsupdate-cache.nix");
+ password = import "${config.krebs.secret.directory}/nsupdate-cache.nix";
domains = [ domain ];
use= "if, if=et0";
# use = "web, web=http://ipv4.nsupdate.info/myip";
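Review bot: The `import` at L110 still evaluates the nsupdate password into the `password` option at build time, so the credential ends up in the generated ddclient configuration in the Nix store exactly as before; the commit only changes how the secrets directory is spelled, not where the secret lands. If the ddclient module in use offers a `passwordFile` option, pointing it at `"${config.krebs.secret.directory}/nsupdate-cache"` would keep the password out of the store and make the runtime read explicit. The module's function arguments are outside this hunk; `config` must be among them for the new line to evaluate.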
diff --git a/krebs/2configs/matterbridge.nix b/krebs/2configs/matterbridge.nix
index b96dea300..f42921824 100644
--- a/krebs/2configs/matterbridge.nix
+++ b/krebs/2configs/matterbridge.nix
@@ -2,7 +2,7 @@
services.matterbridge = {
enable = true;
configPath = let
- bridgeBotToken = lib.strings.fileContents <secrets/telegram.token>;
+ bridgeBotToken = lib.strings.fileContents "${config.krebs.secret.directory}/telegram.token";
in
toString ((pkgs.formats.toml {}).generate "config.toml" {
general = {
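Review bot: The token read by `lib.strings.fileContents` at L123 is interpolated into the attribute set that `(pkgs.formats.toml {}).generate "config.toml"` on L125 renders into the Nix store, so the bridge bot token remains world-readable under /nix/store regardless of how the secrets directory is referenced. If keeping the token out of the store is a goal, the config would need to be rendered at service start (a template filled in by a preStart script, or a `configPath` pointing at a runtime-provisioned file) rather than at evaluation time; at minimum a comment such as `# NOTE: the token is baked into config.toml in the store at eval time` should record that this is accepted. The module's function arguments are outside the hunk; `config` must be present there for the new line to evaluate.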
diff --git a/krebs/2configs/secret-passwords.nix b/krebs/2configs/secret-passwords.nix
index 0f0d068aa..531d570cc 100644
--- a/krebs/2configs/secret-passwords.nix
+++ b/krebs/2configs/secret-passwords.nix
@@ -1,7 +1,7 @@
-{ lib, ... }:
+{ config, lib, ... }:
with lib;
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
- (import <secrets/hashedPasswords.nix>);
+ (import "${config.krebs.secret.directory}/hashedPasswords.nix");
}
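Review bot: The `hashedPassword` values assigned at L137 are, as far as I know, written by NixOS into the users/groups JSON that the activation script reads from the Nix store, so every user's password hash stays world-readable on the host and available for offline cracking; the new `import` at L139 changes only where the hashes are read from, not where they end up. Consider `hashedPasswordFile` pointing at one file per user under `config.krebs.secret.directory`, e.g. `mapAttrs (name: _: { hashedPasswordFile = "${config.krebs.secret.directory}/hashedPasswords/${name}"; })`, which keeps the hashes out of the store. If the current layout is deliberate, a comment noting that the hashes land in the store would save the next reader the investigation.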
diff --git a/krebs/2configs/shack/gitlab-runner.nix b/krebs/2configs/shack/gitlab-runner.nix
index d525e7987..a27fe29ae 100644
--- a/krebs/2configs/shack/gitlab-runner.nix
+++ b/krebs/2configs/shack/gitlab-runner.nix
@@ -1,4 +1,4 @@
-{ pkgs,lib, ... }:
+{ config, lib, pkgs, ... }:
{
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
services.gitlab-runner = {
@@ -10,7 +10,7 @@
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `REGISTRATION_TOKEN`
- registrationConfigFile = toString <secrets/shackspace-gitlab-ci>;
+ registrationConfigFile = "${config.krebs.secret.directory}/shackspace-gitlab-ci";
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"
diff --git a/krebs/2configs/shack/grafana.nix b/krebs/2configs/shack/grafana.nix
index f42f1c4af..78ef29f97 100644
--- a/krebs/2configs/shack/grafana.nix
+++ b/krebs/2configs/shack/grafana.nix
@@ -1,7 +1,6 @@
-let
+{ config, ... }: let
port = 3000;
in {
-
networking.firewall.allowedTCPPorts = [ port ]; # legacy
services.nginx.virtualHosts."grafana.shack" = {
locations."/" = {
@@ -25,6 +24,6 @@ in {
users.allowOrgCreate = true;
users.autoAssignOrg = true;
auth.anonymous.enable = true;
- security = import <secrets/grafana_security.nix>;
+ security = import "${config.krebs.secret.directory}/grafana_security.nix";
};
}
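Review bot: The `security` attribute set imported at L178 (admin credentials, secret key, and whatever else the secrets file carries) is still evaluated into Grafana settings at build time, and the grafana module writes those settings into its configuration file in the Nix store; the commit only changes the path spelling. Where the NixOS grafana module version in use supports it, `$__file{…}` references or its `*File` options would let these values be read at runtime from `config.krebs.secret.directory` instead of being baked in. The `services.grafana` block that these lines belong to starts outside the hunk.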
diff --git a/krebs/2configs/shack/muell_caller.nix b/krebs/2configs/shack/muell_caller.nix
index f3007dd1d..ea335f233 100644
--- a/krebs/2configs/shack/muell_caller.nix
+++ b/krebs/2configs/shack/muell_caller.nix
@@ -21,7 +21,7 @@ let
install -m755 -D call.py $out/bin/call-muell
'';
};
- cfg = "${toString <secrets>}/tell.json";
+ cfg = "${config.krebs.secret.directory}/tell.json";
in {
systemd.services.call_muell = {
description = "call muell";
diff --git a/krebs/2configs/shack/muell_mail.nix b/krebs/2configs/shack/muell_mail.nix
index 2a8c92e46..69bc33e46 100644
--- a/krebs/2configs/shack/muell_mail.nix
+++ b/krebs/2configs/shack/muell_mail.nix
@@ -9,7 +9,7 @@ let
sha256 = "0hgchwam5ma96s2v6mx2jfkh833psadmisjbm3k3153rlxp46frx";
}) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; };
home = "/var/lib/muell_mail";
- cfg = toString <secrets/shack/muell_mail.js>;
+ cfg = "${config.krebs.secret.directory}/shack/muell_mail.js";
in {
users.users.muell_mail = {
inherit home;
diff --git a/krebs/2configs/shack/prometheus/unifi.nix b/krebs/2configs/shack/prometheus/unifi.nix
index 34e47add9..1e42779f0 100644
--- a/krebs/2configs/shack/prometheus/unifi.nix
+++ b/krebs/2configs/shack/prometheus/unifi.nix
@@ -5,6 +5,6 @@
unifiAddress = "https://unifi.shack:8443/";
unifiInsecure = true;
unifiUsername = "prometheus"; # needed manual login after setup to confirm the password
- unifiPassword = lib.replaceStrings ["\n"] [""] (builtins.readFile <secrets/shack/unifi-prometheus-pw>);
+ unifiPassword = lib.replaceStrings ["\n"] [""] (builtins.readFile "${config.krebs.secret.directory}/shack/unifi-prometheus-pw");
};
}
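Review bot: `builtins.readFile` at L216 still evaluates the UniFi password into the `unifiPassword` option string, so it presumably ends up in the exporter's generated unit or command line in the Nix store; the new path spelling does not change that, and it is worth a comment such as `# NOTE: password is read at eval time and baked into the exporter config` if this is accepted. Separately, `lib.replaceStrings ["\n"] [""]` removes every newline rather than only the trailing one; `lib.fileContents "${config.krebs.secret.directory}/shack/unifi-prometheus-pw"` states the intent (strip the trailing newline) more precisely. The module's argument list is outside the hunk; confirm `config` is in it, since the diffstat shows only these two lines changed in this file.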
diff --git a/krebs/2configs/shack/s3-power.nix b/krebs/2configs/shack/s3-power.nix
index d8033f1e2..e79d15d73 100644
--- a/krebs/2configs/shack/s3-power.nix
+++ b/krebs/2configs/shack/s3-power.nix
@@ -10,7 +10,7 @@ let
}) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; };
home = "/var/lib/s3-power";
- cfg = toString <secrets/shack/s3-power.json>;
+ cfg = "${config.krebs.secret.directory}/shack/s3-power.json";
in {
users.users.s3_power = {
inherit home;
diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index bd7e7c5f6..1e94df14e 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -22,8 +22,8 @@ in
default = "${config.krebs.secret.directory}/tinc.krebsco.de.key";
};
# in use:
- # <secrets/tinc.krebsco.de.crt>
- # <secrets/tinc.krebsco.de.key>
+ # ${config.krebs.secret.directory}/tinc.krebsco.de.crt
+ # ${config.krebs.secret.directory}/tinc.krebsco.de.key
};
config = mkIf cfg.enable {
diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix
index 90c2f6a6d..c35dceba3 100644
--- a/krebs/3modules/secret.nix
+++ b/krebs/3modules/secret.nix
@@ -7,13 +7,17 @@ in {
default = toString <secrets>;
type = types.absolute-pathname;
};
- file = mkOption {
- default = relpath: "${cfg.directory}/${relpath}";
- readOnly = true;
- };
files = mkOption {
type = with pkgs.stockholm.lib.types; attrsOf secret-file;
default = {};
+ apply = mapAttrs (name: secret-file:
+ if types.absolute-pathname.check secret-file.source-path then
+ secret-file
+ else
+ secret-file // {
+ source-path = "${config.krebs.secret.directory}/secret-file.source-path";
+ }
+ );
};
};
config = lib.mkIf (cfg.files != {}) {
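Review bot: The else branch at L265 builds the literal string `…/secret-file.source-path` because `secret-file.source-path` is written inside the quotes without `${}`, so every secret-file with a relative source-path resolves to the same nonexistent file instead of `<directory>/<name>`; it should read `source-path = "${config.krebs.secret.directory}/${secret-file.source-path}";`. With the default in lib/types.nix now being the bare `config.name`, this affects every secret-file that does not set an absolute path explicitly, so the deployment would fail to find any default-named secret. The `config = lib.mkIf` attribute that begins on the hunk's last line continues outside the hunk.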
diff --git a/krebs/5pkgs/simple/generate-secrets/default.nix b/krebs/5pkgs/simple/generate-secrets/default.nix
index a3c9f67c5..8522b5dda 100644
--- a/krebs/5pkgs/simple/generate-secrets/default.nix
+++ b/krebs/5pkgs/simple/generate-secrets/default.nix
@@ -39,7 +39,7 @@ pkgs.writers.writeDashBin "generate-secrets" ''
};
};
};
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.privkey.path = "\''${config.krebs.secret.directory}/ssh.id_ed25519";
ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
};
EOF
diff --git a/lib/types.nix b/lib/types.nix
index 5f01ccb52..ad8421b18 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -340,7 +340,7 @@ rec {
};
source-path = mkOption {
type = str;
- default = toString <secrets> + "/${config.name}";
+ default = config.name;
defaultText = "‹secrets/‹name››";
};
};
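Review bot: `defaultText` at L294 still reads `‹secrets/‹name››` while the default at L293 is now the bare `config.name`, so the rendered option documentation describes the resolved path rather than the actual default. Suggest `defaultText = "‹name›";` together with a comment `# a relative name is resolved against krebs.secret.directory by the krebs.secret.files apply function`, since the resolution now happens elsewhere and a reader of this type alone cannot see it. Any consumer that reads `source-path` from a secret-file that did not pass through `krebs.secret.files` now receives a relative name where it previously received an absolute path; that is worth checking where this type is used outside that option.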
diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix
index 66d740715..5b4e75107 100644
--- a/tv/2configs/binary-cache/default.nix
+++ b/tv/2configs/binary-cache/default.nix
@@ -11,7 +11,7 @@
services.nix-serve = {
enable = true;
- secretKeyFile = toString <secrets> + "/nix-serve.key";
+ secretKeyFile = "${config.krebs.secret.directory}/nix-serve.key";
};
services.nginx = {
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index a8d840c15..91aad54cf 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -10,7 +10,6 @@ with import ./lib;
networking.hostName = config.krebs.build.host.name;
imports = [
- <secrets>
./backup.nix
./bash
./htop.nix
@@ -28,6 +27,11 @@ with import ./lib;
defaultUserShell = "/run/current-system/sw/bin/bash";
mutableUsers = false;
users = {
+ root = {
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.tv.pubkey
+ ];
+ };
tv = {
inherit (config.krebs.users.tv) home uid;
isNormalUser = true;
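Review bot: The `root` block added at L323–L327 grants tv's SSH public key direct root login on every host that imports this file, which is a change in access scope rather than the path rewrite the commit message describes; nothing in the hunk shows whether sshd permits root logins, so the effect depends on `PermitRootLogin` being set elsewhere. If this replaces something the removed `<secrets>` module import used to provide, a comment saying so would help, e.g. `# root SSH access via tv's key; formerly supplied by the <secrets> module`. Confirm that a password-less root login policy is intended on all importing hosts rather than only where it was previously configured.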
diff --git a/tv/2configs/gitrepos.nix b/tv/2configs/gitrepos.nix
index 58dffe6a6..102d264b6 100644
--- a/tv/2configs/gitrepos.nix
+++ b/tv/2configs/gitrepos.nix
@@ -178,9 +178,7 @@ with import ./lib;
'';
};
};
- } //
- # TODO don't put secrets/repos.nix into the store
- import <secrets/repos.nix> { inherit config lib pkgs; }
+ }
);
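Review bot: Removing the `import <secrets/repos.nix>` merge at L339–L341 silently drops every repository that file defined, and nothing in this commit's diffstat adds a replacement, so any private repos previously served from there stop being configured without any evaluation error. If those repos are still needed, they would have to be supplied through an option (for example a `tv.git.extraRepos` merged here, populated from a module in `config.krebs.secret.directory`); if they are intentionally retired, the commit message should say so. The surrounding expression begins and ends outside the hunk.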
irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate {
diff --git a/tv/2configs/initrd/sshd.nix b/tv/2configs/initrd/sshd.nix
index eff848074..d7264f073 100644
--- a/tv/2configs/initrd/sshd.nix
+++ b/tv/2configs/initrd/sshd.nix
@@ -12,6 +12,6 @@
ignoreEmptyHostKeys = true;
};
boot.initrd.secrets = {
- "/etc/ssh/ssh_host_rsa_key" = <secrets/initrd/ssh_host_rsa_key>;
+ "/etc/ssh/ssh_host_rsa_key" = "${config.krebs.secret.directory}/initrd/ssh_host_rsa_key";
};
}
diff --git a/tv/2configs/ppp.nix b/tv/2configs/ppp.nix
index 24d2831c4..b3ae4da89 100644
--- a/tv/2configs/ppp.nix
+++ b/tv/2configs/ppp.nix
@@ -1,7 +1,7 @@
with import ./lib;
{ config, pkgs, ... }: let
cfg = {
- pin = "@${toString <secrets/o2.pin>}";
+ pin = "@${config.krebs.secret.directory}/o2.pin";
ttys.ppp = "/dev/ttyACM0";
ttys.com = "/dev/ttyACM1";
};
diff --git a/tv/2configs/wiregrill.nix b/tv/2configs/wiregrill.nix
index edf65e979..cace01a6b 100644
--- a/tv/2configs/wiregrill.nix
+++ b/tv/2configs/wiregrill.nix
@@ -12,7 +12,7 @@ in
optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++
optional (cfg.net.ip6 != null) cfg.net.ip6.addr;
listenPort = 51820;
- privateKeyFile = (toString <secrets>) + "/wiregrill.key";
+ privateKeyFile = "${config.krebs.secret.directory}/wiregrill.key";
allowedIPsAsRoutes = true;
peers = mapAttrsToList
(_: host: {
diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix
index 4a0f99503..1fdcea572 100644
--- a/tv/3modules/charybdis/default.nix
+++ b/tv/3modules/charybdis/default.nix
@@ -17,11 +17,11 @@ in {
};
ssl_dh_params = mkOption {
type = types.absolute-pathname;
- default = toString <secrets> + "/charybdis.dh.pem";
+ default = "${config.krebs.secret.directory}/charybdis.dh.pem";
};
ssl_private_key = mkOption {
type = types.absolute-pathname;
- default = toString <secrets> + "/charybdis.key.pem";
+ default = "${config.krebs.secret.directory}/charybdis.key.pem";
};
sslport = mkOption {
type = types.int;
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index 71a1a597a..61fd8fdf1 100644
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@@ -20,7 +20,7 @@ in {
certfiles = mkOption {
type = types.listOf types.absolute-pathname;
default = [
- (toString <secrets> + "/ejabberd.pem")
+ "${config.krebs.secret.directory}/ejabberd.pem"
];
};
configFile = mkOption {
diff --git a/tv/3modules/wwan.nix b/tv/3modules/wwan.nix
index 382f5a535..0cdfbf36c 100644
--- a/tv/3modules/wwan.nix
+++ b/tv/3modules/wwan.nix
@@ -19,7 +19,7 @@ with import ./lib;
};
tv.wwan.secrets = mkOption {
type = with types; pathname;
- default = toString <secrets/wwan.json>;
+ default = "${config.krebs.secret.directory}/wwan.json";
# format: {"pin1":number}
};
};
diff --git a/tv/3modules/x0vncserver.nix b/tv/3modules/x0vncserver.nix
index eb9b1ae4e..c8e23d06e 100644
--- a/tv/3modules/x0vncserver.nix
+++ b/tv/3modules/x0vncserver.nix
@@ -9,7 +9,7 @@ in {
};
enable = mkEnableOption "tv.x0vncserver";
pwfile = mkOption {
- default = toString <secrets> + "/vncpasswd";
+ default = "${config.krebs.secret.directory}/vncpasswd";
description = ''
Use vncpasswd to edit pwfile.
See: nix-shell -p tigervnc --run 'man vncpasswd'