From 234d9d96bf749c67add1339d37706bc07153d5f8 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Dec 2021 00:49:30 +0100 Subject: krebs.systemd: allow LoadCredential to be a string --- krebs/3modules/systemd.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix index 0ce44391..294f80a3 100644 --- a/krebs/3modules/systemd.nix +++ b/krebs/3modules/systemd.nix @@ -31,7 +31,8 @@ lib.types.absolute-pathname.check (map (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ]) - config.systemd.services.${serviceName}.serviceConfig.LoadCredential); + (lib.toList + config.systemd.services.${serviceName}.serviceConfig.LoadCredential)); } ) config.krebs.systemd.services; -- cgit v1.2.3 From 71d11e8f2b377d3aade73faae129811bba922315 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Dec 2021 00:49:02 +0100 Subject: repo-sync: add group --- krebs/3modules/repo-sync.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'krebs') diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix index 0312c62f..488cc4dd 100644 --- a/krebs/3modules/repo-sync.nix +++ b/krebs/3modules/repo-sync.nix @@ -148,10 +148,13 @@ let users.users.${cfg.user.name} = { inherit (cfg.user) home name uid; createHome = true; + group = cfg.user.name; description = "repo-sync user"; isSystemUser = true; }; + users.groups.${cfg.user.name} = {}; + systemd.timers = mapAttrs' (name: repo: nameValuePair "repo-sync-${name}" { description = "repo-sync timer"; -- cgit v1.2.3 From 7219292dd59e22d94ec9d2a204a841cb44da0daa Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Dec 2021 00:47:41 +0100 Subject: repo-sync: use LoadCredential --- krebs/3modules/repo-sync.nix | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix index 488cc4dd..c4cfb9a4 100644 --- a/krebs/3modules/repo-sync.nix +++ b/krebs/3modules/repo-sync.nix @@ -122,13 +122,9 @@ let }; privateKeyFile = mkOption { - type = types.secret-file; - default = { - name = "repo-sync-key"; - path = "${cfg.stateDir}/ssh.priv"; - owner = cfg.user; - source-path = toString + "/repo-sync.ssh.key"; - }; + type = types.absolute-pathname; + default = toString + "/repo-sync.ssh.key"; + defaultText = "‹secrets/repo-sync.ssh.key›"; }; unitConfig = mkOption { @@ -144,7 +140,6 @@ let }; imp = { - krebs.secret.files.repo-sync-key = cfg.privateKeyFile; users.users.${cfg.user.name} = { inherit (cfg.user) home name uid; createHome = true; @@ -163,6 +158,10 @@ let } ) cfg.repos; + krebs.systemd.services = mapAttrs' (name: _: + nameValuePair "repo-sync-${name}" {} + ) cfg.repos; + systemd.services = mapAttrs' (name: repo: let repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json" @@ -171,16 +170,10 @@ let }); in nameValuePair "repo-sync-${name}" { description = "repo-sync"; - after = [ - config.krebs.secret.files.repo-sync-key.service - "network.target" - ]; - partOf = [ - config.krebs.secret.files.repo-sync-key.service - ]; + after = [ "network.target" ]; environment = { - GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}"; + GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh_key"; REPONAME = "${name}.git"; }; @@ -188,6 +181,7 @@ let serviceConfig = { Type = "simple"; PermissionsStartOnly = true; + LoadCredential = "ssh_key:${cfg.privateKeyFile}"; ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}"; WorkingDirectory = cfg.stateDir; User = "repo-sync"; -- cgit v1.2.3 From b33381d15edbce2e31a0e15dc1ddab71d8fa8981 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Dec 2021 09:22:41 +0100 Subject: exim-smarthost: use LoadCredential --- krebs/3modules/exim-smarthost.nix | 34 +++++++--------------------------- 1 file changed, 7 insertions(+), 27 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 4eb1d641..0084886f 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -24,13 +24,8 @@ let type = types.str; }; private_key = mkOption { - type = types.secret-file; - default = { - name = "exim.dkim_private_key/${config.domain}"; - path = "/run/krebs.secret/${config.domain}.dkim_private_key"; - owner.name = "exim"; - source-path = toString + "/${config.domain}.dkim.priv"; - }; + type = types.absolute-pathname; + default = toString + "/${config.domain}.dkim.priv"; defaultText = "‹secrets/‹domain›.dkim.priv›"; }; selector = mkOption { @@ -111,24 +106,13 @@ let }; imp = { - krebs.secret.files = listToAttrs (flip map cfg.dkim (dkim: { - name = "exim.dkim_private_key/${dkim.domain}"; - value = dkim.private_key; - })); - systemd.services = mkIf (cfg.dkim != []) { - exim = { - after = flip map cfg.dkim (dkim: - config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service - ); - partOf = flip map cfg.dkim (dkim: - config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service - ); - }; - }; + krebs.systemd.services.exim = {}; + systemd.services.exim.serviceConfig.LoadCredential = + map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim; krebs.exim = { enable = true; config = /* exim */ '' - keep_environment = + keep_environment = CREDENTIALS_DIRECTORY primary_hostname = ${cfg.primary_hostname} @@ -242,7 +226,7 @@ let ${optionalString (cfg.dkim != []) (indent /* exim */ '' dkim_canon = relaxed dkim_domain = $sender_address_domain - dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}} + dkim_private_key = ''${lookup{$sender_address_domain.dkim_private_key}dsearch,ret=full{''${env{CREDENTIALS_DIRECTORY}{$value}fail}}} dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}} '')} helo_data = ''${if eq{$acl_m_special_dom}{} \ @@ -281,10 +265,6 @@ let inherit (cfg) internet-aliases; inherit (cfg) system-aliases; } // optionalAttrs (cfg.dkim != []) { - dkim_private_key = flip map cfg.dkim (dkim: { - from = dkim.domain; - to = dkim.private_key.path; - }); dkim_selector = flip map cfg.dkim (dkim: { from = dkim.domain; to = dkim.selector; -- cgit v1.2.3 From 969bd9767ea91aa9f2487285bed8f5f1fdd50aa3 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Dec 2021 10:19:13 +0100 Subject: exim-smarthost: dkim_strict = true --- krebs/3modules/exim-smarthost.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'krebs') diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 0084886f..fe149448 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -228,6 +228,7 @@ let dkim_domain = $sender_address_domain dkim_private_key = ''${lookup{$sender_address_domain.dkim_private_key}dsearch,ret=full{''${env{CREDENTIALS_DIRECTORY}{$value}fail}}} dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}} + dkim_strict = true '')} helo_data = ''${if eq{$acl_m_special_dom}{} \ {$primary_hostname} \ -- cgit v1.2.3