From 083229d0211096daec08673f743ccc45b1d8a0ac Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 7 Sep 2023 19:00:57 +0200 Subject: [PATCH] krebs: krebs.secret.directory --- krebs/2configs/acme.nix | 2 +- krebs/2configs/cal.nix | 2 +- krebs/2configs/hotdog-host.nix | 3 ++- krebs/2configs/news-host.nix | 3 ++- krebs/2configs/repo-sync.nix | 2 +- krebs/2configs/syncthing.nix | 4 ++-- krebs/2configs/tor/initrd.nix | 4 ++-- krebs/2configs/wiki.nix | 2 +- krebs/3modules/exim-smarthost.nix | 4 ++-- krebs/3modules/github/hosts-sync.nix | 2 +- krebs/3modules/repo-sync.nix | 2 +- krebs/3modules/retiolum-bootstrap.nix | 4 ++-- krebs/3modules/tinc.nix | 4 ++-- 13 files changed, 20 insertions(+), 18 deletions(-) diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix index 056aa7ae4..0b9cb91af 100644 --- a/krebs/2configs/acme.nix +++ b/krebs/2configs/acme.nix @@ -24,7 +24,7 @@ in { path = "/var/lib/step-ca/intermediate_ca.key"; owner.name = "root"; mode = "1444"; - source-path = builtins.toString + "/acme_ca.key"; + source-path = "${config.krebs.secret.directory}/acme_ca.key"; }; services.step-ca = { enable = true; diff --git a/krebs/2configs/cal.nix b/krebs/2configs/cal.nix index a1fe47b5d..1a0cdf019 100644 --- a/krebs/2configs/cal.nix +++ b/krebs/2configs/cal.nix @@ -108,7 +108,7 @@ in { krebs.secret.files.calendar = { path = "/var/lib/radicale/.ssh/id_ed25519"; owner = { name = "radicale"; }; - source-path = "${}"; + source-path = "${config.krebs.secret.directory}/radicale.id_ed25519"; }; security.sudo.extraConfig = '' diff --git a/krebs/2configs/hotdog-host.nix b/krebs/2configs/hotdog-host.nix index 95d70376b..ab2b22b7c 100644 --- a/krebs/2configs/hotdog-host.nix +++ b/krebs/2configs/hotdog-host.nix @@ -1,6 +1,7 @@ +{ config, ... }: { krebs.sync-containers3.containers.hotdog = { - sshKey = "${toString }/hotdog.sync.key"; + sshKey = "${config.krebs.secret.directory}/hotdog.sync.key"; }; containers.hotdog.bindMounts."/var/lib" = { hostPath = "/var/lib/sync-containers3/hotdog/state"; diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix index 71793e518..81922ef87 100644 --- a/krebs/2configs/news-host.nix +++ b/krebs/2configs/news-host.nix @@ -1,5 +1,6 @@ +{ config, ... }: { krebs.sync-containers3.containers.news = { - sshKey = "${toString }/news.sync.key"; + sshKey = "${config.krebs.secret.directory}/news.sync.key"; }; } diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix index 1b72924a6..a488fdfea 100644 --- a/krebs/2configs/repo-sync.nix +++ b/krebs/2configs/repo-sync.nix @@ -98,7 +98,7 @@ in { krebs.secret.files.konsens = { path = "/var/lib/konsens/.ssh/id_ed25519"; owner = konsens-user; - source-path = "${}"; + source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>"; }; imports = [ diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix index 59178516c..90ae66f6e 100644 --- a/krebs/2configs/syncthing.nix +++ b/krebs/2configs/syncthing.nix @@ -10,8 +10,8 @@ in { services.syncthing = { enable = true; configDir = "/var/lib/syncthing"; - key = toString ; - cert = toString ; + key = "${config.krebs.secret.directory}/syncthing.key"; + cert = "${config.krebs.secret.directory}/syncthing.cert"; # workaround for infinite recursion on unstable, remove in 23.11 } // (if builtins.hasAttr "settings" options.services.syncthing then { settings.devices = mk_peers used_peers; } diff --git a/krebs/2configs/tor/initrd.nix b/krebs/2configs/tor/initrd.nix index 98ed039b4..21c46a0a7 100644 --- a/krebs/2configs/tor/initrd.nix +++ b/krebs/2configs/tor/initrd.nix @@ -13,12 +13,12 @@ config.krebs.users.makefu.pubkey config.krebs.users.tv.pubkey ]; - hostKeys = [ ]; + hostKeys = [ "${config.krebs.secret.directory}/initrd/openssh_host_ecdsa_key" ]; }; boot.initrd.availableKernelModules = [ "e1000e" ]; boot.initrd.secrets = { - "/etc/tor/onion/bootup" = ; + "/etc/tor/onion/bootup" = "${config.krebs.secret.directory}/initrd"; }; boot.initrd.extraUtilsCommands = '' diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix index a227ceb4a..4b0bf9768 100644 --- a/krebs/2configs/wiki.nix +++ b/krebs/2configs/wiki.nix @@ -96,7 +96,7 @@ in krebs.secret.files.gollum = { path = "${config.services.gollum.stateDir}/.ssh/id_ed25519"; owner = { name = "gollum"; }; - source-path = "${}"; + source-path = "${config.krebs.secret.directory}/gollum.id_ed25519"; }; security.sudo.extraConfig = '' diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 093ae2030..4e42ce72e 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -20,14 +20,14 @@ let }; dkim = mkOption { - type = types.listOf (types.submodule ({ config, ... }: { + type = types.listOf (types.submodule (dkim: { options = { domain = mkOption { type = types.str; }; private_key = mkOption { type = types.absolute-pathname; - default = toString + "/${config.domain}.dkim.priv"; + default = "${config.krebs.secret.directory}/${dkim.config.domain}.dkim.priv"; defaultText = "‹secrets/‹domain›.dkim.priv›"; }; selector = mkOption { diff --git a/krebs/3modules/github/hosts-sync.nix b/krebs/3modules/github/hosts-sync.nix index 6f9aee0ce..2f373f9bc 100644 --- a/krebs/3modules/github/hosts-sync.nix +++ b/krebs/3modules/github/hosts-sync.nix @@ -22,7 +22,7 @@ let }; ssh-identity-file = mkOption { type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"]; - default = toString ; + default = "${config.krebs.secret.directory}/github-hosts-sync.ssh.id_ed25519"; defaultText = "‹secrets/github-hosts-sync.ssh.id_ed25519›"; }; url = mkOption { diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix index a6de3f3f6..5208d91ae 100644 --- a/krebs/3modules/repo-sync.nix +++ b/krebs/3modules/repo-sync.nix @@ -123,7 +123,7 @@ let privateKeyFile = mkOption { type = types.absolute-pathname; - default = toString + "/repo-sync.ssh.key"; + default = "${config.krebs.secret.directory}/repo-sync.ssh.key"; defaultText = "‹secrets/repo-sync.ssh.key›"; }; diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index c9ea8a619..bd7e7c5f6 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix @@ -14,12 +14,12 @@ in sslCertificate = mkOption { type = types.str; description = "Certificate file to use for ssl"; - default = "${toString }/tinc.krebsco.de.crt" ; + default = "${config.krebs.secret.directory}/tinc.krebsco.de.crt" ; }; sslCertificateKey = mkOption { type = types.str; description = "Certificate key to use for ssl"; - default = "${toString }/tinc.krebsco.de.key"; + default = "${config.krebs.secret.directory}/tinc.krebsco.de.key"; }; # in use: # diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 2f9efad46..9df368cfb 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -149,7 +149,7 @@ with import ../../lib/pure.nix { inherit lib; }; { privkey = mkOption { type = types.absolute-pathname; - default = toString + "/${tinc.config.netname}.rsa_key.priv"; + default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv"; defaultText = "‹secrets/‹netname›.rsa_key.priv›"; }; @@ -158,7 +158,7 @@ with import ../../lib/pure.nix { inherit lib; }; { default = if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null then null - else toString + "/${tinc.config.netname}.ed25519_key.priv"; + else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv"; defaultText = "‹secrets/‹netname›.ed25519_key.priv›"; };