krebs: <secret -> krebs.secret.directory
This commit is contained in:
lassulus
parent
39c4ee8f92
commit
083229d021
@ -24,7 +24,7 @@ in {
|
||||
path = "/var/lib/step-ca/intermediate_ca.key";
|
||||
owner.name = "root";
|
||||
mode = "1444";
|
||||
source-path = builtins.toString <secrets> + "/acme_ca.key";
|
||||
source-path = "${config.krebs.secret.directory}/acme_ca.key";
|
||||
};
|
||||
services.step-ca = {
|
||||
enable = true;
|
||||
|
||||
@ -108,7 +108,7 @@ in {
|
||||
krebs.secret.files.calendar = {
|
||||
path = "/var/lib/radicale/.ssh/id_ed25519";
|
||||
owner = { name = "radicale"; };
|
||||
source-path = "${<secrets/radicale.id_ed25519>}";
|
||||
source-path = "${config.krebs.secret.directory}/radicale.id_ed25519";
|
||||
};
|
||||
|
||||
security.sudo.extraConfig = ''
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
{ config, ... }:
|
||||
{
|
||||
krebs.sync-containers3.containers.hotdog = {
|
||||
sshKey = "${toString <secrets>}/hotdog.sync.key";
|
||||
sshKey = "${config.krebs.secret.directory}/hotdog.sync.key";
|
||||
};
|
||||
containers.hotdog.bindMounts."/var/lib" = {
|
||||
hostPath = "/var/lib/sync-containers3/hotdog/state";
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
{ config, ... }:
|
||||
{
|
||||
krebs.sync-containers3.containers.news = {
|
||||
sshKey = "${toString <secrets>}/news.sync.key";
|
||||
sshKey = "${config.krebs.secret.directory}/news.sync.key";
|
||||
};
|
||||
}
|
||||
|
||||
@ -98,7 +98,7 @@ in {
|
||||
krebs.secret.files.konsens = {
|
||||
path = "/var/lib/konsens/.ssh/id_ed25519";
|
||||
owner = konsens-user;
|
||||
source-path = "${<secrets/konsens.id_ed25519>}";
|
||||
source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>";
|
||||
};
|
||||
|
||||
imports = [
|
||||
|
||||
@ -10,8 +10,8 @@ in {
|
||||
services.syncthing = {
|
||||
enable = true;
|
||||
configDir = "/var/lib/syncthing";
|
||||
key = toString <secrets/syncthing.key>;
|
||||
cert = toString <secrets/syncthing.cert>;
|
||||
key = "${config.krebs.secret.directory}/syncthing.key";
|
||||
cert = "${config.krebs.secret.directory}/syncthing.cert";
|
||||
# workaround for infinite recursion on unstable, remove in 23.11
|
||||
} // (if builtins.hasAttr "settings" options.services.syncthing then
|
||||
{ settings.devices = mk_peers used_peers; }
|
||||
|
||||
@ -13,12 +13,12 @@
|
||||
config.krebs.users.makefu.pubkey
|
||||
config.krebs.users.tv.pubkey
|
||||
];
|
||||
hostKeys = [ <secrets/initrd/openssh_host_ecdsa_key> ];
|
||||
hostKeys = [ "${config.krebs.secret.directory}/initrd/openssh_host_ecdsa_key" ];
|
||||
};
|
||||
boot.initrd.availableKernelModules = [ "e1000e" ];
|
||||
|
||||
boot.initrd.secrets = {
|
||||
"/etc/tor/onion/bootup" = <secrets/initrd>;
|
||||
"/etc/tor/onion/bootup" = "${config.krebs.secret.directory}/initrd";
|
||||
};
|
||||
|
||||
boot.initrd.extraUtilsCommands = ''
|
||||
|
||||
@ -96,7 +96,7 @@ in
|
||||
krebs.secret.files.gollum = {
|
||||
path = "${config.services.gollum.stateDir}/.ssh/id_ed25519";
|
||||
owner = { name = "gollum"; };
|
||||
source-path = "${<secrets/gollum.id_ed25519>}";
|
||||
source-path = "${config.krebs.secret.directory}/gollum.id_ed25519";
|
||||
};
|
||||
|
||||
security.sudo.extraConfig = ''
|
||||
|
||||
@ -20,14 +20,14 @@ let
|
||||
};
|
||||
|
||||
dkim = mkOption {
|
||||
type = types.listOf (types.submodule ({ config, ... }: {
|
||||
type = types.listOf (types.submodule (dkim: {
|
||||
options = {
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
private_key = mkOption {
|
||||
type = types.absolute-pathname;
|
||||
default = toString <secrets> + "/${config.domain}.dkim.priv";
|
||||
default = "${config.krebs.secret.directory}/${dkim.config.domain}.dkim.priv";
|
||||
defaultText = "‹secrets/‹domain›.dkim.priv›";
|
||||
};
|
||||
selector = mkOption {
|
||||
|
||||
@ -22,7 +22,7 @@ let
|
||||
};
|
||||
ssh-identity-file = mkOption {
|
||||
type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
|
||||
default = toString <secrets/github-hosts-sync.ssh.id_ed25519>;
|
||||
default = "${config.krebs.secret.directory}/github-hosts-sync.ssh.id_ed25519";
|
||||
defaultText = "‹secrets/github-hosts-sync.ssh.id_ed25519›";
|
||||
};
|
||||
url = mkOption {
|
||||
|
||||
@ -123,7 +123,7 @@ let
|
||||
|
||||
privateKeyFile = mkOption {
|
||||
type = types.absolute-pathname;
|
||||
default = toString <secrets> + "/repo-sync.ssh.key";
|
||||
default = "${config.krebs.secret.directory}/repo-sync.ssh.key";
|
||||
defaultText = "‹secrets/repo-sync.ssh.key›";
|
||||
};
|
||||
|
||||
|
||||
@ -14,12 +14,12 @@ in
|
||||
sslCertificate = mkOption {
|
||||
type = types.str;
|
||||
description = "Certificate file to use for ssl";
|
||||
default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
|
||||
default = "${config.krebs.secret.directory}/tinc.krebsco.de.crt" ;
|
||||
};
|
||||
sslCertificateKey = mkOption {
|
||||
type = types.str;
|
||||
description = "Certificate key to use for ssl";
|
||||
default = "${toString <secrets>}/tinc.krebsco.de.key";
|
||||
default = "${config.krebs.secret.directory}/tinc.krebsco.de.key";
|
||||
};
|
||||
# in use:
|
||||
# <secrets/tinc.krebsco.de.crt>
|
||||
|
||||
@ -149,7 +149,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
|
||||
|
||||
privkey = mkOption {
|
||||
type = types.absolute-pathname;
|
||||
default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
|
||||
default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv";
|
||||
defaultText = "‹secrets/‹netname›.rsa_key.priv›";
|
||||
};
|
||||
|
||||
@ -158,7 +158,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
|
||||
default =
|
||||
if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null
|
||||
then null
|
||||
else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
|
||||
else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv";
|
||||
defaultText = "‹secrets/‹netname›.ed25519_key.priv›";
|
||||
};
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user