From 5370e0485788224126861e076110ac705013d2de Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 11 Sep 2023 15:31:13 +0200 Subject: [PATCH] treewide: don't reference explicitly --- kartei/makefu/default.nix | 2 +- kartei/tv/default.nix | 2 +- krebs/1systems/hotdog/config.nix | 2 +- krebs/1systems/puyak/config.nix | 2 +- krebs/1systems/wolf/config.nix | 2 +- krebs/2configs/cache.nsupdate.info.nix | 2 +- krebs/2configs/matterbridge.nix | 2 +- krebs/2configs/secret-passwords.nix | 4 ++-- krebs/2configs/shack/gitlab-runner.nix | 4 ++-- krebs/2configs/shack/grafana.nix | 5 ++--- krebs/2configs/shack/muell_caller.nix | 2 +- krebs/2configs/shack/muell_mail.nix | 2 +- krebs/2configs/shack/prometheus/unifi.nix | 2 +- krebs/2configs/shack/s3-power.nix | 2 +- krebs/3modules/retiolum-bootstrap.nix | 4 ++-- krebs/3modules/secret.nix | 12 ++++++++---- krebs/5pkgs/simple/generate-secrets/default.nix | 2 +- lib/types.nix | 2 +- tv/2configs/binary-cache/default.nix | 2 +- tv/2configs/default.nix | 6 +++++- tv/2configs/gitrepos.nix | 4 +--- tv/2configs/initrd/sshd.nix | 2 +- tv/2configs/ppp.nix | 2 +- tv/2configs/wiregrill.nix | 2 +- tv/3modules/charybdis/default.nix | 4 ++-- tv/3modules/ejabberd/default.nix | 2 +- tv/3modules/wwan.nix | 2 +- tv/3modules/x0vncserver.nix | 2 +- 28 files changed, 44 insertions(+), 39 deletions(-) diff --git a/kartei/makefu/default.nix b/kartei/makefu/default.nix index e6c296c75..f215f1fcb 100644 --- a/kartei/makefu/default.nix +++ b/kartei/makefu/default.nix @@ -51,7 +51,7 @@ ssh.pubkey = readFile pubkey-path; # We assume that if the sshd pubkey exits then there must be a privkey in # the screts store as well - ssh.privkey.path = ; + ssh.privkey.path = "${config.krebs.secret.directory}/ssh_host_ed25519_key"; }) host ]; diff --git a/kartei/tv/default.nix b/kartei/tv/default.nix index 2f23324cc..e81bdd32b 100644 --- a/kartei/tv/default.nix +++ b/kartei/tv/default.nix 
@@ -43,7 +43,7 @@ in { }) (host: mkIf (host.config.ssh.pubkey != null) { ssh.privkey = mapAttrs (const mkDefault) { - path = config.krebs.secret.file "ssh.id_${host.config.ssh.privkey.type}"; + path = "${config.krebs.secret.directory}/ssh.id_${host.config.ssh.privkey.type}"; type = head (toList (builtins.match "ssh-([^ ]+) .*" host.config.ssh.pubkey)); }; }) diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index f3c0d4440..75a8a0da1 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -22,7 +22,7 @@ ]; krebs.build.host = config.krebs.hosts.hotdog; - krebs.hosts.hotdog.ssh.privkey.path = ; + krebs.hosts.hotdog.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519"; krebs.pages.enable = true; boot.isContainer = true; diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index a4f22d39c..fb0f6ec61 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -113,7 +113,7 @@ ]; krebs.build.host = config.krebs.hosts.puyak; - krebs.hosts.puyak.ssh.privkey.path = ; + krebs.hosts.puyak.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519"; sound.enable = false; boot = { diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix index 2415bd32f..6ff280f79 100644 --- a/krebs/1systems/wolf/config.nix +++ b/krebs/1systems/wolf/config.nix @@ -51,7 +51,7 @@ in # uninteresting stuff ##################### krebs.build.host = config.krebs.hosts.wolf; - krebs.hosts.wolf.ssh.privkey.path = ; + krebs.hosts.wolf.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519"; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix index 74f345614..1ac63eaf5 100644 --- a/krebs/2configs/cache.nsupdate.info.nix +++ b/krebs/2configs/cache.nsupdate.info.nix 
@@ -9,7 +9,7 @@ in { enable = true; server = "ipv4.nsupdate.info"; username = domain; - password = import ((toString ) + "/nsupdate-cache.nix"); + password = import "${config.krebs.secret.directory}/nsupdate-cache.nix"; domains = [ domain ]; use= "if, if=et0"; # use = "web, web=http://ipv4.nsupdate.info/myip"; diff --git a/krebs/2configs/matterbridge.nix b/krebs/2configs/matterbridge.nix index b96dea300..f42921824 100644 --- a/krebs/2configs/matterbridge.nix +++ b/krebs/2configs/matterbridge.nix @@ -2,7 +2,7 @@ services.matterbridge = { enable = true; configPath = let - bridgeBotToken = lib.strings.fileContents ; + bridgeBotToken = lib.strings.fileContents "${config.krebs.secret.directory}/telegram.token"; in toString ((pkgs.formats.toml {}).generate "config.toml" { general = { diff --git a/krebs/2configs/secret-passwords.nix b/krebs/2configs/secret-passwords.nix index 0f0d068aa..531d570cc 100644 --- a/krebs/2configs/secret-passwords.nix +++ b/krebs/2configs/secret-passwords.nix @@ -1,7 +1,7 @@ -{ lib, ... }: +{ config, lib, ... }: with lib; { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) - (import ); + (import "${config.krebs.secret.directory}/hashedPasswords.nix"); } diff --git a/krebs/2configs/shack/gitlab-runner.nix b/krebs/2configs/shack/gitlab-runner.nix index d525e7987..a27fe29ae 100644 --- a/krebs/2configs/shack/gitlab-runner.nix +++ b/krebs/2configs/shack/gitlab-runner.nix @@ -1,4 +1,4 @@ -{ pkgs,lib, ... }: +{ config, lib, pkgs, ... }: { boot.kernel.sysctl."net.ipv4.ip_forward" = true; services.gitlab-runner = { @@ -10,7 +10,7 @@ # File should contain at least these two variables: # `CI_SERVER_URL` # `REGISTRATION_TOKEN` - registrationConfigFile = toString ; + registrationConfigFile = "${config.krebs.secret.directory}/shackspace-gitlab-ci"; dockerImage = "alpine"; dockerVolumes = [ "/nix/store:/nix/store:ro" diff --git a/krebs/2configs/shack/grafana.nix b/krebs/2configs/shack/grafana.nix index f42f1c4af..78ef29f97 100644 
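Review bot: In krebs/2configs/matterbridge.nix, `bridgeBotToken = lib.strings.fileContents "${config.krebs.secret.directory}/telegram.token";` still reads the bot token at evaluation time and interpolates it into the TOML that `pkgs.formats.toml` generates, so the token ends up in a world-readable `/nix/store` path; the rewrite changes how the file is located, not where the secret lands. If the token has to stay out of the store, render config.toml at service start (a template substituted in `preStart`/`ExecStartPre`, or an `EnvironmentFile` if the matterbridge build in use reads tokens from the environment). At minimum a comment on the line such as `# NOTE: read at eval time; the token is copied into the store with config.toml` would make the trade-off explicit. This behaviour predates the commit; the note is about the new line preserving it.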
--- a/krebs/2configs/shack/grafana.nix +++ b/krebs/2configs/shack/grafana.nix @@ -1,7 +1,6 @@ -let +{ config, ... }: let port = 3000; in { - networking.firewall.allowedTCPPorts = [ port ]; # legacy services.nginx.virtualHosts."grafana.shack" = { locations."/" = { @@ -25,6 +24,6 @@ in { users.allowOrgCreate = true; users.autoAssignOrg = true; auth.anonymous.enable = true; - security = import ; + security = import "${config.krebs.secret.directory}/grafana_security.nix"; }; } diff --git a/krebs/2configs/shack/muell_caller.nix b/krebs/2configs/shack/muell_caller.nix index f3007dd1d..ea335f233 100644 --- a/krebs/2configs/shack/muell_caller.nix +++ b/krebs/2configs/shack/muell_caller.nix @@ -21,7 +21,7 @@ let install -m755 -D call.py $out/bin/call-muell ''; }; - cfg = "${toString }/tell.json"; + cfg = "${config.krebs.secret.directory}/tell.json"; in { systemd.services.call_muell = { description = "call muell"; diff --git a/krebs/2configs/shack/muell_mail.nix b/krebs/2configs/shack/muell_mail.nix index 2a8c92e46..69bc33e46 100644 --- a/krebs/2configs/shack/muell_mail.nix +++ b/krebs/2configs/shack/muell_mail.nix @@ -9,7 +9,7 @@ let sha256 = "0hgchwam5ma96s2v6mx2jfkh833psadmisjbm3k3153rlxp46frx"; }) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; }; home = "/var/lib/muell_mail"; - cfg = toString ; + cfg = "${config.krebs.secret.directory}/shack/muell_mail.js"; in { users.users.muell_mail = { inherit home; diff --git a/krebs/2configs/shack/prometheus/unifi.nix b/krebs/2configs/shack/prometheus/unifi.nix index 34e47add9..1e42779f0 100644 --- a/krebs/2configs/shack/prometheus/unifi.nix +++ b/krebs/2configs/shack/prometheus/unifi.nix 
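Review bot: The removal of `networking.firewall.allowedTCPPorts = [ port ]; # legacy` in krebs/2configs/shack/grafana.nix is a firewall change that has nothing to do with the commit's subject of replacing `<secrets>` references, and neither the subject nor the diffstat hints at it. Closing direct access to Grafana on port 3000 so that traffic goes through the nginx vhost defined just below is a reasonable hardening step, but it should be its own commit or at least be called out in the message, otherwise it gets lost in a mechanical path refactor and is hard to bisect if something stops reaching Grafana.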
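Review bot: `security = import "${config.krebs.secret.directory}/grafana_security.nix";` keeps the Grafana `security` section (presumably admin password and/or secret_key; the hunk does not show the file's keys) as a Nix value that is rendered into the generated grafana.ini in the store, so the commit changes where the secret file is found but not that its contents become world-readable on the host. If the grafana module in use supports the `$__file{...}` provider in `settings`, pointing those keys at files under `config.krebs.secret.directory` would keep them out of the store; otherwise record the trade-off with a comment like `# NOTE: imported at eval time, values are written into grafana.ini in /nix/store`. Given `auth.anonymous.enable = true;` a few lines up, the admin credentials are the main thing protecting this instance.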
@@ -5,6 +5,6 @@ unifiAddress = "https://unifi.shack:8443/"; unifiInsecure = true; unifiUsername = "prometheus"; # needed manual login after setup to confirm the password - unifiPassword = lib.replaceStrings ["\n"] [""] (builtins.readFile ); + unifiPassword = lib.replaceStrings ["\n"] [""] (builtins.readFile "${config.krebs.secret.directory}/shack/unifi-prometheus-pw"); }; } diff --git a/krebs/2configs/shack/s3-power.nix b/krebs/2configs/shack/s3-power.nix index d8033f1e2..e79d15d73 100644 --- a/krebs/2configs/shack/s3-power.nix +++ b/krebs/2configs/shack/s3-power.nix @@ -10,7 +10,7 @@ let }) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; }; home = "/var/lib/s3-power"; - cfg = toString ; + cfg = "${config.krebs.secret.directory}/shack/s3-power.json"; in { users.users.s3_power = { inherit home; diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index bd7e7c5f6..1e94df14e 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix @@ -22,8 +22,8 @@ in default = "${config.krebs.secret.directory}/tinc.krebsco.de.key"; }; # in use: - # - # + # ${config.krebs.secret.directory}/tinc.krebsco.de.crt + # ${config.krebs.secret.directory}/tinc.krebsco.de.key }; config = mkIf cfg.enable { diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix index 90c2f6a6d..c35dceba3 100644 --- a/krebs/3modules/secret.nix +++ b/krebs/3modules/secret.nix @@ -7,13 +7,17 @@ in { default = toString ; type = types.absolute-pathname; }; - file = mkOption { - default = relpath: "${cfg.directory}/${relpath}"; - readOnly = true; - }; files = mkOption { type = with pkgs.stockholm.lib.types; attrsOf secret-file; default = {}; + apply = mapAttrs (name: secret-file: + if types.absolute-pathname.check secret-file.source-path then + secret-file + else + secret-file // { + source-path = "${config.krebs.secret.directory}/secret-file.source-path"; + } + ); }; }; config = lib.mkIf (cfg.files != {}) { 
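Review bot: In the new `apply` in krebs/3modules/secret.nix, `source-path = "${config.krebs.secret.directory}/secret-file.source-path";` does not interpolate the attribute: the string literally ends in `/secret-file.source-path`, so every relative source-path (including the new `config.name` default introduced in lib/types.nix) resolves to the same nonexistent file. The intended line is almost certainly `source-path = "${config.krebs.secret.directory}/${secret-file.source-path}";`. Since `krebs.secret.files` is how host keys and similar are installed, this should surface as missing-file errors at activation on every host relying on the default, so a quick `nix eval` of one `config.krebs.secret.files.<name>.source-path` before merging would confirm it. The `name` binding in the lambda is unused and could be `_`.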
diff --git a/krebs/5pkgs/simple/generate-secrets/default.nix b/krebs/5pkgs/simple/generate-secrets/default.nix index a3c9f67c5..8522b5dda 100644 --- a/krebs/5pkgs/simple/generate-secrets/default.nix +++ b/krebs/5pkgs/simple/generate-secrets/default.nix @@ -39,7 +39,7 @@ pkgs.writers.writeDashBin "generate-secrets" '' }; }; }; - ssh.privkey.path = ; + ssh.privkey.path = "\''${config.krebs.secret.directory}/ssh.id_ed25519"; ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; }; EOF diff --git a/lib/types.nix b/lib/types.nix index 5f01ccb52..ad8421b18 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -340,7 +340,7 @@ rec { }; source-path = mkOption { type = str; - default = toString + "/${config.name}"; + default = config.name; defaultText = "‹secrets/‹name››"; }; }; diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix index 66d740715..5b4e75107 100644 --- a/tv/2configs/binary-cache/default.nix +++ b/tv/2configs/binary-cache/default.nix @@ -11,7 +11,7 @@ services.nix-serve = { enable = true; - secretKeyFile = toString + "/nix-serve.key"; + secretKeyFile = "${config.krebs.secret.directory}/nix-serve.key"; }; services.nginx = { diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index a8d840c15..91aad54cf 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -10,7 +10,6 @@ with import ./lib; networking.hostName = config.krebs.build.host.name; imports = [ - ./backup.nix ./bash ./htop.nix @@ -28,6 +27,11 @@ with import ./lib; defaultUserShell = "/run/current-system/sw/bin/bash"; mutableUsers = false; users = { + root = { + openssh.authorizedKeys.keys = [ + config.krebs.users.tv.pubkey + ]; + }; tv = { inherit (config.krebs.users.tv) home uid; isNormalUser = true; diff --git a/tv/2configs/gitrepos.nix b/tv/2configs/gitrepos.nix index 58dffe6a6..102d264b6 100644 --- a/tv/2configs/gitrepos.nix +++ b/tv/2configs/gitrepos.nix 
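Review bot: `ssh.privkey.path = "\''${config.krebs.secret.directory}/ssh.id_ed25519";` in generate-secrets relies on two layers of escaping: `''${` stops Nix from interpolating inside the indented string, and the leading backslash stops the heredoc (apparently unquoted, since `$(cat $TMPDIR/ssh.id_ed25519.pub)` is meant to expand) from expanding `${config...}`, so the emitted kartei file carries `${config.krebs.secret.directory}` verbatim. As far as I can tell that is correct, but it is easy to break in a later edit; a comment on the line such as `# ''${ escapes Nix interpolation, \ escapes the heredoc: emit a literal ${config.krebs.secret.directory}` would save the next person a round of debugging.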
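Review bot: `defaultText = "‹secrets/‹name››";` in lib/types.nix is now stale: the default became the bare `config.name`, a relative path that only turns absolute through the `apply` on `krebs.secret.files` in krebs/3modules/secret.nix. Update it to `defaultText = "‹name›";` (or `"‹krebs.secret.directory›/‹name›"` if the resolved value is what readers should see) and consider adding `description = "Source of the secret; relative paths are resolved against krebs.secret.directory.";`, because `type = str` no longer makes the relative/absolute distinction visible to someone reading the option.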
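Review bot: The new `root = { openssh.authorizedKeys.keys = [ config.krebs.users.tv.pubkey ]; };` in tv/2configs/default.nix (together with the `./backup.nix` import dropped in the preceding hunk) grants direct SSH login as root with tv's key on every host importing this module, which is unrelated to the commit's stated purpose of replacing `<secrets>` references and is not mentioned in the message. Whether root key login actually takes effect also depends on `services.openssh.settings.PermitRootLogin`, which is outside the hunk. These two changes deserve their own commit with a rationale, or at least a comment such as `# root login with tv's key: allows rebuild/recovery when the tv user is unusable` so the intent is recorded next to the key.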
@@ -178,9 +178,7 @@ with import ./lib; ''; }; }; - } // - # TODO don't put secrets/repos.nix into the store - import { inherit config lib pkgs; } + } ); irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate { diff --git a/tv/2configs/initrd/sshd.nix b/tv/2configs/initrd/sshd.nix index eff848074..d7264f073 100644 --- a/tv/2configs/initrd/sshd.nix +++ b/tv/2configs/initrd/sshd.nix @@ -12,6 +12,6 @@ ignoreEmptyHostKeys = true; }; boot.initrd.secrets = { - "/etc/ssh/ssh_host_rsa_key" = ; + "/etc/ssh/ssh_host_rsa_key" = "${config.krebs.secret.directory}/initrd/ssh_host_rsa_key"; }; } diff --git a/tv/2configs/ppp.nix b/tv/2configs/ppp.nix index 24d2831c4..b3ae4da89 100644 --- a/tv/2configs/ppp.nix +++ b/tv/2configs/ppp.nix @@ -1,7 +1,7 @@ with import ./lib; { config, pkgs, ... }: let cfg = { - pin = "@${toString }"; + pin = "@${config.krebs.secret.directory}/o2.pin"; ttys.ppp = "/dev/ttyACM0"; ttys.com = "/dev/ttyACM1"; }; diff --git a/tv/2configs/wiregrill.nix b/tv/2configs/wiregrill.nix index edf65e979..cace01a6b 100644 --- a/tv/2configs/wiregrill.nix +++ b/tv/2configs/wiregrill.nix @@ -12,7 +12,7 @@ in optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++ optional (cfg.net.ip6 != null) cfg.net.ip6.addr; listenPort = 51820; - privateKeyFile = (toString ) + "/wiregrill.key"; + privateKeyFile = "${config.krebs.secret.directory}/wiregrill.key"; allowedIPsAsRoutes = true; peers = mapAttrsToList (_: host: { diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix index 4a0f99503..1fdcea572 100644 --- a/tv/3modules/charybdis/default.nix +++ b/tv/3modules/charybdis/default.nix 
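Review bot: This hunk in tv/2configs/gitrepos.nix deletes the `import <secrets/repos.nix> { inherit config lib pkgs; }` merge outright rather than rewriting it to `import "${config.krebs.secret.directory}/repos.nix" { inherit config lib pkgs; }` as every other hunk does, so any repositories defined in that file silently disappear from the gitrepos configuration; the enclosing expression starts before the hunk. If that is intentional — the removed TODO says the import should not put secrets/repos.nix into the store, and an eval-time import would still do that — state it in the commit message; if not, keep the merge with the new path form. Either way this is a behaviour change hidden inside a mechanical refactor.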
@@ -17,11 +17,11 @@ in { }; ssl_dh_params = mkOption { type = types.absolute-pathname; - default = toString + "/charybdis.dh.pem"; + default = "${config.krebs.secret.directory}/charybdis.dh.pem"; }; ssl_private_key = mkOption { type = types.absolute-pathname; - default = toString + "/charybdis.key.pem"; + default = "${config.krebs.secret.directory}/charybdis.key.pem"; }; sslport = mkOption { type = types.int; diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix index 71a1a597a..61fd8fdf1 100644 --- a/tv/3modules/ejabberd/default.nix +++ b/tv/3modules/ejabberd/default.nix @@ -20,7 +20,7 @@ in { certfiles = mkOption { type = types.listOf types.absolute-pathname; default = [ - (toString + "/ejabberd.pem") + "${config.krebs.secret.directory}/ejabberd.pem" ]; }; configFile = mkOption { diff --git a/tv/3modules/wwan.nix b/tv/3modules/wwan.nix index 382f5a535..0cdfbf36c 100644 --- a/tv/3modules/wwan.nix +++ b/tv/3modules/wwan.nix @@ -19,7 +19,7 @@ with import ./lib; }; tv.wwan.secrets = mkOption { type = with types; pathname; - default = toString ; + default = "${config.krebs.secret.directory}/wwan.json"; # format: {"pin1":number} }; }; diff --git a/tv/3modules/x0vncserver.nix b/tv/3modules/x0vncserver.nix index eb9b1ae4e..c8e23d06e 100644 --- a/tv/3modules/x0vncserver.nix +++ b/tv/3modules/x0vncserver.nix @@ -9,7 +9,7 @@ in { }; enable = mkEnableOption "tv.x0vncserver"; pwfile = mkOption { - default = toString + "/vncpasswd"; + default = "${config.krebs.secret.directory}/vncpasswd"; description = '' Use vncpasswd to edit pwfile. See: nix-shell -p tigervnc --run 'man vncpasswd'