feat(modules): Replace dgn-secrets by age-secrets
This commit is contained in:
parent
75b389c03f
commit
4716f8a398
16 changed files with 18 additions and 138 deletions
2
hive.nix
2
hive.nix
|
@ -13,7 +13,7 @@ let
|
||||||
];
|
];
|
||||||
|
|
||||||
# Include default secrets
|
# Include default secrets
|
||||||
dgn-secrets.sources = [ ./machines/${node}/secrets ];
|
age-secrets.sources = [ ./machines/${node}/secrets ];
|
||||||
|
|
||||||
# Deployment config is specified in meta.nodes.${node}.deployment
|
# Deployment config is specified in meta.nodes.${node}.deployment
|
||||||
inherit (metadata.nodes.${node}) deployment;
|
inherit (metadata.nodes.${node}) deployment;
|
||||||
|
|
|
@ -60,5 +60,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.matches."^ds_fr-.*$" = { owner = "ds-fr"; };
|
age-secrets.matches."^ds_fr-.*$" = { owner = "ds-fr"; };
|
||||||
}
|
}
|
||||||
|
|
|
@ -55,7 +55,7 @@
|
||||||
radiusClients = { };
|
radiusClients = { };
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.matches."^radius-.*$" = { owner = "radius"; };
|
age-secrets.matches."^radius-.*$" = { owner = "radius"; };
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 1812 ];
|
networking.firewall.allowedTCPPorts = [ 1812 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 1812 ];
|
networking.firewall.allowedUDPPorts = [ 1812 ];
|
||||||
|
|
|
@ -38,5 +38,5 @@ in {
|
||||||
extraEnvFiles = [ config.age.secrets."mastodon-extra_env_file".path ];
|
extraEnvFiles = [ config.age.secrets."mastodon-extra_env_file".path ];
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.matches."^mastodon-.*$" = { owner = "mastodon"; };
|
age-secrets.matches."^mastodon-.*$" = { owner = "mastodon"; };
|
||||||
}
|
}
|
||||||
|
|
|
@ -190,7 +190,7 @@ in {
|
||||||
|
|
||||||
networking.hosts = { "129.199.146.148" = [ "s3.dgnum.eu" ]; };
|
networking.hosts = { "129.199.146.148" = [ "s3.dgnum.eu" ]; };
|
||||||
|
|
||||||
dgn-secrets.matches."^nextcloud-.*$" = { owner = "nextcloud"; };
|
age-secrets.matches."^nextcloud-.*$" = { owner = "nextcloud"; };
|
||||||
|
|
||||||
system.activationScripts = {
|
system.activationScripts = {
|
||||||
restart-nextcloud.text = ''
|
restart-nextcloud.text = ''
|
||||||
|
|
|
@ -51,5 +51,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.matches."^outline-.*$" = { owner = "outline"; };
|
age-secrets.matches."^outline-.*$" = { owner = "outline"; };
|
||||||
}
|
}
|
||||||
|
|
|
@ -144,5 +144,5 @@ in {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.matches."^satosa-.*$" = { owner = "satosa"; };
|
age-secrets.matches."^satosa-.*$" = { owner = "satosa"; };
|
||||||
}
|
}
|
||||||
|
|
|
@ -51,5 +51,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.matches."^zammad-.*$" = { owner = "zammad"; };
|
age-secrets.matches."^zammad-.*$" = { owner = "zammad"; };
|
||||||
}
|
}
|
||||||
|
|
|
@ -77,5 +77,5 @@ in {
|
||||||
|
|
||||||
users.groups.git = { };
|
users.groups.git = { };
|
||||||
|
|
||||||
dgn-secrets.matches."^forgejo-.*$" = { owner = "git"; };
|
age-secrets.matches."^forgejo-.*$" = { owner = "git"; };
|
||||||
}
|
}
|
||||||
|
|
|
@ -42,5 +42,5 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# dgn-secrets.matches."^netbird-.*$" = { owner = "netbird"; };
|
# age-secrets.matches."^netbird-.*$" = { owner = "netbird"; };
|
||||||
}
|
}
|
||||||
|
|
|
@ -63,5 +63,5 @@ in {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.matches."^peertube-.*$" = { owner = "peertube"; };
|
age-secrets.matches."^peertube-.*$" = { owner = "peertube"; };
|
||||||
}
|
}
|
||||||
|
|
|
@ -70,7 +70,7 @@ in {
|
||||||
# allowedUDPPorts = [ 53 ];
|
# allowedUDPPorts = [ 53 ];
|
||||||
# };
|
# };
|
||||||
#
|
#
|
||||||
# dgn-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }];
|
# age-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }];
|
||||||
#
|
#
|
||||||
# # Configure ACME for DNS certificate validation
|
# # Configure ACME for DNS certificate validation
|
||||||
# security.acme = {
|
# security.acme = {
|
||||||
|
|
|
@ -6,5 +6,5 @@
|
||||||
configPath = config.age.secrets."matterbridge-config_file".path;
|
configPath = config.age.secrets."matterbridge-config_file".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.matches."^matterbridge-.*$" = { owner = "matterbridge"; };
|
age-secrets.matches."^matterbridge-.*$" = { owner = "matterbridge"; };
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Copyright :
|
# Copyright :
|
||||||
# - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
|
# - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
|
||||||
# - Maurice Debray <maurice.debray@dgnum.eu> 2023
|
# - Maurice Debray <maurice.debray@dgnum.eu> 2023
|
||||||
#
|
#
|
||||||
|
@ -44,12 +44,13 @@
|
||||||
"dgn-hardware"
|
"dgn-hardware"
|
||||||
"dgn-network"
|
"dgn-network"
|
||||||
"dgn-runners"
|
"dgn-runners"
|
||||||
"dgn-secrets"
|
|
||||||
"dgn-ssh"
|
"dgn-ssh"
|
||||||
"dgn-web"
|
"dgn-web"
|
||||||
"dgn-vm-variant"
|
"dgn-vm-variant"
|
||||||
]) ++ [
|
]) ++ [
|
||||||
"${sources.agenix}/modules/age.nix"
|
"${sources.agenix}/modules/age.nix"
|
||||||
"${sources.attic}/nixos/atticd.nix"
|
"${sources.attic}/nixos/atticd.nix"
|
||||||
];
|
] ++ ((import sources.nix-modules { inherit lib; }).importModules [
|
||||||
|
"age-secrets"
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
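Review bot: The code that decides the mode, owner and group of every decrypted secret now comes from outside this repository, via `] ++ ((import sources.nix-modules { inherit lib; }).importModules [ "age-secrets" ]);`, and nothing in this hunk records how `sources.nix-modules` is pinned or what that pin is expected to provide, so the pin's integrity is now the only thing guarding the secret-provisioning path. The removed in-tree module defaulted each secret to mode "0400" and owner "0"; whether the external `age-secrets` module keeps those defaults, and the same `sources`/`options`/`matches`/`names` option shape that the other files in this commit rely on, cannot be confirmed from the hunk. A short comment above the new `importModules` call stating that expectation would help the next reader, e.g. `# age-secrets (from sources.nix-modules, pinned at <NIX_MODULES_PIN>) replaces the former in-tree dgn-secrets module; secrets default to mode 0400, owner root.` The module list this hunk edits is opened before the hunk (`]) ++ [` closes an earlier list), so the surrounding expression is only partly visible here.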
|
|
|
@ -293,7 +293,7 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.sources = [ ./. ];
|
age-secrets.sources = [ ./. ];
|
||||||
|
|
||||||
services.gitea-actions-runner.instances = lib.genAttrs
|
services.gitea-actions-runner.instances = lib.genAttrs
|
||||||
(builtins.genList (n: "runner${builtins.toString n}") cfg.nbRunners)
|
(builtins.genList (n: "runner${builtins.toString n}") cfg.nbRunners)
|
||||||
|
|
|
@ -1,121 +0,0 @@
|
||||||
# Copyright :
|
|
||||||
# - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
|
|
||||||
#
|
|
||||||
# Ce logiciel est un programme informatique servant à déployer des
|
|
||||||
# configurations de serveurs via NixOS.
|
|
||||||
#
|
|
||||||
# Ce logiciel est régi par la licence CeCILL soumise au droit français et
|
|
||||||
# respectant les principes de diffusion des logiciels libres. Vous pouvez
|
|
||||||
# utiliser, modifier et/ou redistribuer ce programme sous les conditions
|
|
||||||
# de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
|
|
||||||
# sur le site "http://www.cecill.info".
|
|
||||||
#
|
|
||||||
# En contrepartie de l'accessibilité au code source et des droits de copie,
|
|
||||||
# de modification et de redistribution accordés par cette licence, il n'est
|
|
||||||
# offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
|
|
||||||
# seule une responsabilité restreinte pèse sur l'auteur du programme, le
|
|
||||||
# titulaire des droits patrimoniaux et les concédants successifs.
|
|
||||||
#
|
|
||||||
# A cet égard l'attention de l'utilisateur est attirée sur les risques
|
|
||||||
# associés au chargement, à l'utilisation, à la modification et/ou au
|
|
||||||
# développement et à la reproduction du logiciel par l'utilisateur étant
|
|
||||||
# donné sa spécificité de logiciel libre, qui peut le rendre complexe à
|
|
||||||
# manipuler et qui le réserve donc à des développeurs et des professionnels
|
|
||||||
# avertis possédant des connaissances informatiques approfondies. Les
|
|
||||||
# utilisateurs sont donc invités à charger et tester l'adéquation du
|
|
||||||
# logiciel à leurs besoins dans des conditions permettant d'assurer la
|
|
||||||
# sécurité de leurs systèmes et ou de leurs données et, plus généralement,
|
|
||||||
# à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
|
|
||||||
#
|
|
||||||
# Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
|
|
||||||
# pris connaissance de la licence CeCILL, et que vous en avez accepté les
|
|
||||||
# termes.
|
|
||||||
|
|
||||||
{ config, lib, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
inherit (lib)
|
|
||||||
mkOption
|
|
||||||
|
|
||||||
types;
|
|
||||||
|
|
||||||
inherit (lib.extra) getSecrets mkBaseSecrets recursiveFuse;
|
|
||||||
|
|
||||||
cfg = config.dgn-secrets;
|
|
||||||
|
|
||||||
optionsType = with types;
|
|
||||||
submodule ({ config, ... }: {
|
|
||||||
options = {
|
|
||||||
mode = mkOption {
|
|
||||||
type = str;
|
|
||||||
default = "0400";
|
|
||||||
description = ''
|
|
||||||
Permissions mode of the decrypted secret in a format understood by chmod.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
owner = mkOption {
|
|
||||||
type = str;
|
|
||||||
default = "0";
|
|
||||||
description = ''
|
|
||||||
User of the decrypted secret.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
group = mkOption {
|
|
||||||
type = str;
|
|
||||||
default = config.users.${config.owner}.group or "0";
|
|
||||||
description = ''
|
|
||||||
Group of the decrypted secret.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
|
|
||||||
in {
|
|
||||||
options.dgn-secrets = {
|
|
||||||
sources = mkOption {
|
|
||||||
type = with types; listOf path;
|
|
||||||
default = [ ];
|
|
||||||
description = ''
|
|
||||||
List of directories containing secrets managed with agenix.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
options = mkOption {
|
|
||||||
type = with types; listOf (attrsOf optionsType);
|
|
||||||
default = [ ];
|
|
||||||
description = ''
|
|
||||||
List of attribute sets of secrets' configuration overrides.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
names = mkOption {
|
|
||||||
type = with types; listOf str;
|
|
||||||
default = builtins.foldl' (acc: dir: acc ++ (getSecrets dir)) [ ]
|
|
||||||
cfg.sources;
|
|
||||||
description = ''
|
|
||||||
List of the names of the secrets.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
matches = mkOption {
|
|
||||||
type = with types; attrsOf optionsType;
|
|
||||||
default = { };
|
|
||||||
description = ''
|
|
||||||
Matches of secret names associated to options.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = {
|
|
||||||
dgn-secrets.options = builtins.concatLists (builtins.attrValues
|
|
||||||
(builtins.mapAttrs (pattern: options:
|
|
||||||
builtins.map (secret: { ${secret} = options; })
|
|
||||||
(builtins.filter (secret: builtins.match pattern secret != null)
|
|
||||||
cfg.names)) cfg.matches));
|
|
||||||
|
|
||||||
age.secrets = recursiveFuse (cfg.options
|
|
||||||
++ (builtins.map (dir: mkBaseSecrets dir (getSecrets dir)) cfg.sources));
|
|
||||||
};
|
|
||||||
}
|
|