feat(modules): Replace dgn-secrets by age-secrets

This commit is contained in:
Tom Hubrecht 2024-01-09 14:48:33 +01:00
parent 75b389c03f
commit 4716f8a398
16 changed files with 18 additions and 138 deletions

View file

@ -13,7 +13,7 @@ let
]; ];
# Include default secrets # Include default secrets
dgn-secrets.sources = [ ./machines/${node}/secrets ]; age-secrets.sources = [ ./machines/${node}/secrets ];
# Deployment config is specified in meta.nodes.${node}.deployment # Deployment config is specified in meta.nodes.${node}.deployment
inherit (metadata.nodes.${node}) deployment; inherit (metadata.nodes.${node}) deployment;

View file

@ -60,5 +60,5 @@ in {
}; };
}; };
dgn-secrets.matches."^ds_fr-.*$" = { owner = "ds-fr"; }; age-secrets.matches."^ds_fr-.*$" = { owner = "ds-fr"; };
} }

View file

@ -55,7 +55,7 @@
radiusClients = { }; radiusClients = { };
}; };
dgn-secrets.matches."^radius-.*$" = { owner = "radius"; }; age-secrets.matches."^radius-.*$" = { owner = "radius"; };
networking.firewall.allowedTCPPorts = [ 1812 ]; networking.firewall.allowedTCPPorts = [ 1812 ];
networking.firewall.allowedUDPPorts = [ 1812 ]; networking.firewall.allowedUDPPorts = [ 1812 ];

View file

@ -38,5 +38,5 @@ in {
extraEnvFiles = [ config.age.secrets."mastodon-extra_env_file".path ]; extraEnvFiles = [ config.age.secrets."mastodon-extra_env_file".path ];
}; };
dgn-secrets.matches."^mastodon-.*$" = { owner = "mastodon"; }; age-secrets.matches."^mastodon-.*$" = { owner = "mastodon"; };
} }

View file

@ -190,7 +190,7 @@ in {
networking.hosts = { "129.199.146.148" = [ "s3.dgnum.eu" ]; }; networking.hosts = { "129.199.146.148" = [ "s3.dgnum.eu" ]; };
dgn-secrets.matches."^nextcloud-.*$" = { owner = "nextcloud"; }; age-secrets.matches."^nextcloud-.*$" = { owner = "nextcloud"; };
system.activationScripts = { system.activationScripts = {
restart-nextcloud.text = '' restart-nextcloud.text = ''

View file

@ -51,5 +51,5 @@ in {
}; };
}; };
dgn-secrets.matches."^outline-.*$" = { owner = "outline"; }; age-secrets.matches."^outline-.*$" = { owner = "outline"; };
} }

View file

@ -144,5 +144,5 @@ in {
forceSSL = true; forceSSL = true;
}; };
dgn-secrets.matches."^satosa-.*$" = { owner = "satosa"; }; age-secrets.matches."^satosa-.*$" = { owner = "satosa"; };
} }

View file

@ -51,5 +51,5 @@ in {
}; };
}; };
dgn-secrets.matches."^zammad-.*$" = { owner = "zammad"; }; age-secrets.matches."^zammad-.*$" = { owner = "zammad"; };
} }

View file

@ -77,5 +77,5 @@ in {
users.groups.git = { }; users.groups.git = { };
dgn-secrets.matches."^forgejo-.*$" = { owner = "git"; }; age-secrets.matches."^forgejo-.*$" = { owner = "git"; };
} }

View file

@ -42,5 +42,5 @@ in
}; };
}; };
# dgn-secrets.matches."^netbird-.*$" = { owner = "netbird"; }; # age-secrets.matches."^netbird-.*$" = { owner = "netbird"; };
} }

View file

@ -63,5 +63,5 @@ in {
forceSSL = true; forceSSL = true;
}; };
dgn-secrets.matches."^peertube-.*$" = { owner = "peertube"; }; age-secrets.matches."^peertube-.*$" = { owner = "peertube"; };
} }

View file

@ -70,7 +70,7 @@ in {
# allowedUDPPorts = [ 53 ]; # allowedUDPPorts = [ 53 ];
# }; # };
# #
# dgn-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }]; # age-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }];
# #
# # Configure ACME for DNS certificate validation # # Configure ACME for DNS certificate validation
# security.acme = { # security.acme = {

View file

@ -6,5 +6,5 @@
configPath = config.age.secrets."matterbridge-config_file".path; configPath = config.age.secrets."matterbridge-config_file".path;
}; };
dgn-secrets.matches."^matterbridge-.*$" = { owner = "matterbridge"; }; age-secrets.matches."^matterbridge-.*$" = { owner = "matterbridge"; };
} }

View file

@ -1,4 +1,4 @@
# Copyright : # Copyright :
# - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023 # - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
# - Maurice Debray <maurice.debray@dgnum.eu> 2023 # - Maurice Debray <maurice.debray@dgnum.eu> 2023
# #
@ -44,12 +44,13 @@
"dgn-hardware" "dgn-hardware"
"dgn-network" "dgn-network"
"dgn-runners" "dgn-runners"
"dgn-secrets"
"dgn-ssh" "dgn-ssh"
"dgn-web" "dgn-web"
"dgn-vm-variant" "dgn-vm-variant"
]) ++ [ ]) ++ [
"${sources.agenix}/modules/age.nix" "${sources.agenix}/modules/age.nix"
"${sources.attic}/nixos/atticd.nix" "${sources.attic}/nixos/atticd.nix"
]; ] ++ ((import sources.nix-modules { inherit lib; }).importModules [
"age-secrets"
]);
} }

View file

@ -293,7 +293,7 @@ in {
}; };
}; };
dgn-secrets.sources = [ ./. ]; age-secrets.sources = [ ./. ];
services.gitea-actions-runner.instances = lib.genAttrs services.gitea-actions-runner.instances = lib.genAttrs
(builtins.genList (n: "runner${builtins.toString n}") cfg.nbRunners) (builtins.genList (n: "runner${builtins.toString n}") cfg.nbRunners)

View file

@ -1,121 +0,0 @@
# Copyright :
# - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
#
# Ce logiciel est un programme informatique servant à déployer des
# configurations de serveurs via NixOS.
#
# Ce logiciel est régi par la licence CeCILL soumise au droit français et
# respectant les principes de diffusion des logiciels libres. Vous pouvez
# utiliser, modifier et/ou redistribuer ce programme sous les conditions
# de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
# sur le site "http://www.cecill.info".
#
# En contrepartie de l'accessibilité au code source et des droits de copie,
# de modification et de redistribution accordés par cette licence, il n'est
# offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
# seule une responsabilité restreinte pèse sur l'auteur du programme, le
# titulaire des droits patrimoniaux et les concédants successifs.
#
# A cet égard l'attention de l'utilisateur est attirée sur les risques
# associés au chargement, à l'utilisation, à la modification et/ou au
# développement et à la reproduction du logiciel par l'utilisateur étant
# donné sa spécificité de logiciel libre, qui peut le rendre complexe à
# manipuler et qui le réserve donc à des développeurs et des professionnels
# avertis possédant des connaissances informatiques approfondies. Les
# utilisateurs sont donc invités à charger et tester l'adéquation du
# logiciel à leurs besoins dans des conditions permettant d'assurer la
# sécurité de leurs systèmes et ou de leurs données et, plus généralement,
# à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
#
# Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
# pris connaissance de la licence CeCILL, et que vous en avez accepté les
# termes.
{ config, lib, ... }:
let
inherit (lib)
mkOption
types;
inherit (lib.extra) getSecrets mkBaseSecrets recursiveFuse;
cfg = config.dgn-secrets;
optionsType = with types;
submodule ({ config, ... }: {
options = {
mode = mkOption {
type = str;
default = "0400";
description = ''
Permissions mode of the decrypted secret in a format understood by chmod.
'';
};
owner = mkOption {
type = str;
default = "0";
description = ''
User of the decrypted secret.
'';
};
group = mkOption {
type = str;
default = config.users.${config.owner}.group or "0";
description = ''
Group of the decrypted secret.
'';
};
};
});
in {
options.dgn-secrets = {
sources = mkOption {
type = with types; listOf path;
default = [ ];
description = ''
List of directories containing secrets managed with agenix.
'';
};
options = mkOption {
type = with types; listOf (attrsOf optionsType);
default = [ ];
description = ''
List of attribute sets of secrets' configuration overrides.
'';
};
names = mkOption {
type = with types; listOf str;
default = builtins.foldl' (acc: dir: acc ++ (getSecrets dir)) [ ]
cfg.sources;
description = ''
List of the names of the secrets.
'';
};
matches = mkOption {
type = with types; attrsOf optionsType;
default = { };
description = ''
Matches of secret names associated to options.
'';
};
};
config = {
dgn-secrets.options = builtins.concatLists (builtins.attrValues
(builtins.mapAttrs (pattern: options:
builtins.map (secret: { ${secret} = options; })
(builtins.filter (secret: builtins.match pattern secret != null)
cfg.names)) cfg.matches));
age.secrets = recursiveFuse (cfg.options
++ (builtins.map (dir: mkBaseSecrets dir (getSecrets dir)) cfg.sources));
};
}