feat(3p/agenix): update to 2022-05-16 and add to niv
The new version adds the new secretsDir setting, which means we no longer have to hardcode /run/agenix everywhere. Change-Id: I4b579d7233d315a780d7671869d5d06722d769fa Reviewed-on: https://cl.tvl.fyi/c/depot/+/5646 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: sterni <sternenseemann@systemli.org>
parent
c55f61cd9b
commit
03d1986316
13 changed files with 33 additions and 25 deletions
|
@ -334,7 +334,7 @@ in
|
||||||
flags = {
|
flags = {
|
||||||
gerrit_host = "cl.tvl.fyi:29418";
|
gerrit_host = "cl.tvl.fyi:29418";
|
||||||
gerrit_ssh_auth_username = "clbot";
|
gerrit_ssh_auth_username = "clbot";
|
||||||
gerrit_ssh_auth_key = "/run/agenix/clbot-ssh";
|
gerrit_ssh_auth_key = config.age.secretsDir + "/clbot-ssh";
|
||||||
|
|
||||||
irc_server = "localhost:${toString config.services.znc.config.Listener.l.Port}";
|
irc_server = "localhost:${toString config.services.znc.config.Listener.l.Port}";
|
||||||
irc_user = "tvlbot";
|
irc_user = "tvlbot";
|
||||||
|
@ -453,7 +453,7 @@ in
|
||||||
services.nix-serve = {
|
services.nix-serve = {
|
||||||
enable = true;
|
enable = true;
|
||||||
port = 6443;
|
port = 6443;
|
||||||
secretKeyFile = "/run/agenix/nix-cache-priv";
|
secretKeyFile = config.age.secretsDir + "/nix-cache-priv";
|
||||||
bindAddress = "localhost";
|
bindAddress = "localhost";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -599,7 +599,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
# Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
|
# Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
|
||||||
systemd.services.grafana.serviceConfig.EnvironmentFile = "/run/agenix/grafana";
|
systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secretsDir + "/grafana";
|
||||||
|
|
||||||
services.keycloak = {
|
services.keycloak = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -613,7 +613,7 @@ in
|
||||||
|
|
||||||
database = {
|
database = {
|
||||||
type = "postgresql";
|
type = "postgresql";
|
||||||
passwordFile = "/run/agenix/keycloak-db";
|
passwordFile = config.age.secretsDir + "/keycloak-db";
|
||||||
createLocally = false;
|
createLocally = false;
|
||||||
};
|
};
|
||||||
};
|
};
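Review bot: `gerrit_ssh_auth_key = config.age.secretsDir + "/clbot-ssh";` (and the same pattern at the nix-serve `secretKeyFile`, grafana `EnvironmentFile` and keycloak `passwordFile` hunks in this section) concatenates a string onto an option value whose type is not visible here; if that option also accepts a Nix path literal, `path + "/clbot-ssh"` evaluates to a path, and a path coerced to a string inside a derivation is copied into the world-readable store on the evaluating host, which for a secrets directory is exactly the wrong outcome. This needs confirming against the vendored agenix module before relying on the `+` form, and `"${config.age.secretsDir}/..."` interpolation would have the same coercion. A form that does not depend on the option's type, and stays correct if a secret's location is later overridden, is the per-secret path agenix exposes, e.g. `gerrit_ssh_auth_key = config.age.secrets.clbot-ssh.path;` (assuming the secret is declared under age.secrets under that name); otherwise `toString config.age.secretsDir + "/clbot-ssh"` avoids the coercion. The buildkite `tokenPath`/`privateSshKeyPath`, bbbg `EnvironmentFile`, ddclient `passwordFile` and acme `credentialsFile` hunks further down use the same construction and would want the same treatment.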
|
||||||
|
|
|
@ -60,7 +60,7 @@ in
|
||||||
secretsFile = mkOption {
|
secretsFile = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
description = "EnvironmentFile from which to load secrets";
|
description = "EnvironmentFile from which to load secrets";
|
||||||
default = "/run/agenix/clbot";
|
default = config.age.secretsDir + "/clbot";
|
||||||
};
|
};
|
||||||
};
|
};
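Review bot: The new `default = config.age.secretsDir + "/clbot";` makes this option's default depend on `config`, so the options documentation generator will evaluate it and render the resulting string instead of the expression; the NixOS convention for such defaults is to add `defaultText = lib.literalExpression ''config.age.secretsDir + "/clbot"'';` next to it. The same applies to the secretsFile defaults in the gerrit-queue, irccat, oauth2_proxy, owothia, panettone and smtprelay hunks below. Each module's argument header is outside its hunk, so whether `config` is actually bound in the module's argument set cannot be checked from the diff and is worth verifying per module. Since `type = types.str` stays in place, I believe a path-valued secretsDir would be rejected at option type-check time rather than silently coerced, which limits the blast radius here but still makes `toString` (or the per-secret `config.age.secrets.<name>.path`) the more robust choice.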
|
||||||
|
|
||||||
|
|
|
@ -24,7 +24,7 @@ in
|
||||||
|
|
||||||
secretsFile = with lib; mkOption {
|
secretsFile = with lib; mkOption {
|
||||||
description = "Path to a systemd EnvironmentFile containing secrets";
|
description = "Path to a systemd EnvironmentFile containing secrets";
|
||||||
default = "/run/agenix/gerrit-queue";
|
default = config.age.secretsDir + "/gerrit-queue";
|
||||||
type = types.str;
|
type = types.str;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -40,7 +40,7 @@ in
|
||||||
secretsFile = lib.mkOption {
|
secretsFile = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "Path to the secrets file to be merged";
|
description = "Path to the secrets file to be merged";
|
||||||
default = "/run/agenix/irccat";
|
default = config.age.secretsDir + "/irccat";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -37,7 +37,7 @@ in
|
||||||
secretsFile = lib.mkOption {
|
secretsFile = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "EnvironmentFile from which to load secrets";
|
description = "EnvironmentFile from which to load secrets";
|
||||||
default = "/run/agenix/oauth2_proxy";
|
default = config.age.secretsDir + "/oauth2_proxy";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ in
|
||||||
secretsFile = lib.mkOption {
|
secretsFile = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "File path from which systemd should read secrets";
|
description = "File path from which systemd should read secrets";
|
||||||
default = "/run/agenix/owothia";
|
default = config.age.secretsDir + "/owothia";
|
||||||
};
|
};
|
||||||
|
|
||||||
owoChance = lib.mkOption {
|
owoChance = lib.mkOption {
|
||||||
|
|
|
@ -37,7 +37,7 @@ in
|
||||||
by systemd's EnvironmentFile
|
by systemd's EnvironmentFile
|
||||||
'';
|
'';
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "/run/agenix/panettone";
|
default = config.age.secretsDir + "/panettone";
|
||||||
};
|
};
|
||||||
|
|
||||||
irccatHost = mkOption {
|
irccatHost = mkOption {
|
||||||
|
|
|
@ -40,7 +40,7 @@ in
|
||||||
|
|
||||||
secretsFile = mkOption {
|
secretsFile = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "/run/agenix/smtprelay";
|
default = config.age.secretsDir + "/smtprelay";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -40,7 +40,7 @@ in
|
||||||
value = {
|
value = {
|
||||||
inherit name;
|
inherit name;
|
||||||
enable = true;
|
enable = true;
|
||||||
tokenPath = "/run/agenix/buildkite-agent-token";
|
tokenPath = config.age.secretsDir + "/buildkite-agent-token";
|
||||||
hooks.post-command = "${buildkiteHooks}/bin/post-command";
|
hooks.post-command = "${buildkiteHooks}/bin/post-command";
|
||||||
|
|
||||||
runtimePackages = with pkgs; [
|
runtimePackages = with pkgs; [
|
||||||
|
|
10
third_party/agenix/default.nix
vendored
10
third_party/agenix/default.nix
vendored
|
@ -1,12 +1,8 @@
|
||||||
{ pkgs, ... }:
|
{ pkgs, depot, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
src = pkgs.fetchFromGitHub {
|
src = depot.third_party.sources.agenix;
|
||||||
owner = "ryantm";
|
|
||||||
repo = "agenix";
|
|
||||||
rev = "52ea2f8c3231cc2b5302fa28c63588aacb77ea29";
|
|
||||||
sha256 = "1sqgbriwmvxcmqp0zbk7873psk9g60a53fgrr9p0jafki5zzgvdx";
|
|
||||||
};
|
|
||||||
agenix = import src {
|
agenix = import src {
|
||||||
inherit pkgs;
|
inherit pkgs;
|
||||||
};
|
};
|
||||||
|
|
12
third_party/sources/sources.json
vendored
12
third_party/sources/sources.json
vendored
|
@ -1,4 +1,16 @@
|
||||||
{
|
{
|
||||||
|
"agenix": {
|
||||||
|
"branch": "main",
|
||||||
|
"description": "age-encrypted secrets for NixOS",
|
||||||
|
"homepage": "https://matrix.to/#/#agenix:nixos.org",
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
|
||||||
|
"sha256": "1cfdd2ja56g8clllygf91il7dignr90ij1bl29g3kl7dl977dhl4",
|
||||||
|
"type": "tarball",
|
||||||
|
"url": "https://github.com/ryantm/agenix/archive/7e5e58b98c3dcbf497543ff6f22591552ebfe65b.tar.gz",
|
||||||
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
|
},
|
||||||
"emacs-overlay": {
|
"emacs-overlay": {
|
||||||
"branch": "master",
|
"branch": "master",
|
||||||
"description": "Bleeding edge emacs overlay [maintainer=@adisbladis] ",
|
"description": "Bleeding edge emacs overlay [maintainer=@adisbladis] ",
|
||||||
|
|
|
@ -64,7 +64,7 @@ in
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
EnvironmentFile = "/run/agenix/bbbg";
|
EnvironmentFile = config.age.secretsDir + "/bbbg";
|
||||||
};
|
};
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
|
@ -88,7 +88,7 @@ in
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
EnvironmentFile = "/run/agenix/bbbg";
|
EnvironmentFile = config.age.secretsDir + "/bbbg";
|
||||||
};
|
};
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
|
|
|
@ -153,7 +153,7 @@ with lib;
|
||||||
zone = "gws.fyi";
|
zone = "gws.fyi";
|
||||||
protocol = "cloudflare";
|
protocol = "cloudflare";
|
||||||
username = "root@gws.fyi";
|
username = "root@gws.fyi";
|
||||||
passwordFile = "/run/agenix/ddclient-password";
|
passwordFile = config.age.secretsDir + "/ddclient-password";
|
||||||
quiet = true;
|
quiet = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -161,7 +161,7 @@ with lib;
|
||||||
|
|
||||||
security.acme.certs."metrics.gws.fyi" = {
|
security.acme.certs."metrics.gws.fyi" = {
|
||||||
dnsProvider = "cloudflare";
|
dnsProvider = "cloudflare";
|
||||||
credentialsFile = "/run/agenix/cloudflare";
|
credentialsFile = config.age.secretsDir + "/cloudflare";
|
||||||
webroot = mkForce null;
|
webroot = mkForce null;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -272,8 +272,8 @@ with lib;
|
||||||
value = {
|
value = {
|
||||||
inherit name;
|
inherit name;
|
||||||
enable = true;
|
enable = true;
|
||||||
tokenPath = "/run/agenix/buildkite-token";
|
tokenPath = config.age.secretsDir + "/buildkite-token";
|
||||||
privateSshKeyPath = "/run/agenix/buildkite-ssh-key";
|
privateSshKeyPath = config.age.secretsDir + "/buildkite-ssh-key";
|
||||||
runtimePackages = with pkgs; [
|
runtimePackages = with pkgs; [
|
||||||
docker
|
docker
|
||||||
nix
|
nix
|
||||||
|
|