feat(3p/agenix): update to 2022-05-16 and add to niv

The new version brings the new `secretsDir` setting, which means we no
longer have to hardcode /run/agenix everywhere.

Change-Id: I4b579d7233d315a780d7671869d5d06722d769fa
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5646
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: sterni <sternenseemann@systemli.org>
sterni 2022-05-22 23:51:49 +02:00 committed by clbot
parent c55f61cd9b
commit 03d1986316
13 changed files with 33 additions and 25 deletions


@ -334,7 +334,7 @@ in
flags = { flags = {
gerrit_host = "cl.tvl.fyi:29418"; gerrit_host = "cl.tvl.fyi:29418";
gerrit_ssh_auth_username = "clbot"; gerrit_ssh_auth_username = "clbot";
gerrit_ssh_auth_key = "/run/agenix/clbot-ssh"; gerrit_ssh_auth_key = config.age.secretsDir + "/clbot-ssh";
irc_server = "localhost:${toString config.services.znc.config.Listener.l.Port}"; irc_server = "localhost:${toString config.services.znc.config.Listener.l.Port}";
irc_user = "tvlbot"; irc_user = "tvlbot";
@ -453,7 +453,7 @@ in
services.nix-serve = { services.nix-serve = {
enable = true; enable = true;
port = 6443; port = 6443;
secretKeyFile = "/run/agenix/nix-cache-priv"; secretKeyFile = config.age.secretsDir + "/nix-cache-priv";
bindAddress = "localhost"; bindAddress = "localhost";
}; };
@ -599,7 +599,7 @@ in
}; };
# Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET. # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
systemd.services.grafana.serviceConfig.EnvironmentFile = "/run/agenix/grafana"; systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secretsDir + "/grafana";
services.keycloak = { services.keycloak = {
enable = true; enable = true;
@ -613,7 +613,7 @@ in
database = { database = {
type = "postgresql"; type = "postgresql";
passwordFile = "/run/agenix/keycloak-db"; passwordFile = config.age.secretsDir + "/keycloak-db";
createLocally = false; createLocally = false;
}; };
}; };
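Review bot: The new right-hand sides such as `gerrit_ssh_auth_key = config.age.secretsDir + "/clbot-ssh"` behave differently depending on whether `age.secretsDir` evaluates to a Nix string or a path value: with a path on the left, `+` yields a path, and a path interpolated into a derivation (a rendered config file or unit) is copied into the world-readable Nix store, which for a secrets directory is the wrong outcome. The page does not show the option's declared type, so this may be moot if agenix declares it as a string, but `toString config.age.secretsDir + "/clbot-ssh"` (or `"${toString config.age.secretsDir}/clbot-ssh"`) is identical on a string and does not trigger a store copy on a path. The same pattern appears in the nix-serve, grafana and keycloak hunks of this section and in the bbbg, ddclient, acme and buildkite hunks further down; the option modules' `default = config.age.secretsDir + "/…"` lines are a separate case, since their `types.str` would presumably reject a path value at evaluation time. The enclosing `in` block begins and ends outside every hunk here.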


@ -60,7 +60,7 @@ in
secretsFile = mkOption { secretsFile = mkOption {
type = types.str; type = types.str;
description = "EnvironmentFile from which to load secrets"; description = "EnvironmentFile from which to load secrets";
default = "/run/agenix/clbot"; default = config.age.secretsDir + "/clbot";
}; };
}; };
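Review bot: `default = config.age.secretsDir + "/clbot"` makes this option's default depend on the agenix module being imported wherever the clbot module is evaluated, where the old literal string did not; an evaluation without `config.age` now fails with a missing-attribute error rather than a clear message, and anything that renders option defaults (documentation generation, presumably) evaluates this expression too. Adding a `defaultText` keeps the rendered documentation stable and independent of that evaluation: `defaultText = lib.literalExpression ''config.age.secretsDir + "/clbot"'';`, using whatever alias this file has for `lib`. The same applies to the gerrit-queue, irccat, oauth2_proxy, owothia, panettone and smtprelay option hunks below. The enclosing options attrset continues outside the hunk.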


@ -24,7 +24,7 @@ in
secretsFile = with lib; mkOption { secretsFile = with lib; mkOption {
description = "Path to a systemd EnvironmentFile containing secrets"; description = "Path to a systemd EnvironmentFile containing secrets";
default = "/run/agenix/gerrit-queue"; default = config.age.secretsDir + "/gerrit-queue";
type = types.str; type = types.str;
}; };
}; };


@ -40,7 +40,7 @@ in
secretsFile = lib.mkOption { secretsFile = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "Path to the secrets file to be merged"; description = "Path to the secrets file to be merged";
default = "/run/agenix/irccat"; default = config.age.secretsDir + "/irccat";
}; };
}; };


@ -37,7 +37,7 @@ in
secretsFile = lib.mkOption { secretsFile = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "EnvironmentFile from which to load secrets"; description = "EnvironmentFile from which to load secrets";
default = "/run/agenix/oauth2_proxy"; default = config.age.secretsDir + "/oauth2_proxy";
}; };
}; };


@ -12,7 +12,7 @@ in
secretsFile = lib.mkOption { secretsFile = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "File path from which systemd should read secrets"; description = "File path from which systemd should read secrets";
default = "/run/agenix/owothia"; default = config.age.secretsDir + "/owothia";
}; };
owoChance = lib.mkOption { owoChance = lib.mkOption {


@ -37,7 +37,7 @@ in
by systemd's EnvironmentFile by systemd's EnvironmentFile
''; '';
type = types.str; type = types.str;
default = "/run/agenix/panettone"; default = config.age.secretsDir + "/panettone";
}; };
irccatHost = mkOption { irccatHost = mkOption {


@ -40,7 +40,7 @@ in
secretsFile = mkOption { secretsFile = mkOption {
type = types.str; type = types.str;
default = "/run/agenix/smtprelay"; default = config.age.secretsDir + "/smtprelay";
}; };
}; };


@ -40,7 +40,7 @@ in
value = { value = {
inherit name; inherit name;
enable = true; enable = true;
tokenPath = "/run/agenix/buildkite-agent-token"; tokenPath = config.age.secretsDir + "/buildkite-agent-token";
hooks.post-command = "${buildkiteHooks}/bin/post-command"; hooks.post-command = "${buildkiteHooks}/bin/post-command";
runtimePackages = with pkgs; [ runtimePackages = with pkgs; [


@ -1,12 +1,8 @@
{ pkgs, ... }: { pkgs, depot, ... }:
let let
src = pkgs.fetchFromGitHub { src = depot.third_party.sources.agenix;
owner = "ryantm";
repo = "agenix";
rev = "52ea2f8c3231cc2b5302fa28c63588aacb77ea29";
sha256 = "1sqgbriwmvxcmqp0zbk7873psk9g60a53fgrr9p0jafki5zzgvdx";
};
agenix = import src { agenix = import src {
inherit pkgs; inherit pkgs;
}; };


@ -1,4 +1,16 @@
{ {
"agenix": {
"branch": "main",
"description": "age-encrypted secrets for NixOS",
"homepage": "https://matrix.to/#/#agenix:nixos.org",
"owner": "ryantm",
"repo": "agenix",
"rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
"sha256": "1cfdd2ja56g8clllygf91il7dignr90ij1bl29g3kl7dl977dhl4",
"type": "tarball",
"url": "https://github.com/ryantm/agenix/archive/7e5e58b98c3dcbf497543ff6f22591552ebfe65b.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"emacs-overlay": { "emacs-overlay": {
"branch": "master", "branch": "master",
"description": "Bleeding edge emacs overlay [maintainer=@adisbladis] ", "description": "Bleeding edge emacs overlay [maintainer=@adisbladis] ",


@ -64,7 +64,7 @@ in
serviceConfig = { serviceConfig = {
DynamicUser = true; DynamicUser = true;
Restart = "always"; Restart = "always";
EnvironmentFile = "/run/agenix/bbbg"; EnvironmentFile = config.age.secretsDir + "/bbbg";
}; };
environment = { environment = {
@ -88,7 +88,7 @@ in
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
EnvironmentFile = "/run/agenix/bbbg"; EnvironmentFile = config.age.secretsDir + "/bbbg";
}; };
environment = { environment = {


@ -153,7 +153,7 @@ with lib;
zone = "gws.fyi"; zone = "gws.fyi";
protocol = "cloudflare"; protocol = "cloudflare";
username = "root@gws.fyi"; username = "root@gws.fyi";
passwordFile = "/run/agenix/ddclient-password"; passwordFile = config.age.secretsDir + "/ddclient-password";
quiet = true; quiet = true;
}; };
@ -161,7 +161,7 @@ with lib;
security.acme.certs."metrics.gws.fyi" = { security.acme.certs."metrics.gws.fyi" = {
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
credentialsFile = "/run/agenix/cloudflare"; credentialsFile = config.age.secretsDir + "/cloudflare";
webroot = mkForce null; webroot = mkForce null;
}; };
@ -272,8 +272,8 @@ with lib;
value = { value = {
inherit name; inherit name;
enable = true; enable = true;
tokenPath = "/run/agenix/buildkite-token"; tokenPath = config.age.secretsDir + "/buildkite-token";
privateSshKeyPath = "/run/agenix/buildkite-ssh-key"; privateSshKeyPath = config.age.secretsDir + "/buildkite-ssh-key";
runtimePackages = with pkgs; [ runtimePackages = with pkgs; [
docker docker
nix nix