refactor: move secrets off-shore

ooks-io 2025-01-20 20:57:53 +11:00
parent 0ecc1cbf40
commit d3d0ae8fcb
23 changed files with 231 additions and 179 deletions


@ -1,10 +1,10 @@
{
config,
pkgs,
keys,
...
}: let
inherit (config.ooknet.host) admin;
inherit (config.ooknet.secrets) keys;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in {
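Review bot: `keys` is now bound by `inherit (config.ooknet.secrets) keys;`, yet the old-side module argument `keys,` is still printed in the attrset pattern above it; if that argument survives on the new side the `let` binding shadows it silently, so the pattern should drop `keys,` altogether. The option `ooknet.secrets.keys` is not declared in any section visible here, so evaluation depends on the declaring module being imported unconditionally; a short comment on the inherit line would help, e.g. `# keys: supplied by the ooknet.secrets module option, no longer a flake input`. The builder-machine section below (`@ -1,5 +1,4 @@` and `@ -7,6 +6,7 @@`) does the same rebinding and has the same two concerns. The module body continues past the end of this hunk.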


@ -7,7 +7,6 @@
./admin.nix
./locale.nix
./options.nix
./secrets.nix
./openssh.nix
./tailscale.nix
./networking.nix
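Review bot: Dropping `./secrets.nix` from this import list removes the only visible declaration of `age.identityPaths` and `age.secrets.tailscale-auth`, while `./tailscale.nix` and `./openssh.nix` stay imported; if either still reads `config.age.secrets.<name>.path` the evaluation fails on a missing attribute, and if the reference is guarded by `mkIf` the service comes up without its secret. No replacement import is added in this hunk, so the off-shore module must be wired in elsewhere (presumably the flake's module list), which a reader of this file cannot see. A one-line comment in the list would make that explicit: `# age.secrets / age.identityPaths are declared by the external secrets module`. The import list continues outside the hunk.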


@ -1,5 +1,4 @@
{
keys,
config,
lib,
...
@ -7,6 +6,7 @@
inherit (lib) mkIf;
inherit (config.ooknet.host) admin;
inherit (config.networking) hostName;
inherit (config.ooknet.secrets) keys;
mkBuilderMachine = {
host,


@ -23,7 +23,6 @@ in {
defaultPackages = [];
systemPackages = attrValues {
inherit (pkgs) git deadnix statix;
inherit (inputs'.agenix.packages) default;
};
# location of the configuration flake


@ -1,43 +0,0 @@
{
config,
lib,
self,
...
}: let
inherit (lib) mkIf;
inherit (config.ooknet) host;
inherit (host) admin;
inherit (config.services) tailscale transmission;
in {
age.identityPaths = [
"/home/${admin.name}/.ssh/id_ed25519"
];
age.secrets = {
tailscale-auth = mkIf tailscale.enable {
file = "${self}/secrets/tailscale-auth.age";
mode = "444";
};
github_key = mkIf admin.homeManager {
file = "${self}/secrets/github_key.age";
path = "/home/${admin.name}/.ssh/github_key";
owner = "${admin.name}";
group = "users";
};
ooknet_org = mkIf admin.homeManager {
file = "${self}/secrets/ooknet_org.age";
path = "/home/${admin.name}/.ssh/ooknet_org";
owner = "${admin.name}";
group = "users";
};
spotify_key = mkIf admin.homeManager {
file = "${self}/secrets/spotify_key.age";
owner = "${admin.name}";
group = "users";
};
"mullvad_wg.conf" = mkIf transmission.enable {
file = "${self}/secrets/mullvad_wg.age";
};
};
}


@ -132,14 +132,6 @@
};
};
mkServiceSecret = name: service: {
${name} = {
file = "${self}/secrets/containers/${name}.age";
owner = cfg.services.${service}.user.name;
group = cfg.services.${service}.group.name;
};
};
mkNetworkService = name: _network:
nameValuePair "podman-network-${name}" {
description = "Podman network ${name} for ookflix";
@ -151,5 +143,5 @@
};
};
in {
inherit mkServiceStateFile mkServiceSecret mkBasicServiceOptions mkServiceOptions mkServiceStateDir mkServiceUser mkUserOption mkPortOption mkGroupOption mkVolumeOption mkSubdomainOption mkNetworkService;
inherit mkServiceStateFile mkBasicServiceOptions mkServiceOptions mkServiceStateDir mkServiceUser mkUserOption mkPortOption mkGroupOption mkVolumeOption mkSubdomainOption mkNetworkService;
}
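Review bot: Deleting `mkServiceSecret` removes the one place that set `owner` and `group` of a container secret to the service account (`cfg.services.${service}.user.name` / `.group.name`); whichever module now declares `vpn_env` and `cf_creds` must reproduce that ownership, because agenix's default is a root-owned mode-0400 file that an unprivileged container user cannot read. Nothing in the visible sections shows the new declarations, so this should be verified where they now live, and a comment here pointing at that location would save the next reader a search. As a point of style, the surviving export line `inherit mkServiceStateFile mkBasicServiceOptions ... mkNetworkService;` is a single very long line; one name per line keeps future diffs of this list readable. Both hunks sit inside a `let` whose beginning is outside the first hunk.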


@ -6,14 +6,13 @@
...
}: let
ookflixLib = import ../lib.nix {inherit self lib config;};
inherit (ookflixLib) mkServiceUser mkServiceSecret;
inherit (ookflixLib) mkServiceUser;
inherit (lib) mkIf;
inherit (ook.lib.container) mkContainerEnvironment;
inherit (config.ooknet.server.ookflix.services) qbittorrent gluetun;
in {
config = mkIf gluetun.enable {
users = mkServiceUser gluetun.user.name;
age.secrets = mkServiceSecret "vpn_env" "gluetun";
virtualisation.oci-containers.containers = {
# vpn container
gluetun = mkIf gluetun.enable {
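Review bot: The binding `age.secrets = mkServiceSecret "vpn_env" "gluetun";` is removed, but the container definition opened by `gluetun = mkIf gluetun.enable {` continues outside the hunk and presumably still consumes the secret (an env-file path such as `config.age.secrets.vpn_env.path`); unless the external secrets module declares `vpn_env` under exactly that name, evaluation fails, and with a guarded reference the VPN container would start without its credentials. The same consumer-side question applies to `cf_creds` in the traefik section below (`@ -19,7 +19,6 @@`). A comment where the binding used to be would document the new contract, e.g. `# vpn_env is declared by the off-shore secrets module; this module only consumes its path`.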


@ -6,7 +6,7 @@
...
}: let
ookflixLib = import ../lib.nix {inherit self lib config;};
inherit (ookflixLib) mkServiceUser mkServiceSecret mkServiceStateDir mkServiceStateFile;
inherit (ookflixLib) mkServiceUser mkServiceStateDir mkServiceStateFile;
inherit (lib) mkIf;
inherit (ook.lib.container) mkContainerEnvironment mkContainerLabel mkContainerPort;
inherit (config.ooknet) server;
@ -19,7 +19,6 @@ in {
traefikStateDir = mkServiceStateDir "traefik";
traefikAcmeFile = mkServiceStateFile "traefik" "acme.json";
};
age.secrets = mkServiceSecret "cf_creds" "traefik";
virtualisation.oci-containers.containers = {
# vpn container
traefik = mkIf traefik.enable {