krebs: <secret -> krebs.secret.directory

This commit is contained in:
lassulus 2023-09-07 19:00:57 +02:00
parent 39c4ee8f92
commit 083229d021
13 changed files with 20 additions and 18 deletions

View file

@ -24,7 +24,7 @@ in {
path = "/var/lib/step-ca/intermediate_ca.key";
owner.name = "root";
mode = "1444";
source-path = builtins.toString <secrets> + "/acme_ca.key";
source-path = "${config.krebs.secret.directory}/acme_ca.key";
};
services.step-ca = {
enable = true;

View file

@ -108,7 +108,7 @@ in {
krebs.secret.files.calendar = {
path = "/var/lib/radicale/.ssh/id_ed25519";
owner = { name = "radicale"; };
source-path = "${<secrets/radicale.id_ed25519>}";
source-path = "${config.krebs.secret.directory}/radicale.id_ed25519";
};
security.sudo.extraConfig = ''

View file

@ -1,6 +1,7 @@
{ config, ... }:
{
krebs.sync-containers3.containers.hotdog = {
sshKey = "${toString <secrets>}/hotdog.sync.key";
sshKey = "${config.krebs.secret.directory}/hotdog.sync.key";
};
containers.hotdog.bindMounts."/var/lib" = {
hostPath = "/var/lib/sync-containers3/hotdog/state";

View file

@ -1,5 +1,6 @@
{ config, ... }:
{
krebs.sync-containers3.containers.news = {
sshKey = "${toString <secrets>}/news.sync.key";
sshKey = "${config.krebs.secret.directory}/news.sync.key";
};
}

View file

@ -98,7 +98,7 @@ in {
krebs.secret.files.konsens = {
path = "/var/lib/konsens/.ssh/id_ed25519";
owner = konsens-user;
source-path = "${<secrets/konsens.id_ed25519>}";
source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>";
};
imports = [

View file

@ -10,8 +10,8 @@ in {
services.syncthing = {
enable = true;
configDir = "/var/lib/syncthing";
key = toString <secrets/syncthing.key>;
cert = toString <secrets/syncthing.cert>;
key = "${config.krebs.secret.directory}/syncthing.key";
cert = "${config.krebs.secret.directory}/syncthing.cert";
# workaround for infinite recursion on unstable, remove in 23.11
} // (if builtins.hasAttr "settings" options.services.syncthing then
{ settings.devices = mk_peers used_peers; }

View file

@ -13,12 +13,12 @@
config.krebs.users.makefu.pubkey
config.krebs.users.tv.pubkey
];
hostKeys = [ <secrets/initrd/openssh_host_ecdsa_key> ];
hostKeys = [ "${config.krebs.secret.directory}/initrd/openssh_host_ecdsa_key" ];
};
boot.initrd.availableKernelModules = [ "e1000e" ];
boot.initrd.secrets = {
"/etc/tor/onion/bootup" = <secrets/initrd>;
"/etc/tor/onion/bootup" = "${config.krebs.secret.directory}/initrd";
};
boot.initrd.extraUtilsCommands = ''

View file

@ -96,7 +96,7 @@ in
krebs.secret.files.gollum = {
path = "${config.services.gollum.stateDir}/.ssh/id_ed25519";
owner = { name = "gollum"; };
source-path = "${<secrets/gollum.id_ed25519>}";
source-path = "${config.krebs.secret.directory}/gollum.id_ed25519";
};
security.sudo.extraConfig = ''

View file

@ -20,14 +20,14 @@ let
};
dkim = mkOption {
type = types.listOf (types.submodule ({ config, ... }: {
type = types.listOf (types.submodule (dkim: {
options = {
domain = mkOption {
type = types.str;
};
private_key = mkOption {
type = types.absolute-pathname;
default = toString <secrets> + "/${config.domain}.dkim.priv";
default = "${config.krebs.secret.directory}/${dkim.config.domain}.dkim.priv";
defaultText = "secrets/domain.dkim.priv";
};
selector = mkOption {

View file

@ -22,7 +22,7 @@ let
};
ssh-identity-file = mkOption {
type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
default = toString <secrets/github-hosts-sync.ssh.id_ed25519>;
default = "${config.krebs.secret.directory}/github-hosts-sync.ssh.id_ed25519";
defaultText = "secrets/github-hosts-sync.ssh.id_ed25519";
};
url = mkOption {

View file

@ -123,7 +123,7 @@ let
privateKeyFile = mkOption {
type = types.absolute-pathname;
default = toString <secrets> + "/repo-sync.ssh.key";
default = "${config.krebs.secret.directory}/repo-sync.ssh.key";
defaultText = "secrets/repo-sync.ssh.key";
};

View file

@ -14,12 +14,12 @@ in
sslCertificate = mkOption {
type = types.str;
description = "Certificate file to use for ssl";
default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
default = "${config.krebs.secret.directory}/tinc.krebsco.de.crt" ;
};
sslCertificateKey = mkOption {
type = types.str;
description = "Certificate key to use for ssl";
default = "${toString <secrets>}/tinc.krebsco.de.key";
default = "${config.krebs.secret.directory}/tinc.krebsco.de.key";
};
# in use:
# <secrets/tinc.krebsco.de.crt>

View file

@ -149,7 +149,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
privkey = mkOption {
type = types.absolute-pathname;
default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv";
defaultText = "secrets/netname.rsa_key.priv";
};
@ -158,7 +158,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
default =
if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null
then null
else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv";
defaultText = "secrets/netname.ed25519_key.priv";
};