krebs: <secret -> krebs.secret.directory

This commit is contained in:
lassulus 2023-09-07 19:00:57 +02:00
parent 39c4ee8f92
commit 083229d021
13 changed files with 20 additions and 18 deletions


@ -24,7 +24,7 @@ in {
path = "/var/lib/step-ca/intermediate_ca.key"; path = "/var/lib/step-ca/intermediate_ca.key";
owner.name = "root"; owner.name = "root";
mode = "1444"; mode = "1444";
source-path = builtins.toString <secrets> + "/acme_ca.key"; source-path = "${config.krebs.secret.directory}/acme_ca.key";
}; };
services.step-ca = { services.step-ca = {
enable = true; enable = true;


@ -108,7 +108,7 @@ in {
krebs.secret.files.calendar = { krebs.secret.files.calendar = {
path = "/var/lib/radicale/.ssh/id_ed25519"; path = "/var/lib/radicale/.ssh/id_ed25519";
owner = { name = "radicale"; }; owner = { name = "radicale"; };
source-path = "${<secrets/radicale.id_ed25519>}"; source-path = "${config.krebs.secret.directory}/radicale.id_ed25519";
}; };
security.sudo.extraConfig = '' security.sudo.extraConfig = ''


@ -1,6 +1,7 @@
{ config, ... }:
{ {
krebs.sync-containers3.containers.hotdog = { krebs.sync-containers3.containers.hotdog = {
sshKey = "${toString <secrets>}/hotdog.sync.key"; sshKey = "${config.krebs.secret.directory}/hotdog.sync.key";
}; };
containers.hotdog.bindMounts."/var/lib" = { containers.hotdog.bindMounts."/var/lib" = {
hostPath = "/var/lib/sync-containers3/hotdog/state"; hostPath = "/var/lib/sync-containers3/hotdog/state";


@ -1,5 +1,6 @@
{ config, ... }:
{ {
krebs.sync-containers3.containers.news = { krebs.sync-containers3.containers.news = {
sshKey = "${toString <secrets>}/news.sync.key"; sshKey = "${config.krebs.secret.directory}/news.sync.key";
}; };
} }


@ -98,7 +98,7 @@ in {
krebs.secret.files.konsens = { krebs.secret.files.konsens = {
path = "/var/lib/konsens/.ssh/id_ed25519"; path = "/var/lib/konsens/.ssh/id_ed25519";
owner = konsens-user; owner = konsens-user;
source-path = "${<secrets/konsens.id_ed25519>}"; source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>";
}; };
imports = [ imports = [
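Review bot: The new `source-path` for the konsens key carries a stray `>` at the end of the file name, `"${config.krebs.secret.directory}/konsens.id_ed25519>"`, left over from the old `<secrets/…>` lookup syntax. As written the module will look for a file literally named `konsens.id_ed25519>` in the secret directory, so the secret will not be found and the konsens SSH identity will not be installed. The line should read `source-path = "${config.krebs.secret.directory}/konsens.id_ed25519";`, matching the radicale and gollum hunks in this commit. The enclosing attribute set continues outside the hunk.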


@ -10,8 +10,8 @@ in {
services.syncthing = { services.syncthing = {
enable = true; enable = true;
configDir = "/var/lib/syncthing"; configDir = "/var/lib/syncthing";
key = toString <secrets/syncthing.key>; key = "${config.krebs.secret.directory}/syncthing.key";
cert = toString <secrets/syncthing.cert>; cert = "${config.krebs.secret.directory}/syncthing.cert";
# workaround for infinite recursion on unstable, remove in 23.11 # workaround for infinite recursion on unstable, remove in 23.11
} // (if builtins.hasAttr "settings" options.services.syncthing then } // (if builtins.hasAttr "settings" options.services.syncthing then
{ settings.devices = mk_peers used_peers; } { settings.devices = mk_peers used_peers; }


@ -13,12 +13,12 @@
config.krebs.users.makefu.pubkey config.krebs.users.makefu.pubkey
config.krebs.users.tv.pubkey config.krebs.users.tv.pubkey
]; ];
hostKeys = [ <secrets/initrd/openssh_host_ecdsa_key> ]; hostKeys = [ "${config.krebs.secret.directory}/initrd/openssh_host_ecdsa_key" ];
}; };
boot.initrd.availableKernelModules = [ "e1000e" ]; boot.initrd.availableKernelModules = [ "e1000e" ];
boot.initrd.secrets = { boot.initrd.secrets = {
"/etc/tor/onion/bootup" = <secrets/initrd>; "/etc/tor/onion/bootup" = "${config.krebs.secret.directory}/initrd";
}; };
boot.initrd.extraUtilsCommands = '' boot.initrd.extraUtilsCommands = ''


@ -96,7 +96,7 @@ in
krebs.secret.files.gollum = { krebs.secret.files.gollum = {
path = "${config.services.gollum.stateDir}/.ssh/id_ed25519"; path = "${config.services.gollum.stateDir}/.ssh/id_ed25519";
owner = { name = "gollum"; }; owner = { name = "gollum"; };
source-path = "${<secrets/gollum.id_ed25519>}"; source-path = "${config.krebs.secret.directory}/gollum.id_ed25519";
}; };
security.sudo.extraConfig = '' security.sudo.extraConfig = ''


@ -20,14 +20,14 @@ let
}; };
dkim = mkOption { dkim = mkOption {
type = types.listOf (types.submodule ({ config, ... }: { type = types.listOf (types.submodule (dkim: {
options = { options = {
domain = mkOption { domain = mkOption {
type = types.str; type = types.str;
}; };
private_key = mkOption { private_key = mkOption {
type = types.absolute-pathname; type = types.absolute-pathname;
default = toString <secrets> + "/${config.domain}.dkim.priv"; default = "${config.krebs.secret.directory}/${dkim.config.domain}.dkim.priv";
defaultText = "secrets/domain.dkim.priv"; defaultText = "secrets/domain.dkim.priv";
}; };
selector = mkOption { selector = mkOption {
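Review bot: The `defaultText` on `private_key` still reads `"secrets/domain.dkim.priv"` while the `default` directly above it now resolves under `config.krebs.secret.directory`, so the generated option documentation no longer describes where the key is actually read from. The same stale `defaultText` is left in place for `ssh-identity-file` (github-hosts-sync), `privateKeyFile` (repo-sync) and both tinc `privkey` defaults in this commit. I would update each to name the new base, e.g. `defaultText = "\${config.krebs.secret.directory}/domain.dkim.priv";`. Renaming the submodule argument from `config` to `dkim` is what makes the outer `config` reachable here; that presumably requires the enclosing module to bind `config` in its argument set, which is outside the hunk.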


@ -22,7 +22,7 @@ let
}; };
ssh-identity-file = mkOption { ssh-identity-file = mkOption {
type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"]; type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
default = toString <secrets/github-hosts-sync.ssh.id_ed25519>; default = "${config.krebs.secret.directory}/github-hosts-sync.ssh.id_ed25519";
defaultText = "secrets/github-hosts-sync.ssh.id_ed25519"; defaultText = "secrets/github-hosts-sync.ssh.id_ed25519";
}; };
url = mkOption { url = mkOption {


@ -123,7 +123,7 @@ let
privateKeyFile = mkOption { privateKeyFile = mkOption {
type = types.absolute-pathname; type = types.absolute-pathname;
default = toString <secrets> + "/repo-sync.ssh.key"; default = "${config.krebs.secret.directory}/repo-sync.ssh.key";
defaultText = "secrets/repo-sync.ssh.key"; defaultText = "secrets/repo-sync.ssh.key";
}; };


@ -14,12 +14,12 @@ in
sslCertificate = mkOption { sslCertificate = mkOption {
type = types.str; type = types.str;
description = "Certificate file to use for ssl"; description = "Certificate file to use for ssl";
default = "${toString <secrets>}/tinc.krebsco.de.crt" ; default = "${config.krebs.secret.directory}/tinc.krebsco.de.crt" ;
}; };
sslCertificateKey = mkOption { sslCertificateKey = mkOption {
type = types.str; type = types.str;
description = "Certificate key to use for ssl"; description = "Certificate key to use for ssl";
default = "${toString <secrets>}/tinc.krebsco.de.key"; default = "${config.krebs.secret.directory}/tinc.krebsco.de.key";
}; };
# in use: # in use:
# <secrets/tinc.krebsco.de.crt> # <secrets/tinc.krebsco.de.crt>
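Review bot: The trailing `# in use:` comment still lists the certificate as `<secrets/tinc.krebsco.de.crt>`, which is the lookup form this commit removes from both defaults above it, so the comment now points readers at a path syntax that is no longer used anywhere in the option. I would rewrite it as `# in use: ${config.krebs.secret.directory}/tinc.krebsco.de.crt` (and the matching `.key` line, if it follows) so the comment and the defaults agree. The comment block continues outside the hunk.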


@ -149,7 +149,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
privkey = mkOption { privkey = mkOption {
type = types.absolute-pathname; type = types.absolute-pathname;
default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv"; default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv";
defaultText = "secrets/netname.rsa_key.priv"; defaultText = "secrets/netname.rsa_key.priv";
}; };
@ -158,7 +158,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
default = default =
if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null
then null then null
else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv"; else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv";
defaultText = "secrets/netname.ed25519_key.priv"; defaultText = "secrets/netname.ed25519_key.priv";
}; };