secrets: refactor to centralize setup
This commit is contained in:
parent
53ae9598b2
commit
aade188ad5
3 changed files with 28 additions and 16 deletions
|
@ -59,13 +59,6 @@
|
|||
];
|
||||
};
|
||||
|
||||
age.secrets."inx.moe.pem".owner = "nginx";
|
||||
age.secrets."inx.moe.pem".group = "nginx";
|
||||
age.secrets."inx.moe.key".owner = "nginx";
|
||||
age.secrets."inx.moe.key".group = "nginx";
|
||||
age.secrets."vaultwarden".owner = "vaultwarden";
|
||||
age.secrets."vaultwarden".group = "vaultwarden";
|
||||
|
||||
services = {
|
||||
nginx =
|
||||
let
|
||||
|
|
|
@ -35,8 +35,6 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
secrets = mkOpt (attrsOf path) { };
|
||||
|
||||
universe = {
|
||||
packages = mkOpt (listOf package) [ ];
|
||||
};
|
||||
|
@ -57,7 +55,5 @@ in
|
|||
environment.variables = mkAliasDefinitions options.env;
|
||||
|
||||
environment.persistence."/persist" = mkAliasDefinitions options.persist;
|
||||
|
||||
secrets = mapAttrs (n: v: v.path) config.age.secrets;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,13 +1,36 @@
|
|||
{ lib, self, config, ... }:
|
||||
let
|
||||
inherit (lib) filterAttrs nameValuePair hasSuffix removeSuffix mapAttrs mapAttrs' hasAttr mkIf mkMerge optionalAttrs;
|
||||
inherit (lib.our) mkOpt;
|
||||
inherit (lib.types) bool attrsOf path;
|
||||
|
||||
folder = ./.;
|
||||
toFile = name: "${folder}/${name}";
|
||||
filterSecrets = key: value: value == "regular" && lib.hasSuffix ".age" key;
|
||||
filtered = (lib.filterAttrs filterSecrets (builtins.readDir folder));
|
||||
secrets = lib.mapAttrs' (n: v: lib.nameValuePair (lib.removeSuffix ".age" n) { file = toFile n; }) filtered;
|
||||
filterSecrets = key: value: value == "regular" && hasSuffix ".age" key;
|
||||
filtered = (filterAttrs filterSecrets (builtins.readDir folder));
|
||||
secrets = mapAttrs' (n: v: nameValuePair (removeSuffix ".age" n) { file = toFile n; }) filtered;
|
||||
|
||||
setOwner = name: { owner = name; group = name; };
|
||||
in
|
||||
{
|
||||
options.modules.secrets.enable = lib.our.mkOpt lib.types.bool true;
|
||||
options = {
|
||||
modules.secrets.enable = mkOpt bool true;
|
||||
secrets = mkOpt (attrsOf path) { };
|
||||
};
|
||||
|
||||
config.age.secrets = lib.mkIf config.modules.secrets.enable secrets;
|
||||
config = mkMerge [
|
||||
{
|
||||
age.secrets = mkIf config.modules.secrets.enable secrets;
|
||||
secrets = mapAttrs (n: v: v.path) config.age.secrets;
|
||||
}
|
||||
|
||||
# Set ownership of keys
|
||||
(mkIf config.services.nginx.enable {
|
||||
age.secrets."inx.moe.pem" = setOwner "nginx";
|
||||
age.secrets."inx.moe.key" = setOwner "nginx";
|
||||
})
|
||||
(mkIf config.services.vaultwarden.enable {
|
||||
age.secrets."vaultwarden" = setOwner "vaultwarden";
|
||||
})
|
||||
];
|
||||
}
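Review bot: The ownership entries in the new `config = mkMerge [ … ]` block are gated only on `config.services.nginx.enable` / `config.services.vaultwarden.enable`, not on `config.modules.secrets.enable`, while the `age.secrets = mkIf config.modules.secrets.enable secrets;` line above them is; with the module disabled and nginx enabled, `age.secrets."inx.moe.pem"` would be defined with only `owner`/`group` and no `file`, which presumably fails evaluation if the secret submodule requires `file`. Gating the two blocks on both flags avoids that, e.g. `(mkIf (config.modules.secrets.enable && config.services.nginx.enable) {` and likewise `(mkIf (config.modules.secrets.enable && config.services.vaultwarden.enable) {`. The same holds if one of the named `.age` files is absent from the folder, since `secrets` is derived from `builtins.readDir`. The `inherit (lib) …` line also brings in `hasAttr` and `optionalAttrs`, which nothing in the module uses; drop them or use them for the guard. The comment `# Set ownership of keys` would read better as `# Decrypted secrets are chowned to the consuming service so it can read them without root privileges; only applied when that service is enabled`.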
|
||||
|
|