secrets module overhaul, moving back to bitwarden, removed glauca dyndns

This commit is contained in:
kat witch 2021-09-01 05:44:04 +01:00
parent 1391eabee4
commit 57b35ead89
No known key found for this signature in database
GPG key ID: 1B477797DCA5EC72
26 changed files with 190 additions and 192 deletions


@ -1,10 +1,18 @@
{ config, lib, nixos, ... }:
{ config, nixos, lib, ... }:
with lib;
let
secretType = types.submodule ({ name, ... }: {
options = {
path = mkOption { type = types.str; };
field = mkOption {
type = types.str;
default = "";
};
};
});
repoSecretType = types.submodule ({ name, ... }: {
options = {
source = mkOption {
type = types.path;
@ -14,20 +22,22 @@ let
};
};
});
cfg = config.kw.secrets;
in
{
options.kw = {
secrets = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
};
repoSecrets = mkOption {
type = types.nullOr (types.attrsOf secretType);
default = null;
secrets = {
variables = mkOption {
type = types.attrsOf secretType;
default = {};
};
repo = mkOption {
type = types.attrsOf repoSecretType;
default = {};
};
};
};
config = mkIf (config.kw.secrets != null) {
deploy.tf.variables = genAttrs config.kw.secrets (n: { externalSecret = true; });
kw.repoSecrets = nixos.kw.repoSecrets;
config = {
kw.secrets.repo = nixos.kw.secrets.repo;
};
}
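Review bot: The `secretType` submodule declared in the first hunk (`path`/`field` options) is repeated verbatim in the nixos-side `secrets.nix` touched by this same commit, so the two option schemas can drift silently the next time either copy is edited. Consider defining the submodule types once in a shared file imported by both modules, or at minimum marking each copy with `# keep in sync with the nixos kw.secrets module` so the duplication is deliberate rather than accidental. The `name` argument of the `secretType` submodule function is not referenced in the visible body, so that definition could be written as a plain `types.submodule { options = { ... }; }`; whether `repoSecretType` uses `name` cannot be seen, since its body is cut by the second hunk header.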


@ -22,7 +22,6 @@ let
modules = [
tfModule
"${toString sources.tf-nix}/modules"
./secrets.nix
];
};
in


@ -1,31 +0,0 @@
{ config, lib, ... }:
with lib;
{
options = let tf = config; in
{
variables = mkOption {
type = types.attrsOf (types.submodule ({ name, config, ... }: {
options.externalSecret = mkEnableOption "Is ths secret to be templated into a command provided?";
config = mkIf config.externalSecret {
type = "string";
value.shellCommand = "${tf.commandPrefix} ${tf.folderPrefix}${tf.folderDivider}${escapeShellArg name}";
sensitive = true;
};
}));
};
commandPrefix = mkOption {
type = types.nullOr types.str;
default = null;
};
folderPrefix = mkOption {
type = types.str;
default = "";
};
folderDivider = mkOption {
type = types.str;
default = "";
};
};
}


@ -9,7 +9,6 @@
(import sources.anicca).modules.nixos
./deploy.nix
./monitoring.nix
./dyndns.nix
./secrets.nix
(sources.tf-nix + "/modules/nixos/secrets.nix")
(sources.tf-nix + "/modules/nixos/secrets-users.nix")


@ -1,55 +0,0 @@
{ config, pkgs, lib, tf, ... }:
with lib;
{
options = {
network.dns.dynamic = mkEnableOption "Enable Glauca Dynamic DNS Updater";
};
config = mkIf (false) {
kw.secrets = [
"hexdns-key"
"hexdns-secret"
"hexdns-host"
];
secrets.files.kat-glauca-dns = {
text = ''
user="${tf.variables.hexdns-key.ref}"
pass="${tf.variables.hexdns-secret.ref}"
hostname="${tf.variables.hexdns-host.ref}"
'';
};
systemd.services.kat-glauca-dns =
let updater = pkgs.writeShellScriptBin "glauca-dyndns" ''
#!/usr/bin/env bash
set -eu
ip4=$(${pkgs.curl}/bin/curl -s --ipv4 https://dns.glauca.digital/checkip)
ip6=$(${pkgs.curl}/bin/curl -s --ipv6 https://dns.glauca.digital/checkip)
source $passFile
echo "$ip4, $ip6"
${pkgs.curl}/bin/curl -u ''${user}:''${pass} --data-urlencode "hostname=''${hostname}" --data-urlencode "myip=''${ip4}" "https://dns.glauca.digital/nic/update"
echo ""
${pkgs.curl}/bin/curl -u ''${user}:''${pass} --data-urlencode "hostname=''${hostname}" --data-urlencode "myip=''${ip6}" "https://dns.glauca.digital/nic/update"
''; in
{
serviceConfig = {
ExecStart = "${updater}/bin/glauca-dyndns";
};
environment = { passFile = config.secrets.files.kat-glauca-dns.path; };
wantedBy = [ "default.target" ];
};
systemd.timers.kat-glauca-dns = {
timerConfig = {
Unit = "kat-glauca-dns.service";
OnBootSec = "5m";
OnUnitActiveSec = "1h";
};
wantedBy = [ "default.target" ];
};
};
}


@ -91,9 +91,12 @@ in
(mkIf cfg.server.enable {
network.firewall.private.tcp.ports = [ 9090 ];
kw.secrets = [
"grafana-admin-pass"
];
kw.secrets.variables = {
grafana-admin-pass = {
path = "services/grafana";
field = "admin";
};
};
secrets.files.grafana-admin-pass = {
text = "${tf.variables.grafana-admin-pass.ref}";


@ -4,6 +4,15 @@ with lib;
let
secretType = types.submodule ({ name, ... }: {
options = {
path = mkOption { type = types.str; };
field = mkOption {
type = types.str;
default = "";
};
};
});
repoSecretType = types.submodule ({ name, ... }: {
options = {
source = mkOption {
type = types.path;
@ -13,19 +22,36 @@ let
};
};
});
cfg = config.kw.secrets;
in
{
options.kw = {
secrets = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
};
repoSecrets = mkOption {
type = types.nullOr (types.attrsOf secretType);
default = null;
secrets = {
command = mkOption {
type = types.str;
};
variables = mkOption {
type = types.attrsOf secretType;
default = {};
};
repo = mkOption {
type = types.attrsOf repoSecretType;
default = {};
};
};
};
config = mkIf (config.kw.secrets != null) {
deploy.tf.variables = genAttrs config.kw.secrets (n: { externalSecret = true; });
};
config = lib.mkMerge [
{
kw.secrets.variables = lib.mkMerge (mapAttrsToList (username: user: user.kw.secrets.variables) config.home-manager.users);
}
(mkIf (cfg.variables != {}) {
deploy.tf.variables = mapAttrs' (name: content:
nameValuePair name ({
value.shellCommand = "${cfg.command} ${content.path}" + optionalString (content.field != "") " -f ${content.field}";
type = "string";
sensitive = true;
})
) cfg.variables;
})
];
}
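Review bot: The `value.shellCommand` built inside the `deploy.tf.variables` mapping splices `content.path` and `content.field` into the command string unquoted, so a path or field containing whitespace or shell metacharacters would be word-split or interpreted by the shell instead of reaching `${cfg.command}` as a single argument. The tf-side `secrets.nix` removed by this commit wrapped the interpolated name in `escapeShellArg`; the rewrite drops that protection. Suggest `value.shellCommand = "${cfg.command} ${escapeShellArg content.path}" + optionalString (content.field != "") " -f ${escapeShellArg content.field}";`, which needs no new import since `escapeShellArg` is already available through `with lib;`. Separately, `kw.secrets.command` is declared as `types.str` with no default, so any host importing this module with a non-empty `variables` set will fail to evaluate until it is assigned; giving the option a `description = "Command that prints a secret given its path and an optional field; invoked when Terraform resolves sensitive variables."` would make that requirement visible at the declaration.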