Make secret path configurable (mainly for container support).

'/secret/hostName' is still required.
2019-08-28 15:56:19 +02:00 · 2019-08-28 15:56:19 +02:00 · fd14a260c0
parent 7d70e000ce
commit fd14a260c0
8 changed files with 18 additions and 11 deletions
--- a/config/nix.nix
+++ b/config/nix.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:

 {
  nix = {
@ -9,7 +9,7 @@
    extraOptions = ''
      build-timeout = 86400  # 24 hours
    '';
-    binaryCachePublicKeys = [ (lib.fileContents /secret/hydra_cache.pub) ];
+    binaryCachePublicKeys = [ (lib.fileContents "${config.machine.secretPath}/hydra_cache.pub") ];
    trustedBinaryCaches = [
      "https://cache.nixos.org"
      "https://cache.ophanim.de"
--- a/config/users.nix
+++ b/config/users.nix
@ -18,8 +18,8 @@ let
        ++ (if config.services.printing.enable then [ "cups" "lp" ] else [])
        ++ (if config.virtualisation.docker.enable then [ "docker"] else []);
      shell = "${pkgs.zsh}/bin/zsh";
-      passwordFile = "/secret/${user.name}";
-      openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "/secret/${user.name}.pub" ] else [];
+      passwordFile = "${config.machine.secretPath}/${user.name}";
+      openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "${config.machine.secretPath}/${user.name}.pub" ] else [];
    };
  };

--- a/options/machine.nix
+++ b/options/machine.nix
@ -34,6 +34,13 @@ with lib;
        The Machines HostName
      '';
    };
+    secretPath = mkOption {
+      type = types.string;
+      default = "/secret";
+      description = ''
+        Path to you systems secret folder containing files with sensitive information.
+      '';
+    };
    administrators = mkOption {
      type = types.listOf types.attrs;
      description = ''
--- a/services/gitea.nix
+++ b/services/gitea.nix
@ -13,7 +13,7 @@ mkIf (elem "gitea" config.machine.services) {
      type = "mysql";
      user = "git";
      name = "gitea";
-      passwordFile = "/secret/gitea_db";
+      passwordFile = "${config.machine.secretPath}/gitea_db";
    };
    extraConfig = ''
      [repository]
--- a/services/hydra.nix
+++ b/services/hydra.nix
@ -36,7 +36,7 @@ mkIf (elem "hydra" config.machine.services) {
    # hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
    extraConfig = ''
      max_output_size = 4294967296
-      store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br
+      store_uri = file:///var/cache/hydra?secret-key=${config.machine.secretPath}/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br
      # add ?local-nar-cache= to set nar cache location
      server_store_uri = https://cache.${config.machine.domain}
      binary_cache_public_uri https://cache.${config.machine.domain}
@ -48,7 +48,7 @@ mkIf (elem "hydra" config.machine.services) {
    enable = true;
    bindAddress = "0.0.0.0";
    port = 5000;
-    secretKeyFile = "/secret/hydra_cache";
+    secretKeyFile = "${config.machine.secretPath}/hydra_cache";
    extraParams = ''
 # Dont know how to change the store root yet...
 #      --user hydra-queue-runner
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@ -9,7 +9,7 @@ mkIf (elem "mailserver" config.machine.services) {
    mkUser = user: rec {
      name = "${user.name}@${domain}";
      value = {
-        hashedPassword = (fileContents "/secret/${user.name}.mail");
+        hashedPassword = (fileContents "${config.machine.secretPath}/${user.name}.mail");
        aliases = [ "${user.name}@mail.${domain}" ] ++ (flatten (map mkFqdnAlias user.aliases));
      };
    };
--- a/services/mariaDB.nix
+++ b/services/mariaDB.nix
@ -6,7 +6,7 @@ let
  cfg = config.services;
  mkInitialDatabases = servicename: if (cfg."${servicename}".enable && (cfg."${servicename}".database.type == "mysql")) then
    let 
-      password = (fileContents "/secret/${servicename}_db");
+      password = (fileContents "${config.machine.secretPath}/${servicename}_db");
      cfg = config.services."${servicename}".database;
    in {
      name = cfg.name;
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -11,12 +11,12 @@ mkIf (elem "nextcloud" config.machine.services) {
    maxUploadSize = "1024M";
    config = {
      adminuser = "derped";
-      adminpassFile = "/secret/nextcloud_admin";
+      adminpassFile = "${config.machine.secretPath}/nextcloud_admin";
      dbtype = "mysql";
      dbhost = "localhost";
      dbport = "3306";
      dbuser = "nextcloud";
-      dbpassFile = "/secret/nextcloud_db";
+      dbpassFile = "${config.machine.secretPath}/nextcloud_db";
      dbname = "nextcloud";
      dbtableprefix = "oc_";
    };