Make secret path configurable (mainly for container support).

'/secret/hostName' is still required.
This commit is contained in:
Kevin Baensch 2019-08-28 15:56:19 +02:00
parent 7d70e000ce
commit fd14a260c0
8 changed files with 18 additions and 11 deletions


@ -1,4 +1,4 @@
{ lib, ... }: { config, lib, ... }:
{ {
nix = { nix = {
@ -9,7 +9,7 @@
extraOptions = '' extraOptions = ''
build-timeout = 86400 # 24 hours build-timeout = 86400 # 24 hours
''; '';
binaryCachePublicKeys = [ (lib.fileContents /secret/hydra_cache.pub) ]; binaryCachePublicKeys = [ (lib.fileContents "${config.machine.secretPath}/hydra_cache.pub") ];
trustedBinaryCaches = [ trustedBinaryCaches = [
"https://cache.nixos.org" "https://cache.nixos.org"
"https://cache.ophanim.de" "https://cache.ophanim.de"


@ -18,8 +18,8 @@ let
++ (if config.services.printing.enable then [ "cups" "lp" ] else []) ++ (if config.services.printing.enable then [ "cups" "lp" ] else [])
++ (if config.virtualisation.docker.enable then [ "docker"] else []); ++ (if config.virtualisation.docker.enable then [ "docker"] else []);
shell = "${pkgs.zsh}/bin/zsh"; shell = "${pkgs.zsh}/bin/zsh";
passwordFile = "/secret/${user.name}"; passwordFile = "${config.machine.secretPath}/${user.name}";
openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "/secret/${user.name}.pub" ] else []; openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "${config.machine.secretPath}/${user.name}.pub" ] else [];
}; };
}; };


@ -34,6 +34,13 @@ with lib;
The Machines HostName The Machines HostName
''; '';
}; };
secretPath = mkOption {
type = types.string;
default = "/secret";
description = ''
Path to you systems secret folder containing files with sensitive information.
'';
};
administrators = mkOption { administrators = mkOption {
type = types.listOf types.attrs; type = types.listOf types.attrs;
description = '' description = ''
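Review bot: The new `secretPath` option is declared with `type = types.string;`, which nixpkgs has deprecated in favour of `types.str`; `types.str` should be used here rather than `types.path`, because a path-typed value would be copied into the world-readable Nix store at evaluation time, which is exactly what a secret directory must avoid. The description also has wording slips and should read `Path to your system's secret folder containing files with sensitive information.`, and since the commit message says `/secret/hostName` is still read from the fixed location, the description is the place to state that this option does not affect it. The `options.machine` attribute set enclosing this hunk starts and ends outside it.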


@ -13,7 +13,7 @@ mkIf (elem "gitea" config.machine.services) {
type = "mysql"; type = "mysql";
user = "git"; user = "git";
name = "gitea"; name = "gitea";
passwordFile = "/secret/gitea_db"; passwordFile = "${config.machine.secretPath}/gitea_db";
}; };
extraConfig = '' extraConfig = ''
[repository] [repository]


@ -36,7 +36,7 @@ mkIf (elem "hydra" config.machine.services) {
# hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead # hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
extraConfig = '' extraConfig = ''
max_output_size = 4294967296 max_output_size = 4294967296
store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br store_uri = file:///var/cache/hydra?secret-key=${config.machine.secretPath}/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br
# add ?local-nar-cache= to set nar cache location # add ?local-nar-cache= to set nar cache location
server_store_uri = https://cache.${config.machine.domain} server_store_uri = https://cache.${config.machine.domain}
binary_cache_public_uri https://cache.${config.machine.domain} binary_cache_public_uri https://cache.${config.machine.domain}
@ -48,7 +48,7 @@ mkIf (elem "hydra" config.machine.services) {
enable = true; enable = true;
bindAddress = "0.0.0.0"; bindAddress = "0.0.0.0";
port = 5000; port = 5000;
secretKeyFile = "/secret/hydra_cache"; secretKeyFile = "${config.machine.secretPath}/hydra_cache";
extraParams = '' extraParams = ''
# Dont know how to change the store root yet... # Dont know how to change the store root yet...
# --user hydra-queue-runner # --user hydra-queue-runner
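Review bot: On the `store_uri` line of the first hunk, `${config.machine.secretPath}` is now user-controlled and is interpolated unescaped into the query part of a URI, so a configured path containing `&`, `?` or `#` would likely alter how the `secret-key` parameter is parsed, whereas every other hunk in this commit uses the path as a plain filename. A comment beside that line, `# secretPath must not contain URI query delimiters (& ? #); it is spliced into store_uri unescaped`, or an assertion on the option value would make the constraint explicit. The `mkIf` attribute set enclosing both hunks starts before and ends after them.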


@ -9,7 +9,7 @@ mkIf (elem "mailserver" config.machine.services) {
mkUser = user: rec { mkUser = user: rec {
name = "${user.name}@${domain}"; name = "${user.name}@${domain}";
value = { value = {
hashedPassword = (fileContents "/secret/${user.name}.mail"); hashedPassword = (fileContents "${config.machine.secretPath}/${user.name}.mail");
aliases = [ "${user.name}@mail.${domain}" ] ++ (flatten (map mkFqdnAlias user.aliases)); aliases = [ "${user.name}@mail.${domain}" ] ++ (flatten (map mkFqdnAlias user.aliases));
}; };
}; };
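Review bot: The new side of the `hashedPassword` line still wraps the file in `fileContents`, so the hash is read at evaluation time and embedded in the evaluated configuration, which typically lands in the world-readable Nix store; making the directory configurable does not change where the value ends up. The same pattern is on the `password = (fileContents ...)` line of the mysql `mkInitialDatabases` hunk, where the value is a plaintext database password rather than a hash. Where the consuming module accepts a file path read at activation time (as the gitea, nextcloud and user `passwordFile` hunks do) that form is preferable; where it does not, a comment such as `# NOTE: read at eval time — the value is copied into the Nix store` on both lines would at least make the trade-off visible. The `let` block defining `mkUser` starts outside this hunk.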


@ -6,7 +6,7 @@ let
cfg = config.services; cfg = config.services;
mkInitialDatabases = servicename: if (cfg."${servicename}".enable && (cfg."${servicename}".database.type == "mysql")) then mkInitialDatabases = servicename: if (cfg."${servicename}".enable && (cfg."${servicename}".database.type == "mysql")) then
let let
password = (fileContents "/secret/${servicename}_db"); password = (fileContents "${config.machine.secretPath}/${servicename}_db");
cfg = config.services."${servicename}".database; cfg = config.services."${servicename}".database;
in { in {
name = cfg.name; name = cfg.name;


@ -11,12 +11,12 @@ mkIf (elem "nextcloud" config.machine.services) {
maxUploadSize = "1024M"; maxUploadSize = "1024M";
config = { config = {
adminuser = "derped"; adminuser = "derped";
adminpassFile = "/secret/nextcloud_admin"; adminpassFile = "${config.machine.secretPath}/nextcloud_admin";
dbtype = "mysql"; dbtype = "mysql";
dbhost = "localhost"; dbhost = "localhost";
dbport = "3306"; dbport = "3306";
dbuser = "nextcloud"; dbuser = "nextcloud";
dbpassFile = "/secret/nextcloud_db"; dbpassFile = "${config.machine.secretPath}/nextcloud_db";
dbname = "nextcloud"; dbname = "nextcloud";
dbtableprefix = "oc_"; dbtableprefix = "oc_";
}; };