Make secret path configurable (mainly for container support).

'/secret/hostName' is still required.
This commit is contained in:
Kevin Baensch 2019-08-28 15:56:19 +02:00
parent 7d70e000ce
commit fd14a260c0
8 changed files with 18 additions and 11 deletions

View file

@ -1,4 +1,4 @@
{ lib, ... }:
{ config, lib, ... }:
{
nix = {
@ -9,7 +9,7 @@
extraOptions = ''
build-timeout = 86400 # 24 hours
'';
binaryCachePublicKeys = [ (lib.fileContents /secret/hydra_cache.pub) ];
binaryCachePublicKeys = [ (lib.fileContents "${config.machine.secretPath}/hydra_cache.pub") ];
trustedBinaryCaches = [
"https://cache.nixos.org"
"https://cache.ophanim.de"

View file

@ -18,8 +18,8 @@ let
++ (if config.services.printing.enable then [ "cups" "lp" ] else [])
++ (if config.virtualisation.docker.enable then [ "docker"] else []);
shell = "${pkgs.zsh}/bin/zsh";
passwordFile = "/secret/${user.name}";
openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "/secret/${user.name}.pub" ] else [];
passwordFile = "${config.machine.secretPath}/${user.name}";
openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "${config.machine.secretPath}/${user.name}.pub" ] else [];
};
};

View file

@ -34,6 +34,13 @@ with lib;
The Machines HostName
'';
};
secretPath = mkOption {
type = types.string;
default = "/secret";
description = ''
Path to you systems secret folder containing files with sensitive information.
'';
};
administrators = mkOption {
type = types.listOf types.attrs;
description = ''

View file

@ -13,7 +13,7 @@ mkIf (elem "gitea" config.machine.services) {
type = "mysql";
user = "git";
name = "gitea";
passwordFile = "/secret/gitea_db";
passwordFile = "${config.machine.secretPath}/gitea_db";
};
extraConfig = ''
[repository]

View file

@ -36,7 +36,7 @@ mkIf (elem "hydra" config.machine.services) {
# hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
extraConfig = ''
max_output_size = 4294967296
store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br
store_uri = file:///var/cache/hydra?secret-key=${config.machine.secretPath}/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br
# add ?local-nar-cache= to set nar cache location
server_store_uri = https://cache.${config.machine.domain}
binary_cache_public_uri https://cache.${config.machine.domain}
@ -48,7 +48,7 @@ mkIf (elem "hydra" config.machine.services) {
enable = true;
bindAddress = "0.0.0.0";
port = 5000;
secretKeyFile = "/secret/hydra_cache";
secretKeyFile = "${config.machine.secretPath}/hydra_cache";
extraParams = ''
# Dont know how to change the store root yet...
# --user hydra-queue-runner

View file

@ -9,7 +9,7 @@ mkIf (elem "mailserver" config.machine.services) {
mkUser = user: rec {
name = "${user.name}@${domain}";
value = {
hashedPassword = (fileContents "/secret/${user.name}.mail");
hashedPassword = (fileContents "${config.machine.secretPath}/${user.name}.mail");
aliases = [ "${user.name}@mail.${domain}" ] ++ (flatten (map mkFqdnAlias user.aliases));
};
};

View file

@ -6,7 +6,7 @@ let
cfg = config.services;
mkInitialDatabases = servicename: if (cfg."${servicename}".enable && (cfg."${servicename}".database.type == "mysql")) then
let
password = (fileContents "/secret/${servicename}_db");
password = (fileContents "${config.machine.secretPath}/${servicename}_db");
cfg = config.services."${servicename}".database;
in {
name = cfg.name;

View file

@ -11,12 +11,12 @@ mkIf (elem "nextcloud" config.machine.services) {
maxUploadSize = "1024M";
config = {
adminuser = "derped";
adminpassFile = "/secret/nextcloud_admin";
adminpassFile = "${config.machine.secretPath}/nextcloud_admin";
dbtype = "mysql";
dbhost = "localhost";
dbport = "3306";
dbuser = "nextcloud";
dbpassFile = "/secret/nextcloud_db";
dbpassFile = "${config.machine.secretPath}/nextcloud_db";
dbname = "nextcloud";
dbtableprefix = "oc_";
};