my over complex system configurations dotfiles.isabelroses.com/
nixos nix flake dotfiles linux

various: mkSystemSecret -> mkSecret

isabel c186e968 3964532a

+63 -63
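--- a/modules/flake/lib/default.nix
+++ b/modules/flake/lib/default.nix
@@ -28,7 +28,7 @@
 indexOf
 intListToStringList
 ;
-inherit (final.secrets) mkSystemSecret;
+inherit (final.secrets) mkSecret;
 inherit (final.services) mkGraphicalService mkServiceOption;
 inherit (final.validators)
 ifTheyExist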
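--- a/modules/flake/lib/secrets.nix
+++ b/modules/flake/lib/secrets.nix
@@ -15,13 +15,13 @@
 # Type
 
 ```
-mkSystemSecret :: (String -> String -> String -> String) -> AttrSet
+mkSecret :: (String -> String -> String -> String) -> AttrSet
 ```
 
 # Example
 
 ```nix
-mkSystemSecret { file = "./my-secret.age"; }
+mkSecret { file = "./my-secret.age"; }
 => {
 file = "./my-secret.age";
 owner = "root";
@@ -30,7 +30,7 @@
 }
 ```
 */
-mkSystemSecret =
+mkSecret =
 {
 file,
 owner ? "root",
@@ -53,5 +53,5 @@
 // args';
 in
 {
-inherit mkSystemSecret;
+inherit mkSecret;
 }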
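Review bot: The doc comment kept on the new side still shows `mkSecret { file = "./my-secret.age"; }`, while every caller visible in this commit passes a bare name plus an optional `key` (for example `file = "attic"; key = "env";`) under `sops.secrets`. The example and the `(String -> String -> String -> String) -> AttrSet` type line should describe the attribute set that is actually accepted, including `key`, `group` and `mode`, and state the defaults so a reader can tell who may read a secret declared with only `file`. The body of mkSecret between lines 36 and 53 is outside the hunks, so defaults other than `owner ? "root"` cannot be confirmed from here.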
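--- a/modules/nixos/services/attic.nix
+++ b/modules/nixos/services/attic.nix
@@ -6,7 +6,7 @@
 }:
 let
 inherit (lib) mkIf;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 
 rdomain = config.networking.domain;
 
@@ -20,7 +20,7 @@
 };
 
 config = mkIf config.garden.services.attic.enable {
-sops.secrets.attic-env = mkSystemSecret {
+sops.secrets.attic-env = mkSecret {
 file = "attic";
 key = "env";
 };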
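--- a/modules/nixos/services/blahaj.nix
+++ b/modules/nixos/services/blahaj.nix
@@ -6,13 +6,13 @@
 }:
 let
 inherit (lib) mkIf;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 in
 {
 options.garden.services.blahaj = mkServiceOption "blahaj" { };
 
 config = mkIf config.garden.services.blahaj.enable {
-sops.secrets.blahaj-env = mkSystemSecret {
+sops.secrets.blahaj-env = mkSecret {
 file = "blahaj";
 key = "env";
 };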
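--- a/modules/nixos/services/borgbackup.nix
+++ b/modules/nixos/services/borgbackup.nix
@@ -5,7 +5,7 @@
 ...
 }:
 let
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 
 cfg = config.garden.services.borgbackup;
 in
@@ -13,7 +13,7 @@
 options.garden.services.borgbackup = mkServiceOption "borgbackup" { };
 
 config = lib.mkIf cfg.enable {
-sops.secrets.borg-sshkey = mkSystemSecret {
+sops.secrets.borg-sshkey = mkSecret {
 file = "borg";
 key = "sshkey";
 };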
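--- a/modules/nixos/services/buildbot.nix
+++ b/modules/nixos/services/buildbot.nix
@@ -8,7 +8,7 @@
 }:
 let
 inherit (lib) mkIf mkMerge;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 
 inherit (config.sops) secrets;
 
@@ -27,23 +27,23 @@
 config = mkIf cfg.enable (mkMerge [
 {
 sops.secrets = {
-buildbot-worker = mkSystemSecret {
+buildbot-worker = mkSecret {
 file = "buildbot";
 key = "worker";
 };
-buildbot-workers = mkSystemSecret {
+buildbot-workers = mkSecret {
 file = "buildbot";
 key = "workers";
 };
-buildbot-gh-webhook-secret = mkSystemSecret {
+buildbot-gh-webhook-secret = mkSecret {
 file = "buildbot";
 key = "gh-webhook-secret";
 };
-buildbot-gh-private-key = mkSystemSecret {
+buildbot-gh-private-key = mkSecret {
 file = "buildbot";
 key = "gh-private-key";
 };
-buildbot-gh-oauth = mkSystemSecret {
+buildbot-gh-oauth = mkSecret {
 file = "buildbot";
 key = "gh-oauth";
 };
@@ -93,8 +93,8 @@
 
 (mkIf config.garden.services.attic.enable {
 age.secrets = {
-attic-prod-auth-token = mkSystemSecret { file = "attic/prod-auth-token"; };
-attic-netrc = mkSystemSecret { file = "attic/netrc"; };
+attic-prod-auth-token = mkSecret { file = "attic/prod-auth-token"; };
+attic-netrc = mkSecret { file = "attic/netrc"; };
 };
 
 # Add netrc file for this machine to do its normal thing with the cache, as a machine.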
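Review bot: The last hunk declares `attic-prod-auth-token` and `attic-netrc` under `age.secrets` with path-style names (`file = "attic/prod-auth-token"`), while every other secret touched by this commit sits under `sops.secrets` with a `file`/`key` pair. If the age module is no longer imported, or mkSecret now returns sops-shaped attributes, these two would fail evaluation or not be provisioned with the intended owner and mode; this is inferred, since mkSecret's body is not shown. Either move them to `sops.secrets` in the same `file`/`key` form as the rest, or add a comment such as `# still on age: <reason>` above `age.secrets = {`. The enclosing `mkIf` block continues past the end of the hunk.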
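--- a/modules/nixos/services/cloudflared.nix
+++ b/modules/nixos/services/cloudflared.nix
@@ -6,7 +6,7 @@
 }:
 let
 inherit (lib) mkIf;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 
 cfg = config.garden.services.cloudflared;
 in
@@ -16,7 +16,7 @@
 };
 
 config = mkIf cfg.enable {
-sops.secrets.cloudflared-athena = mkSystemSecret {
+sops.secrets.cloudflared-athena = mkSecret {
 file = "cloudflare";
 key = "athena";
 };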
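--- a/modules/nixos/services/forgejo.nix
+++ b/modules/nixos/services/forgejo.nix
@@ -10,7 +10,7 @@
 rdomain = config.networking.domain;
 
 inherit (lib) mkIf mkForce;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 in
 {
 options.garden.services.forgejo = mkServiceOption "forgejo" {
@@ -20,14 +20,14 @@
 
 config = mkIf cfg.enable {
 sops.secrets = {
-mailserver-git-nohash = mkSystemSecret {
+mailserver-git-nohash = mkSecret {
 file = "mailserver";
 key = "git-nohash";
 owner = "forgejo";
 group = "forgejo";
 };
 
-anubis-forgejo = mkSystemSecret {
+anubis-forgejo = mkSecret {
 file = "anubis";
 key = "forgejo";
 owner = "anubis";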
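--- a/modules/nixos/services/immich.nix
+++ b/modules/nixos/services/immich.nix
@@ -9,7 +9,7 @@
 rdomain = config.networking.domain;
 
 inherit (lib) mkIf;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 in
 {
 options.garden.services.immich = mkServiceOption "immich" {
@@ -22,11 +22,11 @@
 garden.services.postgresql.enable = true;
 
 sops.secrets = {
-immich-clientid = mkSystemSecret {
+immich-clientid = mkSecret {
 file = "immich";
 key = "clientid";
 };
-borg-immich-pass = mkSystemSecret {
+borg-immich-pass = mkSecret {
 file = "borg";
 key = "immich-passphrase";
 };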
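--- a/modules/nixos/services/kanidm.nix
+++ b/modules/nixos/services/kanidm.nix
@@ -10,7 +10,7 @@
 }:
 let
 inherit (lib) mkIf;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 
 rdomain = config.networking.domain;
 certs = config.security.acme.certs.${rdomain};
@@ -31,42 +31,42 @@
 };
 
 sops.secrets = {
-kanidm-admin-password = mkSystemSecret {
+kanidm-admin-password = mkSecret {
 file = "kanidm";
 key = "admin-password";
 owner = "kanidm";
 group = "kanidm";
 mode = "440";
 };
-kanidm-idm-admin-password = mkSystemSecret {
+kanidm-idm-admin-password = mkSecret {
 file = "kanidm";
 key = "idm-admin-password";
 owner = "kanidm";
 group = "kanidm";
 mode = "440";
 };
-kanidm-oauth2-forgejo = mkSystemSecret {
+kanidm-oauth2-forgejo = mkSecret {
 file = "kanidm";
 key = "oauth2-forgejo";
 owner = "kanidm";
 group = "kanidm";
 mode = "440";
 };
-kanidm-oauth2-linkwarden = mkSystemSecret {
+kanidm-oauth2-linkwarden = mkSecret {
 file = "kanidm";
 key = "oauth2-linkwarden";
 owner = "kanidm";
 group = "kanidm";
 mode = "440";
 };
-kanidm-oauth2-wakapi = mkSystemSecret {
+kanidm-oauth2-wakapi = mkSecret {
 file = "kanidm";
 key = "oauth2-linkwarden";
 owner = "kanidm";
 group = "kanidm";
 mode = "440";
 };
-kanidm-oauth2-immich = mkSystemSecret {
+kanidm-oauth2-immich = mkSecret {
 file = "kanidm";
 key = "oauth2-immich";
 owner = "kanidm";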
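Review bot: `kanidm-oauth2-wakapi` reads `key = "oauth2-linkwarden"`, the same key as `kanidm-oauth2-linkwarden` directly above it, so the two OAuth2 clients would be provisioned with one shared client secret. This looks like a copy-paste slip carried through the rename; if it is, exposure of the secret on either service affects both clients, and rotating one breaks the other. The line should presumably read `key = "oauth2-wakapi";`, assuming that key exists in the `kanidm` secrets file, or carry a comment saying the sharing is deliberate. The `sops.secrets` set continues past the end of the hunk.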
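--- a/modules/nixos/services/lego.nix
+++ b/modules/nixos/services/lego.nix
@@ -6,7 +6,7 @@
 }:
 let
 inherit (lib) mkIf;
-inherit (self.lib) mkSystemSecret;
+inherit (self.lib) mkSecret;
 in
 {
 # FIXME: this seems to fail to fail on certain systems
@@ -29,14 +29,14 @@
 
 config = mkIf config.garden.services.nginx.enable {
 sops.secrets = {
-lego-cloudflare = mkSystemSecret {
+lego-cloudflare = mkSecret {
 file = "lego";
 key = "cloudflare";
 owner = "nginx";
 group = "nginx";
 };
 
-lego-bunny = mkSystemSecret {
+lego-bunny = mkSecret {
 file = "lego";
 key = "bunny";
 owner = "nginx";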
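--- a/modules/nixos/services/mailserver.nix
+++ b/modules/nixos/services/mailserver.nix
@@ -8,7 +8,7 @@
 }:
 let
 inherit (lib) mkIf mkForce;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 
 rdomain = config.networking.domain;
 cfg = config.garden.services.mailserver;
@@ -25,39 +25,39 @@
 };
 
 sops.secrets = {
-mailserver-isabel = mkSystemSecret {
+mailserver-isabel = mkSecret {
 file = "mailserver";
 key = "isabel";
 };
-mailserver-jobs = mkSystemSecret {
+mailserver-jobs = mkSecret {
 file = "mailserver";
 key = "jobs";
 };
-mailserver-robin = mkSystemSecret {
+mailserver-robin = mkSecret {
 file = "mailserver";
 key = "robin";
 };
-mailserver-vaultwarden = mkSystemSecret {
+mailserver-vaultwarden = mkSecret {
 file = "mailserver";
 key = "vaultwarden";
 };
-mailserver-database = mkSystemSecret {
+mailserver-database = mkSecret {
 file = "mailserver";
 key = "database";
 };
-mailserver-grafana = mkSystemSecret {
+mailserver-grafana = mkSecret {
 file = "mailserver";
 key = "grafana";
 };
-mailserver-git = mkSystemSecret {
+mailserver-git = mkSecret {
 file = "mailserver";
 key = "git";
 };
-mailserver-noreply = mkSystemSecret {
+mailserver-noreply = mkSecret {
 file = "mailserver";
 key = "noreply";
 };
-mailserver-spam = mkSystemSecret {
+mailserver-spam = mkSecret {
 file = "mailserver";
 key = "spam";
 };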
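--- a/modules/nixos/services/matrix.nix
+++ b/modules/nixos/services/matrix.nix
@@ -7,7 +7,7 @@
 }:
 let
 inherit (lib.modules) mkIf;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 
 rdomain = config.networking.domain;
 
@@ -35,7 +35,7 @@
 };
 
 config = mkIf cfg.enable {
-sops.secrets.matrix = mkSystemSecret {
+sops.secrets.matrix = mkSecret {
 file = "matrix";
 owner = "matrix-synapse";
 };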
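--- a/modules/nixos/services/nixpkgs-prs-bot.nix
+++ b/modules/nixos/services/nixpkgs-prs-bot.nix
@@ -6,7 +6,7 @@
 }:
 let
 inherit (lib) mkIf mkMerge mkEnableOption;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 
 cfg = config.garden.services.nixpkgs-prs-bot;
 in
@@ -24,7 +24,7 @@
 }
 
 (mkIf cfg.fedi.enable {
-sops.secrets.nixpkgs-prs-bot-fedi = mkSystemSecret {
+sops.secrets.nixpkgs-prs-bot-fedi = mkSecret {
 file = "nixpkgs-prs-bot";
 key = "fedi";
 };
@@ -36,7 +36,7 @@
 })
 
 (mkIf cfg.bsky.enable {
-sops.secrets.nixpkgs-prs-bot-bsky = mkSystemSecret {
+sops.secrets.nixpkgs-prs-bot-bsky = mkSecret {
 file = "nixpkgs-prs-bot";
 key = "bsky";
 };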
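--- a/modules/nixos/services/pds/default.nix
+++ b/modules/nixos/services/pds/default.nix
@@ -10,7 +10,7 @@
 gkCfg = config.garden.services.pds-gatekeeper;
 
 inherit (lib) mkIf concatStringsSep;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 in
 {
 options.garden.services = {
@@ -30,13 +30,13 @@
 
 config = mkIf cfg.enable {
 sops.secrets = {
-pds-env = mkSystemSecret {
+pds-env = mkSecret {
 file = "pds";
 owner = "pds";
 group = "pds";
 };
 
-pds-dash = mkSystemSecret { file = "pds"; };
+pds-dash = mkSecret { file = "pds"; };
 };
 
 services = {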
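--- a/modules/nixos/services/piper.nix
+++ b/modules/nixos/services/piper.nix
@@ -6,7 +6,7 @@
 }:
 let
 inherit (lib) mkIf;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 
 rdomain = config.networking.domain;
 
@@ -20,7 +20,7 @@
 
 config = mkIf cfg.enable {
 sops.secrets = {
-piper = mkSystemSecret {
+piper = mkSecret {
 file = "piper";
 key = "env";
 };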
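--- a/modules/nixos/services/vaultwarden.nix
+++ b/modules/nixos/services/vaultwarden.nix
@@ -6,7 +6,7 @@
 }:
 let
 inherit (lib) mkIf;
-inherit (self.lib) mkServiceOption mkSystemSecret;
+inherit (self.lib) mkServiceOption mkSecret;
 
 rdomain = config.networking.domain;
 cfg = config.garden.services.vaultwarden;
@@ -18,7 +18,7 @@
 };
 
 config = mkIf cfg.enable {
-sops.secrets.vaultwarden-env = mkSystemSecret {
+sops.secrets.vaultwarden-env = mkSecret {
 file = "vaultwarden";
 key = "env";
 owner = "vaultwarden";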
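--- a/modules/nixos/services/wakapi.nix
+++ b/modules/nixos/services/wakapi.nix
@@ -7,7 +7,7 @@
 let
 inherit (lib.modules) mkIf;
 inherit (self.lib.services) mkServiceOption;
-inherit (self.lib) mkSystemSecret;
+inherit (self.lib) mkSecret;
 
 rdomain = config.networking.domain;
 cfg = config.garden.services.wakapi;
@@ -20,21 +20,21 @@
 
 config = mkIf cfg.enable {
 sops.secrets = {
-wakapi = mkSystemSecret {
+wakapi = mkSecret {
 file = "wakapi";
 owner = "wakapi";
 group = "wakapi";
 key = "password";
 };
 
-wakapi-mailer = mkSystemSecret {
+wakapi-mailer = mkSecret {
 file = "wakapi";
 owner = "wakapi";
 group = "wakapi";
 key = "mailer";
 };
 
-wakapi-env = mkSystemSecret {
+wakapi-env = mkSecret {
 file = "wakapi";
 owner = "wakapi";
 group = "wakapi";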