authorFranck Cuny <franck@fcuny.net>2022-04-10 14:44:33 -0700
committerFranck Cuny <franck@fcuny.net>2022-04-10 14:44:33 -0700
commit6a5cb9b7544168e7136ab2dbd833c9fc63020db7 (patch)
tree88db9fe9f436648acba60ffea98fd47942343b74 /modules/services
parentadd a module for backup with restic (diff)
secrets: move all the secrets under module/
Refactor the configuration a bit, which should simplify managing and
using secrets from now on.
Diffstat (limited to 'modules/services')
-rw-r--r--modules/services/backup/default.nix7
-rw-r--r--modules/services/rclone/default.nix16
-rw-r--r--modules/services/traefik/default.nix8
-rw-r--r--modules/services/unifi/default.nix10
4 files changed, 15 insertions, 26 deletions
diff --git a/modules/services/backup/default.nix b/modules/services/backup/default.nix
index 52378d3..f74b5f9 100644
--- a/modules/services/backup/default.nix
+++ b/modules/services/backup/default.nix
@@ -11,7 +11,7 @@ in {
     };
 
     passwordFile = mkOption {
-      type = types.str;
+      type = types.path;
       example = "/var/lib/restic/password.txt";
       description = "Read the repository's password from this path";
     };
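Review bot: Changing `passwordFile` to `types.path` means a Nix path literal (e.g. `./password.txt`) is now accepted as well as a string, and a path literal interpolated into the service definition is copied into the world-readable Nix store, which is the one place a restic repository password must not end up. The example value is a plain string, so the intended usage is a runtime path; it would help to make that explicit in the option text, e.g. `description = "Absolute path (as a string, not a Nix path literal) to the file holding the repository password; a path literal would be copied into the Nix store";`. The enclosing options attrset starts and ends outside this hunk.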
@@ -70,11 +70,10 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    services.restic.backups = {
+    services.restic.backups.system = {
       # Take care of included and excluded files
       paths = cfg.paths;
-      extraBackupArgs = [ "--verbose=2" ]
-        ++ lib.optional (builtins.length cfg.exclude != 0) excludeArg;
+      extraBackupArgs = [ "--verbose=2" ];
       # Take care of creating the repository if it doesn't exist
       initialize = true;
       inherit (cfg) passwordFile pruneOpts timerConfig repository;
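Review bot: The new `extraBackupArgs` drops the `lib.optional (builtins.length cfg.exclude != 0) excludeArg` term, so any `exclude` entries a host configures are no longer passed to restic, and the commit message (about moving secrets) does not mention this. If `cfg.exclude` and `excludeArg` are still defined above the hunk, the exclusion list is now silently ignored and backups will include paths the user asked to skip; restore it with `extraBackupArgs = [ "--verbose=2" ] ++ lib.optional (cfg.exclude != [ ]) excludeArg;`, or remove the dead option so the mismatch cannot go unnoticed. The `config` attrset continues past the hunk.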
diff --git a/modules/services/rclone/default.nix b/modules/services/rclone/default.nix
index 1ccf5df..1d32aac 100644
--- a/modules/services/rclone/default.nix
+++ b/modules/services/rclone/default.nix
@@ -1,16 +1,13 @@
 { config, pkgs, lib, ... }:
-let cfg = config.my.services.rclone;
+let
+  cfg = config.my.services.rclone;
+  secrets = config.age.secrets;
 in {
   options.my.services.rclone = with lib; {
     enable = mkEnableOption "rclone backup service";
   };
 
   config = lib.mkIf cfg.enable {
-    age.secrets.rclone-gcs-sa.file =
-      ../../../secrets/rclone/gcs_service_account.json.age;
-
-    age.secrets.rclone-config.file = ../../../secrets/rclone/config.ini.age;
-
     systemd = {
       packages = [ pkgs.rclone ];
       timers.rclone-sync = {
@@ -22,8 +19,11 @@ in {
       services.rclone-sync = {
         description = "synchronize restic repository to GCS";
         serviceConfig = let
-          rcloneOptions =
-            "--config=${config.age.secrets.rclone-config.path} --gcs-service-account-file=${config.age.secrets.rclone-gcs-sa.path} --fast-list --verbose";
+          rcloneOptions = "--config=${
+              secrets."rclone/gcs_service_account.json".path
+            } --gcs-service-account-file=${
+              secrets."rclone/config.ini".path
+            } --fast-list --verbose";
         in {
           Type = "oneshot";
           ExecStart = [
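Review bot: The two secret paths are swapped in the new `rcloneOptions`: `--config=` now receives `secrets."rclone/gcs_service_account.json".path` and `--gcs-service-account-file=` receives `secrets."rclone/config.ini".path`, the reverse of the removed line, where `--config` pointed at the rclone-config secret and the service-account flag at the GCS service account. As written rclone would presumably fail to read the JSON key as its configuration and GCS would reject the INI file as a credential, so the sync unit breaks on the first run. Change to `--config=${secrets."rclone/config.ini".path}` and `--gcs-service-account-file=${secrets."rclone/gcs_service_account.json".path}`. The `serviceConfig` block continues past the hunk.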
diff --git a/modules/services/traefik/default.nix b/modules/services/traefik/default.nix
index d6a8c8c..a5cff3d 100644
--- a/modules/services/traefik/default.nix
+++ b/modules/services/traefik/default.nix
@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.my.services.traefik;
+  secrets = config.age.secrets;
   domainPublic = "fcuny.net";
   domainPrivate = "fcuny.xyz";
   mkServiceConfig = name: url: domain: certResolver: {
@@ -22,11 +23,6 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    age.secrets.traefik_gcp_sa = {
-      file = ../../../secrets/traefik/gcp_service_account.json.age;
-      owner = "traefik";
-    };
-
     services.traefik = {
       enable = true;
 
@@ -94,7 +90,7 @@ in {
     ];
 
     systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
-      config.age.secrets.traefik_gcp_sa.path;
+      secrets."traefik/gcp_service_account.json".path;
     systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
 
     networking.firewall.allowedTCPPorts = [ 80 443 ];
diff --git a/modules/services/unifi/default.nix b/modules/services/unifi/default.nix
index c36860a..ee5ec6d 100644
--- a/modules/services/unifi/default.nix
+++ b/modules/services/unifi/default.nix
@@ -2,6 +2,7 @@
 
 let
   cfg = config.my.services.unifi;
+  secrets = config.age.secrets;
   allowedRules = {
     # https://help.ubnt.com/hc/en-us/articles/218506997
     allowedTCPPorts = [
@@ -33,20 +34,13 @@ in {
       unifiPackage = pkgs.unifiStable;
     };
 
-    age.secrets.unifi-read-only = {
-      file = ../../../secrets/unifi/unifi-poller.age;
-      mode = "0400";
-      owner = "unifi-poller";
-    };
-
     services.unifi-poller = {
       enable = true;
 
       unifi.defaults = {
         url = "https://127.0.0.1:8443";
         user = "unifipoller";
-        pass = config.age.secrets.unifi-read-only.path;
-
+        pass = secrets."unifi/unifi-poller".path;
         verify_ssl = false;
       };