diff options
author | Franck Cuny <franck@fcuny.net> | 2022-04-10 14:44:33 -0700 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2022-04-10 14:44:33 -0700 |
commit | 6a5cb9b7544168e7136ab2dbd833c9fc63020db7 (patch) | |
tree | 88db9fe9f436648acba60ffea98fd47942343b74 /modules/services | |
parent | add a module for backup with restic (diff) | |
download | world-6a5cb9b7544168e7136ab2dbd833c9fc63020db7.tar.gz |
secrets: move all the secrets under module/
Refactor a bit the configuration, which should simplify the management and usage of secrets from now on.
Diffstat (limited to 'modules/services')
-rw-r--r-- | modules/services/backup/default.nix | 7 | ||||
-rw-r--r-- | modules/services/rclone/default.nix | 16 | ||||
-rw-r--r-- | modules/services/traefik/default.nix | 8 | ||||
-rw-r--r-- | modules/services/unifi/default.nix | 10 |
4 files changed, 15 insertions, 26 deletions
diff --git a/modules/services/backup/default.nix b/modules/services/backup/default.nix index 52378d3..f74b5f9 100644 --- a/modules/services/backup/default.nix +++ b/modules/services/backup/default.nix @@ -11,7 +11,7 @@ in { }; passwordFile = mkOption { - type = types.str; + type = types.path; example = "/var/lib/restic/password.txt"; description = "Read the repository's password from this path"; }; @@ -70,11 +70,10 @@ in { }; config = lib.mkIf cfg.enable { - services.restic.backups = { + services.restic.backups.system = { # Take care of included and excluded files paths = cfg.paths; - extraBackupArgs = [ "--verbose=2" ] - ++ lib.optional (builtins.length cfg.exclude != 0) excludeArg; + extraBackupArgs = [ "--verbose=2" ]; # Take care of creating the repository if it doesn't exist initialize = true; inherit (cfg) passwordFile pruneOpts timerConfig repository; diff --git a/modules/services/rclone/default.nix b/modules/services/rclone/default.nix index 1ccf5df..1d32aac 100644 --- a/modules/services/rclone/default.nix +++ b/modules/services/rclone/default.nix @@ -1,16 +1,13 @@ { config, pkgs, lib, ... }: -let cfg = config.my.services.rclone; +let + cfg = config.my.services.rclone; + secrets = config.age.secrets; in { options.my.services.rclone = with lib; { enable = mkEnableOption "rclone backup service"; }; config = lib.mkIf cfg.enable { - age.secrets.rclone-gcs-sa.file = - ../../../secrets/rclone/gcs_service_account.json.age; - - age.secrets.rclone-config.file = ../../../secrets/rclone/config.ini.age; - systemd = { packages = [ pkgs.rclone ]; timers.rclone-sync = { @@ -22,8 +19,11 @@ in { services.rclone-sync = { description = "synchronize restic repository to GCS"; serviceConfig = let - rcloneOptions = - "--config=${config.age.secrets.rclone-config.path} --gcs-service-account-file=${config.age.secrets.rclone-gcs-sa.path} --fast-list --verbose"; + rcloneOptions = "--config=${ + secrets."rclone/gcs_service_account.json".path + } --gcs-service-account-file=${ + secrets."rclone/config.ini".path + } --fast-list --verbose"; in { Type = "oneshot"; ExecStart = [ diff --git a/modules/services/traefik/default.nix b/modules/services/traefik/default.nix index d6a8c8c..a5cff3d 100644 --- a/modules/services/traefik/default.nix +++ b/modules/services/traefik/default.nix @@ -4,6 +4,7 @@ with lib; let cfg = config.my.services.traefik; + secrets = config.age.secrets; domainPublic = "fcuny.net"; domainPrivate = "fcuny.xyz"; mkServiceConfig = name: url: domain: certResolver: { @@ -22,11 +23,6 @@ in { }; config = lib.mkIf cfg.enable { - age.secrets.traefik_gcp_sa = { - file = ../../../secrets/traefik/gcp_service_account.json.age; - owner = "traefik"; - }; - services.traefik = { enable = true; @@ -94,7 +90,7 @@ in { ]; systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE = - config.age.secrets.traefik_gcp_sa.path; + secrets."traefik/gcp_service_account.json".path; systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab"; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/modules/services/unifi/default.nix b/modules/services/unifi/default.nix index c36860a..ee5ec6d 100644 --- a/modules/services/unifi/default.nix +++ b/modules/services/unifi/default.nix @@ -2,6 +2,7 @@ let cfg = config.my.services.unifi; + secrets = config.age.secrets; allowedRules = { # https://help.ubnt.com/hc/en-us/articles/218506997 allowedTCPPorts = [ @@ -33,20 +34,13 @@ in { unifiPackage = pkgs.unifiStable; }; - age.secrets.unifi-read-only = { - file = ../../../secrets/unifi/unifi-poller.age; - mode = "0400"; - owner = "unifi-poller"; - }; - services.unifi-poller = { enable = true; unifi.defaults = { url = "https://127.0.0.1:8443"; user = "unifipoller"; - pass = config.age.secrets.unifi-read-only.path; - + pass = secrets."unifi/unifi-poller".path; verify_ssl = false; }; |