-rw-r--r--ops/machines/whitby/default.nix8
-rw-r--r--ops/modules/clbot.nix2
-rw-r--r--ops/modules/gerrit-queue.nix2
-rw-r--r--ops/modules/irccat.nix2
-rw-r--r--ops/modules/oauth2_proxy.nix2
-rw-r--r--ops/modules/owothia.nix2
-rw-r--r--ops/modules/panettone.nix2
-rw-r--r--ops/modules/smtprelay.nix2
-rw-r--r--ops/modules/tvl-buildkite.nix2
-rw-r--r--third_party/agenix/default.nix10
-rw-r--r--third_party/sources/sources.json12
-rw-r--r--users/grfn/bbbg/module.nix4
-rw-r--r--users/grfn/system/system/machines/mugwump.nix8
13 files changed, 33 insertions, 25 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 5de8481878..7518e67179 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -334,7 +334,7 @@ in
     flags = {
       gerrit_host = "cl.tvl.fyi:29418";
       gerrit_ssh_auth_username = "clbot";
-      gerrit_ssh_auth_key = "/run/agenix/clbot-ssh";
+      gerrit_ssh_auth_key = config.age.secretsDir + "/clbot-ssh";
 
       irc_server = "localhost:${toString config.services.znc.config.Listener.l.Port}";
       irc_user = "tvlbot";
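Review bot: `config.age.secretsDir + "/clbot-ssh"` rebuilds the secret's location by convention, so a misspelled name or a secret that is not declared on this host still evaluates to a plain string and only fails at runtime when clbot cannot open the file. agenix exposes the resolved location of each declared secret, so `gerrit_ssh_auth_key = config.age.secrets."clbot-ssh".path;` ties the flag to the declaration, fails at evaluation time if the secret is missing, and follows a per-secret `path` override instead of assuming the default directory. The same applies to the nix-serve, grafana and keycloak hunks below in this file, to the tvl-buildkite hunk, and to the bbbg and mugwump hunks further down. The `flags` attribute set begins before this hunk.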
@@ -453,7 +453,7 @@ in
   services.nix-serve = {
     enable = true;
     port = 6443;
-    secretKeyFile = "/run/agenix/nix-cache-priv";
+    secretKeyFile = config.age.secretsDir + "/nix-cache-priv";
     bindAddress = "localhost";
   };
 
@@ -599,7 +599,7 @@ in
   };
 
   # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
-  systemd.services.grafana.serviceConfig.EnvironmentFile = "/run/agenix/grafana";
+  systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secretsDir + "/grafana";
 
   services.keycloak = {
     enable = true;
@@ -613,7 +613,7 @@ in
 
     database = {
       type = "postgresql";
-      passwordFile = "/run/agenix/keycloak-db";
+      passwordFile = config.age.secretsDir + "/keycloak-db";
       createLocally = false;
     };
   };
diff --git a/ops/modules/clbot.nix b/ops/modules/clbot.nix
index 958d321f81..84575ed072 100644
--- a/ops/modules/clbot.nix
+++ b/ops/modules/clbot.nix
@@ -60,7 +60,7 @@ in
     secretsFile = mkOption {
       type = types.str;
       description = "EnvironmentFile from which to load secrets";
-      default = "/run/agenix/clbot";
+      default = config.age.secretsDir + "/clbot";
     };
   };
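Review bot: The default now reads `config.age.secretsDir`, so it only evaluates on hosts that import the agenix module and only if `config` is in this module's argument set; the module header is outside the hunk, so both need confirming. Because the default references `config`, option documentation generators have to evaluate a host configuration to render it, which `defaultText = lib.literalExpression ''config.age.secretsDir + "/clbot"'';` next to `default` avoids (drop the `lib.` prefix if the module opens `lib`). The same applies to the gerrit-queue, irccat, oauth2_proxy, owothia, panettone and smtprelay hunks, and smtprelay's `secretsFile` additionally has no `description` at all, unlike its sibling modules.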
 
diff --git a/ops/modules/gerrit-queue.nix b/ops/modules/gerrit-queue.nix
index 66d584cc33..4468bcf1c5 100644
--- a/ops/modules/gerrit-queue.nix
+++ b/ops/modules/gerrit-queue.nix
@@ -24,7 +24,7 @@ in
 
     secretsFile = with lib; mkOption {
       description = "Path to a systemd EnvironmentFile containing secrets";
-      default = "/run/agenix/gerrit-queue";
+      default = config.age.secretsDir + "/gerrit-queue";
       type = types.str;
     };
   };
diff --git a/ops/modules/irccat.nix b/ops/modules/irccat.nix
index 05a783fd66..0819c52a8d 100644
--- a/ops/modules/irccat.nix
+++ b/ops/modules/irccat.nix
@@ -40,7 +40,7 @@ in
     secretsFile = lib.mkOption {
       type = lib.types.str;
       description = "Path to the secrets file to be merged";
-      default = "/run/agenix/irccat";
+      default = config.age.secretsDir + "/irccat";
     };
   };
 
diff --git a/ops/modules/oauth2_proxy.nix b/ops/modules/oauth2_proxy.nix
index 58b3a222a8..e92572365d 100644
--- a/ops/modules/oauth2_proxy.nix
+++ b/ops/modules/oauth2_proxy.nix
@@ -37,7 +37,7 @@ in
     secretsFile = lib.mkOption {
       type = lib.types.str;
       description = "EnvironmentFile from which to load secrets";
-      default = "/run/agenix/oauth2_proxy";
+      default = config.age.secretsDir + "/oauth2_proxy";
     };
   };
 
diff --git a/ops/modules/owothia.nix b/ops/modules/owothia.nix
index d11fdd26ec..b9746c1720 100644
--- a/ops/modules/owothia.nix
+++ b/ops/modules/owothia.nix
@@ -12,7 +12,7 @@ in
     secretsFile = lib.mkOption {
       type = lib.types.str;
       description = "File path from which systemd should read secrets";
-      default = "/run/agenix/owothia";
+      default = config.age.secretsDir + "/owothia";
     };
 
     owoChance = lib.mkOption {
diff --git a/ops/modules/panettone.nix b/ops/modules/panettone.nix
index d57e53e754..2576ab16c5 100644
--- a/ops/modules/panettone.nix
+++ b/ops/modules/panettone.nix
@@ -37,7 +37,7 @@ in
         by systemd's EnvironmentFile
       '';
       type = types.str;
-      default = "/run/agenix/panettone";
+      default = config.age.secretsDir + "/panettone";
     };
 
     irccatHost = mkOption {
diff --git a/ops/modules/smtprelay.nix b/ops/modules/smtprelay.nix
index cfb185ecd1..f6ce262175 100644
--- a/ops/modules/smtprelay.nix
+++ b/ops/modules/smtprelay.nix
@@ -40,7 +40,7 @@ in
 
     secretsFile = mkOption {
       type = types.str;
-      default = "/run/agenix/smtprelay";
+      default = config.age.secretsDir + "/smtprelay";
     };
   };
 
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index a6e7372a25..c38687f80f 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -40,7 +40,7 @@ in
         value = {
           inherit name;
           enable = true;
-          tokenPath = "/run/agenix/buildkite-agent-token";
+          tokenPath = config.age.secretsDir + "/buildkite-agent-token";
           hooks.post-command = "${buildkiteHooks}/bin/post-command";
 
           runtimePackages = with pkgs; [
diff --git a/third_party/agenix/default.nix b/third_party/agenix/default.nix
index cc7dfd90fb..f80dda512c 100644
--- a/third_party/agenix/default.nix
+++ b/third_party/agenix/default.nix
@@ -1,12 +1,8 @@
-{ pkgs, ... }:
+{ pkgs, depot, ... }:
 
 let
-  src = pkgs.fetchFromGitHub {
-    owner = "ryantm";
-    repo = "agenix";
-    rev = "52ea2f8c3231cc2b5302fa28c63588aacb77ea29";
-    sha256 = "1sqgbriwmvxcmqp0zbk7873psk9g60a53fgrr9p0jafki5zzgvdx";
-  };
+  src = depot.third_party.sources.agenix;
+
   agenix = import src {
     inherit pkgs;
   };
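Review bot: The pinned revision changes from 52ea2f8c… to 7e5e58b9… in the same commit that moves the pin into sources.json, so this hunk is an agenix upgrade as well as a refactor, and nothing on the page says whether the `age.secretsDir` references elsewhere in the diff depend on that newer revision; splitting the bump from the path refactor, or stating the dependency in the commit message, would make the change easier to bisect. The integrity of the import now rests on the `sha256` recorded in sources.json rather than on a hash visible in this file, so a comment above `src` such as `# agenix is pinned via niv in third_party/sources/sources.json; bump with `niv update agenix`.` tells the next maintainer where the pin lives.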
diff --git a/third_party/sources/sources.json b/third_party/sources/sources.json
index aee4518a0d..f5c8754c17 100644
--- a/third_party/sources/sources.json
+++ b/third_party/sources/sources.json
@@ -1,4 +1,16 @@
 {
+    "agenix": {
+        "branch": "main",
+        "description": "age-encrypted secrets for NixOS",
+        "homepage": "https://matrix.to/#/#agenix:nixos.org",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
+        "sha256": "1cfdd2ja56g8clllygf91il7dignr90ij1bl29g3kl7dl977dhl4",
+        "type": "tarball",
+        "url": "https://github.com/ryantm/agenix/archive/7e5e58b98c3dcbf497543ff6f22591552ebfe65b.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
     "emacs-overlay": {
         "branch": "master",
         "description": "Bleeding edge emacs overlay [maintainer=@adisbladis] ",
diff --git a/users/grfn/bbbg/module.nix b/users/grfn/bbbg/module.nix
index 7a49f7934a..70bb2c77e4 100644
--- a/users/grfn/bbbg/module.nix
+++ b/users/grfn/bbbg/module.nix
@@ -64,7 +64,7 @@ in
         serviceConfig = {
           DynamicUser = true;
           Restart = "always";
-          EnvironmentFile = "/run/agenix/bbbg";
+          EnvironmentFile = config.age.secretsDir + "/bbbg";
         };
 
         environment = {
@@ -88,7 +88,7 @@ in
 
         serviceConfig = {
           Type = "oneshot";
-          EnvironmentFile = "/run/agenix/bbbg";
+          EnvironmentFile = config.age.secretsDir + "/bbbg";
         };
 
         environment = {
diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix
index c5b60284d4..05b78ce517 100644
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@@ -153,7 +153,7 @@ with lib;
     zone = "gws.fyi";
     protocol = "cloudflare";
     username = "root@gws.fyi";
-    passwordFile = "/run/agenix/ddclient-password";
+    passwordFile = config.age.secretsDir + "/ddclient-password";
     quiet = true;
   };
 
@@ -161,7 +161,7 @@ with lib;
 
   security.acme.certs."metrics.gws.fyi" = {
     dnsProvider = "cloudflare";
-    credentialsFile = "/run/agenix/cloudflare";
+    credentialsFile = config.age.secretsDir + "/cloudflare";
     webroot = mkForce null;
   };
 
@@ -272,8 +272,8 @@ with lib;
       value = {
         inherit name;
         enable = true;
-        tokenPath = "/run/agenix/buildkite-token";
-        privateSshKeyPath = "/run/agenix/buildkite-ssh-key";
+        tokenPath = config.age.secretsDir + "/buildkite-token";
+        privateSshKeyPath = config.age.secretsDir + "/buildkite-ssh-key";
         runtimePackages = with pkgs; [
           docker
           nix