From 03d198631645ba3013e6e16bdf26a327cd51ccf7 Mon Sep 17 00:00:00 2001
From: sterni
Date: Sun, 22 May 2022 23:51:49 +0200
Subject: feat(3p/agenix): update to 2022-05-16 and add to niv
The new version brings the new secretsDir setting which means we no longer have to hardcode /run/agenix everywhere.
Change-Id: I4b579d7233d315a780d7671869d5d06722d769fa
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5646
Tested-by: BuildkiteCI
Reviewed-by: tazjin
Reviewed-by: grfn
Autosubmit: sterni
---
 ops/machines/whitby/default.nix | 8 ++++----
 ops/modules/clbot.nix | 2 +-
 ops/modules/gerrit-queue.nix | 2 +-
 ops/modules/irccat.nix | 2 +-
 ops/modules/oauth2_proxy.nix | 2 +-
 ops/modules/owothia.nix | 2 +-
 ops/modules/panettone.nix | 2 +-
 ops/modules/smtprelay.nix | 2 +-
 ops/modules/tvl-buildkite.nix | 2 +-
 third_party/agenix/default.nix | 10 +++-------
 third_party/sources/sources.json | 12 ++++++++++++
 users/grfn/bbbg/module.nix | 4 ++--
 users/grfn/system/system/machines/mugwump.nix | 8 ++++----
 13 files changed, 33 insertions(+), 25 deletions(-)
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 5de8481878bf..7518e671795b 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -334,7 +334,7 @@ in
 flags = {
 gerrit_host = "cl.tvl.fyi:29418";
 gerrit_ssh_auth_username = "clbot";
- gerrit_ssh_auth_key = "/run/agenix/clbot-ssh";
+ gerrit_ssh_auth_key = config.age.secretsDir + "/clbot-ssh";
 irc_server = "localhost:${toString config.services.znc.config.Listener.l.Port}";
 irc_user = "tvlbot";
@@ -453,7 +453,7 @@ in
 services.nix-serve = {
 enable = true;
 port = 6443;
- secretKeyFile = "/run/agenix/nix-cache-priv";
+ secretKeyFile = config.age.secretsDir + "/nix-cache-priv";
 bindAddress = "localhost";
 };
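Review bot: `config.age.secretsDir + "/clbot-ssh"` on the added line only yields the intended string while `age.secretsDir` is string-valued; if that option ever carries a Nix path literal, `+` produces a path and coercing it to a string would attempt to import it into the store rather than produce `/run/agenix/clbot-ssh` — agenix's option declaration is not visible here, so this may be moot. Wrapping the option keeps both cases string-valued: `gerrit_ssh_auth_key = toString config.age.secretsDir + "/clbot-ssh";`. The same construction is used in the other whitby hunks and in tvl-buildkite.nix, bbbg/module.nix and mugwump.nix. The `flags` attribute set this hunk edits begins and ends outside the hunk.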
@@ -599,7 +599,7 @@ in
 };
 # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET.
- systemd.services.grafana.serviceConfig.EnvironmentFile = "/run/agenix/grafana";
+ systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secretsDir + "/grafana";
 services.keycloak = {
 enable = true;
@@ -613,7 +613,7 @@ in
 database = {
 type = "postgresql";
- passwordFile = "/run/agenix/keycloak-db";
+ passwordFile = config.age.secretsDir + "/keycloak-db";
 createLocally = false;
 };
 };
diff --git a/ops/modules/clbot.nix b/ops/modules/clbot.nix
index 958d321f81ad..84575ed07203 100644
--- a/ops/modules/clbot.nix
+++ b/ops/modules/clbot.nix
@@ -60,7 +60,7 @@ in
 secretsFile = mkOption {
 type = types.str;
 description = "EnvironmentFile from which to load secrets";
- default = "/run/agenix/clbot";
+ default = config.age.secretsDir + "/clbot";
 };
 };
diff --git a/ops/modules/gerrit-queue.nix b/ops/modules/gerrit-queue.nix
index 66d584cc3361..4468bcf1c5f9 100644
--- a/ops/modules/gerrit-queue.nix
+++ b/ops/modules/gerrit-queue.nix
@@ -24,7 +24,7 @@ in
 secretsFile = with lib; mkOption {
 description = "Path to a systemd EnvironmentFile containing secrets";
- default = "/run/agenix/gerrit-queue";
+ default = config.age.secretsDir + "/gerrit-queue";
 type = types.str;
 };
 };
diff --git a/ops/modules/irccat.nix b/ops/modules/irccat.nix
index 05a783fd6614..0819c52a8de7 100644
--- a/ops/modules/irccat.nix
+++ b/ops/modules/irccat.nix
@@ -40,7 +40,7 @@ in
 secretsFile = lib.mkOption {
 type = lib.types.str;
 description = "Path to the secrets file to be merged";
- default = "/run/agenix/irccat";
+ default = config.age.secretsDir + "/irccat";
 };
 };
diff --git a/ops/modules/oauth2_proxy.nix b/ops/modules/oauth2_proxy.nix
index 58b3a222a80d..e92572365d52 100644
--- a/ops/modules/oauth2_proxy.nix
+++ b/ops/modules/oauth2_proxy.nix
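Review bot: The new default `config.age.secretsDir + "/clbot"` ties this module to agenix: the default is only evaluable when agenix's NixOS module is imported (otherwise `age.secretsDir` is an undeclared option) and when `config` is bound in this module's argument list, which lies outside the hunk. Because the default now references `config`, it should also carry `defaultText` so option documentation can render it without evaluating it, e.g. `defaultText = lib.literalExpression ''config.age.secretsDir + "/clbot"'';` next to `default`. The same applies to the corresponding `secretsFile` defaults in gerrit-queue.nix, irccat.nix, oauth2_proxy.nix, owothia.nix, panettone.nix and smtprelay.nix.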
@@ -37,7 +37,7 @@ in
 secretsFile = lib.mkOption {
 type = lib.types.str;
 description = "EnvironmentFile from which to load secrets";
- default = "/run/agenix/oauth2_proxy";
+ default = config.age.secretsDir + "/oauth2_proxy";
 };
 };
diff --git a/ops/modules/owothia.nix b/ops/modules/owothia.nix
index d11fdd26ecbc..b9746c172090 100644
--- a/ops/modules/owothia.nix
+++ b/ops/modules/owothia.nix
@@ -12,7 +12,7 @@ in
 secretsFile = lib.mkOption {
 type = lib.types.str;
 description = "File path from which systemd should read secrets";
- default = "/run/agenix/owothia";
+ default = config.age.secretsDir + "/owothia";
 };
 owoChance = lib.mkOption {
diff --git a/ops/modules/panettone.nix b/ops/modules/panettone.nix
index d57e53e75442..2576ab16c5bf 100644
--- a/ops/modules/panettone.nix
+++ b/ops/modules/panettone.nix
@@ -37,7 +37,7 @@ in
 by systemd's EnvironmentFile
 '';
 type = types.str;
- default = "/run/agenix/panettone";
+ default = config.age.secretsDir + "/panettone";
 };
 irccatHost = mkOption {
diff --git a/ops/modules/smtprelay.nix b/ops/modules/smtprelay.nix
index cfb185ecd107..f6ce2621757d 100644
--- a/ops/modules/smtprelay.nix
+++ b/ops/modules/smtprelay.nix
@@ -40,7 +40,7 @@ in
 secretsFile = mkOption {
 type = types.str;
- default = "/run/agenix/smtprelay";
+ default = config.age.secretsDir + "/smtprelay";
 };
 };
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index a6e7372a250a..c38687f80f71 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -40,7 +40,7 @@ in
 value = {
 inherit name;
 enable = true;
- tokenPath = "/run/agenix/buildkite-agent-token";
+ tokenPath = config.age.secretsDir + "/buildkite-agent-token";
 hooks.post-command = "${buildkiteHooks}/bin/post-command";
 runtimePackages = with pkgs; [
diff --git a/third_party/agenix/default.nix b/third_party/agenix/default.nix
index cc7dfd90fb65..f80dda512c5b 100644
--- a/third_party/agenix/default.nix
+++ b/third_party/agenix/default.nix
@@ -1,12 +1,8 @@
-{ pkgs, ... }:
+{ pkgs, depot, ... }:
 let
- src = pkgs.fetchFromGitHub {
- owner = "ryantm";
- repo = "agenix";
- rev = "52ea2f8c3231cc2b5302fa28c63588aacb77ea29";
- sha256 = "1sqgbriwmvxcmqp0zbk7873psk9g60a53fgrr9p0jafki5zzgvdx";
- };
+ src = depot.third_party.sources.agenix;
+
 agenix = import src { inherit pkgs; };
diff --git a/third_party/sources/sources.json b/third_party/sources/sources.json
index aee4518a0d5f..f5c8754c17b7 100644
--- a/third_party/sources/sources.json
+++ b/third_party/sources/sources.json
@@ -1,4 +1,16 @@
 {
+ "agenix": {
+ "branch": "main",
+ "description": "age-encrypted secrets for NixOS",
+ "homepage": "https://matrix.to/#/#agenix:nixos.org",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
+ "sha256": "1cfdd2ja56g8clllygf91il7dignr90ij1bl29g3kl7dl977dhl4",
+ "type": "tarball",
+ "url": "https://github.com/ryantm/agenix/archive/7e5e58b98c3dcbf497543ff6f22591552ebfe65b.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
 "emacs-overlay": {
 "branch": "master",
 "description": "Bleeding edge emacs overlay [maintainer=@adisbladis] ",
diff --git a/users/grfn/bbbg/module.nix b/users/grfn/bbbg/module.nix
index 7a49f7934a37..70bb2c77e4cf 100644
--- a/users/grfn/bbbg/module.nix
+++ b/users/grfn/bbbg/module.nix
@@ -64,7 +64,7 @@ in
 serviceConfig = {
 DynamicUser = true;
 Restart = "always";
- EnvironmentFile = "/run/agenix/bbbg";
+ EnvironmentFile = config.age.secretsDir + "/bbbg";
 };
 environment = {
@@ -88,7 +88,7 @@ in
 serviceConfig = {
 Type = "oneshot";
- EnvironmentFile = "/run/agenix/bbbg";
+ EnvironmentFile = config.age.secretsDir + "/bbbg";
 };
 environment = {
diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix
index c5b60284d40a..05b78ce51703 100644
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
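Review bot: `src = depot.third_party.sources.agenix;` moves the pin out of this file, so the `rev` and `sha256` recorded in third_party/sources/sources.json are now the only thing fixing which agenix code is evaluated, and a one-line comment above it would save the next reader the lookup: `# Pinned via niv (third_party/sources/sources.json); bump with: niv update agenix`. In the sources.json hunk, `url_template` reads `https://github.com///archive/.tar.gz`, i.e. the owner/repo/rev placeholders are absent — if that is the on-disk content rather than an artifact of how this page was extracted, `niv update agenix` would compute a malformed URL, so it is worth confirming. The `let` block continues past the end of the hunk.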
@@ -153,7 +153,7 @@ with lib;
 zone = "gws.fyi";
 protocol = "cloudflare";
 username = "root@gws.fyi";
- passwordFile = "/run/agenix/ddclient-password";
+ passwordFile = config.age.secretsDir + "/ddclient-password";
 quiet = true;
 };
@@ -161,7 +161,7 @@ with lib;
 security.acme.certs."metrics.gws.fyi" = {
 dnsProvider = "cloudflare";
- credentialsFile = "/run/agenix/cloudflare";
+ credentialsFile = config.age.secretsDir + "/cloudflare";
 webroot = mkForce null;
 };
@@ -272,8 +272,8 @@ with lib;
 value = {
 inherit name;
 enable = true;
- tokenPath = "/run/agenix/buildkite-token";
- privateSshKeyPath = "/run/agenix/buildkite-ssh-key";
+ tokenPath = config.age.secretsDir + "/buildkite-token";
+ privateSshKeyPath = config.age.secretsDir + "/buildkite-ssh-key";
 runtimePackages = with pkgs; [
 docker
 nix
--
cgit 1.4.1