secrets: cleanup activation scripts

2026-03-04 17:35:49 -05:00
parent bf3c949b70
commit b5be21ff8c
3 changed files with 6 additions and 34 deletions


@@ -13,11 +13,13 @@
# Configure all agenix secrets
age.secrets = {
# ZFS encryption key
# path is set to /etc/zfs-key to match the ZFS dataset keylocation property
zfs-key = {
file = ../secrets/zfs-key.age;
mode = "0400";
owner = "root";
group = "root";
path = "/etc/zfs-key";
};
# Secureboot keys archive
@@ -53,9 +55,9 @@
slskd_env = {
file = ../secrets/slskd_env.age;
mode = "0400";
owner = "root";
group = "root";
mode = "0500";
owner = config.services.slskd.user;
group = config.services.slskd.group;
};
# Network configuration
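Review bot: The slskd_env secret's new mode "0500" grants the execute bit on what is, by its name, an environment file that the service only needs to read; "0400" with the slskd owner and group is the least-privilege setting, so the line should read `mode = "0400";`. Which of the two mode/owner/group triples is the old side is inferred from print order and the commit title (the rendered page has lost its +/- markers), so confirm that 0500 is indeed the new value before changing it. In the first hunk, `path = "/etc/zfs-key";` replaces the removed activation script that copied the key into /etc; agenix installs a custom path as a symlink into its secrets directory unless `symlink = false` is set, and the secret only appears once agenix activation has run, so it is worth confirming that ZFS key loading happens after that point rather than in initrd or an earlier unit.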


@@ -4,24 +4,7 @@
pkgs,
...
}:
let
# DO NOT CHANGE
# path is set via a zfs property
zfs-key = "/etc/zfs-key";
in
{
system.activationScripts = {
# Copy decrypted ZFS key from agenix to expected location
# /etc is on tmpfs due to impermanence, so no persistent storage risk
"zfs-key".text = ''
#!/bin/sh
rm -f ${zfs-key} || true
cp ${config.age.secrets.zfs-key.path} ${zfs-key}
chmod 0400 ${zfs-key}
chown root:root ${zfs-key}
'';
};
boot.zfs.package = pkgs.zfs;
boot.initrd.kernelModules = [ "zfs" ];