secrets: cleanup activation scripts
@@ -13,11 +13,13 @@
|
|||||||
# Configure all agenix secrets
|
# Configure all agenix secrets
|
||||||
age.secrets = {
|
age.secrets = {
|
||||||
# ZFS encryption key
|
# ZFS encryption key
|
||||||
|
# path is set to /etc/zfs-key to match the ZFS dataset keylocation property
|
||||||
zfs-key = {
|
zfs-key = {
|
||||||
file = ../secrets/zfs-key.age;
|
file = ../secrets/zfs-key.age;
|
||||||
mode = "0400";
|
mode = "0400";
|
||||||
owner = "root";
|
owner = "root";
|
||||||
group = "root";
|
group = "root";
|
||||||
|
path = "/etc/zfs-key";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Secureboot keys archive
|
# Secureboot keys archive
|
||||||
@@ -53,9 +55,9 @@
|
|||||||
|
|
||||||
slskd_env = {
|
slskd_env = {
|
||||||
file = ../secrets/slskd_env.age;
|
file = ../secrets/slskd_env.age;
|
||||||
mode = "0400";
|
mode = "0500";
|
||||||
owner = "root";
|
owner = config.services.slskd.user;
|
||||||
group = "root";
|
group = config.services.slskd.group;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Network configuration
|
# Network configuration
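Review bot: `mode = "0500"` on the slskd_env secret grants execute permission to a file that is only ever read as an environment file, so `mode = "0400";` is the least-privilege setting; the 0500 looks carried over from the `chmod 0500` in the activation script this commit removes from the slskd module. Whether ownership also needs to move to the slskd user depends on how `services.slskd` consumes `environmentFile` — if the module hands it to systemd as `EnvironmentFile` it is read before privileges are dropped and `owner = "root";` / `group = "root";` would suffice; worth confirming against the module before widening who can read the credentials. For zfs-key in the first hunk, agenix's `symlink` option defaults to true, so `path = "/etc/zfs-key"` may be installed as a symlink into the agenix run directory rather than the regular file the removed `cp` produced; confirm the dataset's keylocation resolves it and that key loading happens after the agenix activation step, and consider stating this in the comment above `zfs-key`. The enclosing `age.secrets` attribute set continues outside both hunks.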
|
||||||
|
|||||||
@@ -4,24 +4,7 @@
|
|||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
|
||||||
# DO NOT CHANGE
|
|
||||||
# path is set via a zfs property
|
|
||||||
zfs-key = "/etc/zfs-key";
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
system.activationScripts = {
|
|
||||||
# Copy decrypted ZFS key from agenix to expected location
|
|
||||||
# /etc is on tmpfs due to impermanence, so no persistent storage risk
|
|
||||||
"zfs-key".text = ''
|
|
||||||
#!/bin/sh
|
|
||||||
rm -f ${zfs-key} || true
|
|
||||||
cp ${config.age.secrets.zfs-key.path} ${zfs-key}
|
|
||||||
chmod 0400 ${zfs-key}
|
|
||||||
chown root:root ${zfs-key}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
boot.zfs.package = pkgs.zfs;
|
boot.zfs.package = pkgs.zfs;
|
||||||
boot.initrd.kernelModules = [ "zfs" ];
|
boot.initrd.kernelModules = [ "zfs" ];
|
||||||
|
|
||||||
|
|||||||
@@ -6,9 +6,6 @@
|
|||||||
username,
|
username,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
|
||||||
slskd_env = "/etc/slskd_env";
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
(lib.serviceMountWithZpool "slskd" "" [
|
(lib.serviceMountWithZpool "slskd" "" [
|
||||||
@@ -26,20 +23,10 @@ in
|
|||||||
|
|
||||||
users.groups."music" = { };
|
users.groups."music" = { };
|
||||||
|
|
||||||
system.activationScripts = {
|
|
||||||
"skskd_env".text = ''
|
|
||||||
#!/bin/sh
|
|
||||||
rm -fr ${slskd_env} || true
|
|
||||||
cp ${config.age.secrets.slskd_env.path} ${slskd_env}
|
|
||||||
chmod 0500 ${slskd_env}
|
|
||||||
chown ${config.services.slskd.user}:${config.services.slskd.group} ${slskd_env}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
services.slskd = {
|
services.slskd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = null; # null so we don't use nginx reverse proxy
|
domain = null; # null so we don't use nginx reverse proxy
|
||||||
environmentFile = slskd_env;
|
environmentFile = config.age.secrets.slskd_env.path;
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
web = {
|
web = {
|
||||||
|
|||||||