From 1b42e0cd7299e146f73f101b717d0d9b132acf12 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 18 Jun 2023 12:55:18 +0200
Subject: [PATCH] fix: refactoring mistakes; and add generator for initrd_host_ed25519_key
---
 README.md | 1 -
 hosts/common/initrd-ssh.nix | 13 +++++++++++--
 hosts/ward/microvms/grafana/secrets/host.pub | 2 +-
 hosts/ward/microvms/kanidm/secrets/host.pub | 2 +-
 hosts/ward/microvms/vaultwarden/default.nix | 6 +++---
 hosts/ward/microvms/vaultwarden/secrets/host.pub | 2 +-
 modules/extra.nix | 2 +-
 modules/promtail.nix | 2 +-
 8 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index dac89e9..ab4a4ec 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,6 @@ This is my personal nix config.
 - create hosts/
 - fill net.nix
 - fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
-- generate an initrd hostkey if necessary `ssh-keygen -t ed25519 -N "" -f /tmp/key; rage ...`
 - run generate-secrets
 #### Initial deploy
diff --git a/hosts/common/initrd-ssh.nix b/hosts/common/initrd-ssh.nix
index ee0122e..df4e932 100644
--- a/hosts/common/initrd-ssh.nix
+++ b/hosts/common/initrd-ssh.nix
@@ -4,8 +4,17 @@
 nodePath,
 ...
 }: {
- # TODO generate script
- age.secrets.initrd_host_ed25519_key.file = nodePath + "/secrets/initrd_host_ed25519_key.age";
+ age.secrets.initrd_host_ed25519_key = {
+ rekeyFile = nodePath + "/secrets/initrd_host_ed25519_key.age";
+ # Generate only an ssh-ed25519 private key
+ generator.script = {
+ pkgs,
+ lib,
+ ...
+ }: ''
+ (exec 3>&1; ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -f /proc/self/fd/3 <</dev/null 2>&1)
+ '';
+ };
 boot.initrd.network.enable = true;
 boot.initrd.network.ssh = {
diff --git a/hosts/ward/microvms/grafana/secrets/host.pub b/hosts/ward/microvms/grafana/secrets/host.pub
index e8bb16b..5a2447c 100644
--- a/hosts/ward/microvms/grafana/secrets/host.pub
+++ b/hosts/ward/microvms/grafana/secrets/host.pub
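Review bot: In the added `generator.script`, ssh-keygen's stderr is merged into the very stream that carries the private key — `exec 3>&1` makes fd 3 an alias of the captured stdout and `2>&1` routes diagnostics there as well — so any text ssh-keygen prints ends up inside the generated secret instead of being reported. That is likely to trigger here: `/proc/self/fd/3` stats as an existing path, so ssh-keygen asks on stdin whether to overwrite it, and because stdin is an empty here-document (`<</dev/null` opens a heredoc terminated by the literal `/dev/null`, probably a typo for `</dev/null`) it reads EOF, prints the prompt to stdout and exits without writing a key. Answering the prompt and keeping stderr separate, `... -f /proc/self/fd/3 <<<y 2>/dev/null`, leaves only key material on the capture stream; note that ssh-keygen's subsequent attempt to write `/proc/self/fd/3.pub` will still fail after the private key is out, so verify that the generator framework does not treat the non-zero exit as fatal, or validate the captured output before accepting it. The `lib` argument of the script function is unused. The enclosing module function's argument list begins before this hunk.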
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBn1J13YFYrxYV39rdqDzTaS8r/U4iNMQmcz9Oi+D6oq
diff --git a/hosts/ward/microvms/kanidm/secrets/host.pub b/hosts/ward/microvms/kanidm/secrets/host.pub
index d0decaf..0c553bf 100644
--- a/hosts/ward/microvms/kanidm/secrets/host.pub
+++ b/hosts/ward/microvms/kanidm/secrets/host.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Waic9tzHF2gnD480ArdOyIdzdM4SN6bmh0ceVKqFo
diff --git a/hosts/ward/microvms/vaultwarden/default.nix b/hosts/ward/microvms/vaultwarden/default.nix
index b9e51fe..1cbe8d2 100644
--- a/hosts/ward/microvms/vaultwarden/default.nix
+++ b/hosts/ward/microvms/vaultwarden/default.nix
@@ -34,17 +34,17 @@ in {
 import common
 reverse_proxy {
- to http://${config.services.vaultwarden.settings.ROCKET_ADDRESS}:${toString config.services.vaultwarden.settings.ROCKET_PORT}
+ to http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}
 header_up X-Real-IP {remote_host}
 }
 reverse_proxy /notifications/hub {
- to http://${config.services.vaultwarden.settings.WEBSOCKET_ADDRESS}:${toString config.services.vaultwarden.settings.WEBSOCKET_PORT}
+ to http://${config.services.vaultwarden.config.websocketAddress}:${toString config.services.vaultwarden.config.websocketPort}
 header_up X-Real-IP {remote_host}
 }
 reverse_proxy /notifications/hub/negotiate {
- to http://${config.services.vaultwarden.settings.ROCKET_ADDRESS}:${toString config.services.vaultwarden.settings.ROCKET_PORT}
+ to http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}
 header_up X-Real-IP {remote_host}
 }
 '';
diff --git a/hosts/ward/microvms/vaultwarden/secrets/host.pub b/hosts/ward/microvms/vaultwarden/secrets/host.pub
index f227506..44f89e3 100644
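Review bot: The replacement of the grafana host public key in this hunk, and likewise the kanidm and vaultwarden `secrets/host.pub` replacements in the hunks that follow, is not explained by the commit message, which mentions only refactoring fixes and the initrd key generator. If these are the recipient keys that `rekeyFile` secrets are re-encrypted to, swapping them silently changes which host identity can decrypt those secrets and invalidates any pinned known_hosts entries for the microVMs. The description should state why the keys changed (for example, the microVMs were recreated) and whether the affected `.age` secrets were rekeyed for the new keys.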
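Review bot: The rocket upstream is spelled out twice after the rename, once in the bare `reverse_proxy` block and again in `/notifications/hub/negotiate` (`to http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}`), which is the duplication that let the earlier refactor drift in the first place. Binding the vaultwarden config once in the `let` that the hunk header's `in {` belongs to, e.g. `vwCfg = config.services.vaultwarden.config;`, and writing `to http://${vwCfg.rocketAddress}:${toString vwCfg.rocketPort}` (and the websocket equivalent) keeps the three upstreams consistent. The Caddyfile string these lines belong to opens before the hunk.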
--- a/hosts/ward/microvms/vaultwarden/secrets/host.pub
+++ b/hosts/ward/microvms/vaultwarden/secrets/host.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTYmtppqehM9LuH9PwBJvBxvbyvauTlqtMeRHEYYqW9
diff --git a/modules/extra.nix b/modules/extra.nix
index 71c371d..c9169ab 100644
--- a/modules/extra.nix
+++ b/modules/extra.nix
@@ -50,7 +50,7 @@ in {
 # Sensible defaults for caddy
 services.caddy = mkIf config.services.caddy.enable {
- globalConfig = ''
+ extraConfig = ''
 (common) {
 encode zstd gzip
diff --git a/modules/promtail.nix b/modules/promtail.nix
index 36256ae..50fe674 100644
--- a/modules/promtail.nix
+++ b/modules/promtail.nix
@@ -48,7 +48,7 @@ in {
 clients = [
 {
- basicAuthUser = nodeName;
+ basic_auth.username = nodeName;
 basic_auth.password_file = config.age.secrets.promtail-loki-basic-auth-password.path;
 url = "https://${nodes.${cfg.proxy}.config.proxiedDomains.loki}/loki/api/v1/push";
 }