chore: move generated secrets to separate directory

2023-07-31 12:42:46 +02:00 · 2023-07-31 12:42:46 +02:00 · 788e7e3fa7
commit 788e7e3fa7
parent eeac57d30d
27 changed files with 42 additions and 63 deletions
--- a/modules/config/secrets.nix
+++ b/modules/config/secrets.nix
@ -25,10 +25,10 @@
    # current system due to yubikey availability.
    forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem;
    hostPubkey = config.node.secretsDir + "/host.pub";
+    generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.node.name}";
  };

-  age.generators.dhparams.script = {pkgs, ...}: "${pkgs.openssl}/bin/openssl dhparam 4096";
-  age.generators.basic-auth.script = {
+  age.generators.basic-auth = {
    pkgs,
    lib,
    decrypt,
--- a/modules/meta/nginx.nix
+++ b/modules/meta/nginx.nix
@ -36,8 +36,7 @@ in {

  config = mkIf config.services.nginx.enable {
    age.secrets."dhparams.pem" = {
-      rekeyFile = config.node.secretsDir + "/dhparams.pem.age";
-      generator = "dhparams";
+      generator.script = "dhparams";
      mode = "440";
      group = "nginx";
    };
--- a/modules/meta/promtail.nix
+++ b/modules/meta/promtail.nix
@ -25,8 +25,7 @@ in {

  config = mkIf cfg.enable {
    age.secrets.promtail-loki-basic-auth-password = {
-      rekeyFile = config.node.secretsDir + "/promtail-loki-basic-auth-password.age";
-      generator = "alnum";
+      generator.script = "alnum";
      mode = "440";
      group = "promtail";
    };
--- a/modules/meta/telegraf.nix
+++ b/modules/meta/telegraf.nix
@ -16,7 +16,6 @@
    ;

  cfg = config.meta.telegraf;
-  nodeName = config.node.name;
 in {
  options.meta.telegraf = {
    enable = mkEnableOption (mdDoc "telegraf to push metrics to influx.");
@ -92,7 +91,7 @@ in {
          flush_interval = "20s";
          flush_jitter = "5s";
          precision = "1ms";
-          hostname = nodeName;
+          hostname = config.node.name;
          omit_hostname = false;
        };
        outputs = {
--- a/modules/optional/initrd-ssh.nix
+++ b/modules/optional/initrd-ssh.nix
@ -3,17 +3,7 @@
  pkgs,
  ...
 }: {
-  age.secrets.initrd_host_ed25519_key = {
-    rekeyFile = config.node.secretsDir + "/initrd_host_ed25519_key.age";
-    # Generate only an ssh-ed25519 private key
-    generator.script = {
-      pkgs,
-      lib,
-      ...
-    }: ''
-      (exec 3>&1; ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -f /proc/self/fd/3 <<<y >/dev/null 2>&1)
-    '';
-  };
+  age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";

  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {