deluge: migrate auth file to vault

2022-04-09 20:59:11 +01:00 · 2022-04-09 20:59:11 +01:00 · 2536214734
commit 2536214734
parent a3ef78701e
3 changed files with 26 additions and 15 deletions
--- a/ops/nixos/lib/deluge.nix
+++ b/ops/nixos/lib/deluge.nix
@ -27,9 +27,19 @@ in {
      move_completed_paths_list = [ "/store/content/Anime" "/store/content/Films" "/store/content/TV" ];
      enabled_plugins = [ "Label" ];
    };
-    authFile = secrets.deluge.authFile;
+    authFile = config.my.vault.secrets.deluge-auth-file.path;

    web.enable = true;
    package = depot.pkgs.deluge;
  };
+
+  my.vault.secrets.deluge-auth-file = {
+    reloadOrRestartUnits = ["deluge.service"];
+    group = "deluge";
+    template = ''
+      {{ with secret "kv/apps/pomerium" }}
+      {{ .Data.data.authfile }}
+      {{ end }}
+    '';
+  };
 }
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@ -41,19 +41,14 @@
    path = "kv/misc-input";
  };

+  my.apps.deluge = {};
  my.apps.pomerium = {};
-  my.servers.etheroute-lon01.apps = [ "pomerium" ];
-
-  my.apps.sslrenew-raritan = {
-    policy = ''
-      # sslrenew-raritan is permitted to issue certificates.
-      path "acme/certs/*" {
-        capabilities = ["create"]
-      }
-    '';
-  };
-  my.servers.totoro.apps = [ "sslrenew-raritan" ];
-
+  my.apps.sslrenew-raritan.policy = ''
+    # sslrenew-raritan is permitted to issue certificates.
+    path "acme/certs/*" {
+      capabilities = ["create"]
+    }
+  '';
  my.apps.deployer.policy = ''
    # Allow reading nix-daemon secrets
    path "kv/data/apps/nix-daemon" {
@ -63,4 +58,8 @@
      capabilities = ["read"]
    }
  '';
+
+  my.servers.etheroute-lon01.apps = [ "pomerium" ];
+  my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" ];
+  my.servers.clouvider-fra01.apps = [ "deluge" ];
 }
--- a/ops/vault/cfg/servers.nix
+++ b/ops/vault/cfg/servers.nix
@ -1,7 +1,7 @@
 { depot, lib, config, ... }:

 let
-  inherit (lib) mkOption nameValuePair mapToAttrs types mkEnableOption mapAttrs' filterAttrs mkMerge mapAttrsToList concatStringsSep;
+  inherit (lib) mkOption nameValuePair mapToAttrs types mkEnableOption mapAttrs' filterAttrs mkMerge mapAttrsToList concatStringsSep mkBefore;

  minutes = m: m * 60;

@ -25,7 +25,7 @@ let

      apps = mkOption {
        type = with types; listOf str;
-        default = [ "deployer" ];
+        default = [];
      };

      appPolicies = mkOption {
@ -63,6 +63,8 @@ let
        '';
      };
    };
+
+    config.apps = mkBefore [ "deployer" ];
  }));

  cfg = config.my.enabledServers;