From 25362147344d324d7fa4981499d9ddb25840a63e Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Sat, 9 Apr 2022 20:59:11 +0100 Subject: [PATCH] deluge: migrate auth file to vault --- ops/nixos/lib/deluge.nix | 12 +++++++++++- ops/vault/cfg/config.nix | 23 +++++++++++------------ ops/vault/cfg/servers.nix | 6 ++++-- 3 files changed, 26 insertions(+), 15 deletions(-) diff --git a/ops/nixos/lib/deluge.nix b/ops/nixos/lib/deluge.nix index c79504d650..93fb90370f 100644 --- a/ops/nixos/lib/deluge.nix +++ b/ops/nixos/lib/deluge.nix @@ -27,9 +27,19 @@ in { move_completed_paths_list = [ "/store/content/Anime" "/store/content/Films" "/store/content/TV" ]; enabled_plugins = [ "Label" ]; }; - authFile = secrets.deluge.authFile; + authFile = config.my.vault.secrets.deluge-auth-file.path; web.enable = true; package = depot.pkgs.deluge; }; + + my.vault.secrets.deluge-auth-file = { + reloadOrRestartUnits = ["deluge.service"]; + group = "deluge"; + template = '' + {{ with secret "kv/apps/pomerium" }} + {{ .Data.data.authfile }} + {{ end }} + ''; + }; } diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix index df36033625..9d83202d21 100644 --- a/ops/vault/cfg/config.nix +++ b/ops/vault/cfg/config.nix @@ -41,19 +41,14 @@ path = "kv/misc-input"; }; + my.apps.deluge = {}; my.apps.pomerium = {}; - my.servers.etheroute-lon01.apps = [ "pomerium" ]; - - my.apps.sslrenew-raritan = { - policy = '' - # sslrenew-raritan is permitted to issue certificates. - path "acme/certs/*" { - capabilities = ["create"] - } - ''; - }; - my.servers.totoro.apps = [ "sslrenew-raritan" ]; - + my.apps.sslrenew-raritan.policy = '' + # sslrenew-raritan is permitted to issue certificates. + path "acme/certs/*" { + capabilities = ["create"] + } + ''; my.apps.deployer.policy = '' # Allow reading nix-daemon secrets path "kv/data/apps/nix-daemon" { 
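Review bot: The new `my.vault.secrets.deluge-auth-file` template pulls the Deluge credentials from `{{ with secret "kv/apps/pomerium" }}` even though this same commit registers a separate `deluge` Vault app, so either the deluge hosts' tokens must be granted read access to pomerium's secret path (widening what a torrent box can read from the proxy's secrets) or the render fails at deploy time; the policy generator that decides this lives in servers.nix, outside this hunk. Unless the co-location is deliberate, keep the auth file under the deluge app's own path and read `{{ with secret "kv/apps/deluge" }}` instead. Note also that `with` renders nothing when the secret or key is absent, so a typo in `authfile` presumably yields an empty auth file and a running daemon with no declared users rather than a failed render — worth a comment on the template such as `# Renders empty (not an error) if the kv key is missing; check the file after first deploy.`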
@@ -63,4 +58,8 @@ capabilities = ["read"] } ''; + + my.servers.etheroute-lon01.apps = [ "pomerium" ]; + my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" ]; + my.servers.clouvider-fra01.apps = [ "deluge" ]; } diff --git a/ops/vault/cfg/servers.nix b/ops/vault/cfg/servers.nix index 948045b6b0..bb2d12e3fe 100644 --- a/ops/vault/cfg/servers.nix +++ b/ops/vault/cfg/servers.nix @@ -1,7 +1,7 @@ { depot, lib, config, ... }: let - inherit (lib) mkOption nameValuePair mapToAttrs types mkEnableOption mapAttrs' filterAttrs mkMerge mapAttrsToList concatStringsSep; + inherit (lib) mkOption nameValuePair mapToAttrs types mkEnableOption mapAttrs' filterAttrs mkMerge mapAttrsToList concatStringsSep mkBefore; minutes = m: m * 60; @@ -25,7 +25,7 @@ let apps = mkOption { type = with types; listOf str; - default = [ "deployer" ]; + default = []; }; appPolicies = mkOption { @@ -63,6 +63,8 @@ let ''; }; }; + + config.apps = mkBefore [ "deployer" ]; })); cfg = config.my.enabledServers;
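Review bot: `my.servers.totoro.apps` and `my.servers.clouvider-fra01.apps` both list `deluge`, so two hosts receive the deluge policy and render the identical auth file, meaning one set of Deluge credentials is shared across both machines and a compromise of either exposes it for the other. If that is intended, say so where the mapping now lives, e.g. `# Host → Vault app roles. Both deluge hosts share the single kv/apps/deluge auth file.` The `my.servers` option itself is defined in servers.nix (outside this hunk), so whether a host listing the same app twice, or two hosts sharing one app, has any further effect on policy generation is not visible here.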
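Review bot: `config.apps = mkBefore [ "deployer" ]` makes every server unconditionally carry the `deployer` app — and with it the read policy on `kv/data/apps/nix-daemon` defined in config.nix — whereas with the old `default = [ "deployer" ]` a host that set `apps` explicitly replaced the default; in particular `etheroute-lon01` (`apps = [ "pomerium" ]`) now gains the deployer policy unless it already held it some other way. That privilege widening is probably the intent, but it deserves a comment at the definition: `# Every host always gets "deployer"; mkBefore prepends it even when apps is set explicitly. Use lib.mkForce on apps to opt a host out.` A host that still lists `"deployer"` itself will now have it twice in the list; whether `appPolicies` tolerates duplicates is outside this hunk, as the submodule starts before it.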