mirror of
https://github.com/SebastianStork/nixos-config.git
synced 2026-01-22 08:04:25 +01:00
Remove unneeded secret fallback paths
This commit is contained in:
parent
8a4ca50606
commit
dd03ad4fde
2 changed files with 21 additions and 28 deletions
|
|
@ -5,16 +5,18 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
cfg = lib.filterAttrs (_: value: value.enable) config.myConfig.resticBackup;
|
backupServices = lib.filterAttrs (_: value: value.enable) config.myConfig.resticBackup;
|
||||||
|
|
||||||
healthchecksEnable = (lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { };
|
healthchecksEnable = (lib.filterAttrs (_: value: value.healthchecks.enable) backupServices) != { };
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.myConfig.resticBackup = lib.mkOption {
|
options.myConfig.resticBackup = lib.mkOption {
|
||||||
type = lib.types.attrsOf (
|
type = lib.types.attrsOf (
|
||||||
lib.types.submodule {
|
lib.types.submodule {
|
||||||
options = {
|
options = {
|
||||||
enable = lib.mkEnableOption "";
|
enable = lib.mkEnableOption "" // {
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
user = lib.mkOption {
|
user = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
default = config.users.users.root.name;
|
default = config.users.users.root.name;
|
||||||
|
|
@ -30,22 +32,12 @@ in
|
||||||
default = { };
|
default = { };
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf (cfg != { }) {
|
config = lib.mkIf (backupServices != { }) {
|
||||||
systemd.tmpfiles.rules =
|
|
||||||
(lib.optionals (!config.myConfig.sops.enable) [
|
|
||||||
"z /run/secrets/restic/environment 440 root ${config.users.groups.backup.name} -"
|
|
||||||
"z /run/secrets/restic/password 440 root ${config.users.groups.backup.name} -"
|
|
||||||
"z /run/secrets/healthchecks-ping-key 440 root ${config.users.groups.backup.name} -"
|
|
||||||
])
|
|
||||||
++ lib.mapAttrsToList (
|
|
||||||
name: value: "d /var/cache/restic-backups-${name} 700 ${value.user} ${value.user} -"
|
|
||||||
) cfg;
|
|
||||||
|
|
||||||
users.groups.backup.members = builtins.filter (user: user != config.users.users.root.name) (
|
users.groups.backup.members = builtins.filter (user: user != config.users.users.root.name) (
|
||||||
lib.mapAttrsToList (_: value: value.user) cfg
|
lib.mapAttrsToList (_: value: value.user) backupServices
|
||||||
);
|
);
|
||||||
|
|
||||||
sops.secrets = lib.optionalAttrs config.myConfig.sops.enable (
|
sops.secrets =
|
||||||
let
|
let
|
||||||
resticPermissions = {
|
resticPermissions = {
|
||||||
mode = "440";
|
mode = "440";
|
||||||
|
|
@ -56,8 +48,12 @@ in
|
||||||
"restic/environment" = resticPermissions;
|
"restic/environment" = resticPermissions;
|
||||||
"restic/password" = resticPermissions;
|
"restic/password" = resticPermissions;
|
||||||
"healthchecks-ping-key" = lib.mkIf healthchecksEnable resticPermissions;
|
"healthchecks-ping-key" = lib.mkIf healthchecksEnable resticPermissions;
|
||||||
}
|
};
|
||||||
);
|
|
||||||
|
systemd.tmpfiles.rules = lib.mapAttrsToList (
|
||||||
|
name: value:
|
||||||
|
"d /var/cache/restic-backups-${name} 700 ${value.user} ${config.users.groups.backup.name} -"
|
||||||
|
) backupServices;
|
||||||
|
|
||||||
services.restic.backups = lib.mapAttrs (
|
services.restic.backups = lib.mapAttrs (
|
||||||
name: value:
|
name: value:
|
||||||
|
|
@ -66,9 +62,8 @@ in
|
||||||
inherit (value) user;
|
inherit (value) user;
|
||||||
initialize = true;
|
initialize = true;
|
||||||
repository = "s3:https://s3.eu-central-003.backblazeb2.com/stork-atlas/${name}";
|
repository = "s3:https://s3.eu-central-003.backblazeb2.com/stork-atlas/${name}";
|
||||||
environmentFile =
|
environmentFile = config.sops.secrets."restic/environment".path;
|
||||||
config.sops.secrets."restic/environment".path or "/run/secrets/restic/environment";
|
passwordFile = config.sops.secrets."restic/password".path;
|
||||||
passwordFile = config.sops.secrets."restic/password".path or "/run/secrets/restic/password";
|
|
||||||
pruneOpts = [
|
pruneOpts = [
|
||||||
"--keep-daily 7"
|
"--keep-daily 7"
|
||||||
"--keep-weekly 5"
|
"--keep-weekly 5"
|
||||||
|
|
@ -78,7 +73,7 @@ in
|
||||||
}
|
}
|
||||||
value.extraConfig
|
value.extraConfig
|
||||||
]
|
]
|
||||||
) cfg;
|
) backupServices;
|
||||||
|
|
||||||
systemd.services = lib.mkMerge [
|
systemd.services = lib.mkMerge [
|
||||||
(lib.mapAttrs' (
|
(lib.mapAttrs' (
|
||||||
|
|
@ -88,7 +83,7 @@ in
|
||||||
onSuccess = [ "healthcheck-ping@${name}-backup.service" ];
|
onSuccess = [ "healthcheck-ping@${name}-backup.service" ];
|
||||||
onFailure = [ "healthcheck-ping@${name}-backup_fail.service" ];
|
onFailure = [ "healthcheck-ping@${name}-backup_fail.service" ];
|
||||||
}
|
}
|
||||||
) (lib.filterAttrs (_: value: value.healthchecks.enable) cfg))
|
) (lib.filterAttrs (_: value: value.healthchecks.enable) backupServices))
|
||||||
|
|
||||||
(lib.mkIf healthchecksEnable {
|
(lib.mkIf healthchecksEnable {
|
||||||
"healthcheck-ping@" = {
|
"healthcheck-ping@" = {
|
||||||
|
|
@ -97,7 +92,7 @@ in
|
||||||
scriptArgs = "%i";
|
scriptArgs = "%i";
|
||||||
script = ''
|
script = ''
|
||||||
${lib.getExe pkgs.curl} --fail --silent --show-error --max-time 10 --retry 5 https://hc-ping.com/$(cat ${
|
${lib.getExe pkgs.curl} --fail --silent --show-error --max-time 10 --retry 5 https://hc-ping.com/$(cat ${
|
||||||
config.sops.secrets."healthchecks-ping-key".path or "/run/secrets/healthchecks-ping-key"
|
config.sops.secrets."healthchecks-ping-key".path
|
||||||
})/$(echo $1 | tr _ /)
|
})/$(echo $1 | tr _ /)
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -23,13 +23,11 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
sops.secrets = lib.optionalAttrs config.myConfig.sops.enable {
|
sops.secrets."tailscale-auth-key" = { };
|
||||||
"tailscale-auth-key" = { };
|
|
||||||
};
|
|
||||||
|
|
||||||
services.tailscale = {
|
services.tailscale = {
|
||||||
enable = true;
|
enable = true;
|
||||||
authKeyFile = config.sops.secrets."tailscale-auth-key".path or "/run/secrets/tailscale-auth-key";
|
authKeyFile = config.sops.secrets."tailscale-auth-key".path;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
useRoutingFeatures = if (cfg.exitNode.enable || (cfg.serve != null)) then "server" else "client";
|
useRoutingFeatures = if (cfg.exitNode.enable || (cfg.serve != null)) then "server" else "client";
|
||||||
extraUpFlags = [ "--reset=true" ];
|
extraUpFlags = [ "--reset=true" ];
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue