diff --git a/flake/scripts.nix b/flake/scripts.nix
index 55bb2d0..75f3ae3 100644
--- a/flake/scripts.nix
+++ b/flake/scripts.nix
@@ -13,8 +13,6 @@ _: {
 pkgs.jq
 ];
- excludeShellChecks = [ "SC2155" ];
-
 text = ''
 if [[ $# -ne 2 ]]; then
 echo "Usage: $0 "
@@ -25,7 +23,7 @@ _: {
 destination="$2"
 root="/tmp/anywhere/$host"
- impermanence=$(nix eval ".#nixosConfigurations.$host.config.custom.impermanence.enable")
+ impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.impermanence.enable")"
 if [ "$impermanence" = true ]; then
 ssh_dir="$root/persist/etc/ssh"
 else
@@ -38,13 +36,16 @@ _: {
 ssh-keygen -C "root@$host" -f "$ssh_dir/ssh_host_ed25519_key" -N "" -q
 echo "==> Replacing old age key with new age key..."
- new_age_key=$(ssh-to-age -i "$ssh_dir/ssh_host_ed25519_key.pub")
+ new_age_key="$(ssh-to-age -i "$ssh_dir/ssh_host_ed25519_key.pub")"
 sed -i -E "s|(agePublicKey\s*=\s*\")[^\"]*(\";)|\1$new_age_key\2|" "hosts/$host/default.nix"
 echo "==> Updating SOPS secrets..."
- export BW_SESSION=$(bw login --raw)
- export SOPS_AGE_KEY=$(bw get item 'admin age-key' | jq -r '.notes')
- export SOPS_CONFIG=$(nix build .#sops-config --print-out-paths)
+ BW_SESSION="$(bw login --raw)"
+ export BW_SESSION
+ SOPS_AGE_KEY="$(bw get item 'admin age-key' | jq -r '.notes')"
+ export SOPS_AGE_KEY
+ SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"
+ export SOPS_CONFIG
 sops updatekeys --yes "hosts/$host/secrets.json"
 fi
diff --git a/flake/sops.nix b/flake/sops.nix
index 4875d53..1355c81 100644
--- a/flake/sops.nix
+++ b/flake/sops.nix
@@ -50,9 +50,12 @@
 pkgs.jq
 ];
 shellHook = ''
- export BW_SESSION=$(bw login --raw)
- export SOPS_AGE_KEY=$(bw get item 'admin age-key' | jq -r '.notes')
- export SOPS_CONFIG=${self'.packages.sops-config}
+ BW_SESSION="$(bw login --raw)"
+ export BW_SESSION
+ SOPS_AGE_KEY="$(bw get item 'admin age-key' | jq -r '.notes')"
+ export SOPS_AGE_KEY
+ SOPS_CONFIG="${self'.packages.sops-config}"
+ export SOPS_CONFIG
 '';
 };
 };
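Review bot: `SOPS_AGE_KEY` — the admin age private key pulled from Bitwarden — is exported before `SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"` runs, so the Nix client and everything it spawns inherit the key although only the final `sops updatekeys` needs it; `BW_SESSION` is exported the same way. Computing `SOPS_CONFIG` first, or scoping the key to its one consumer, `SOPS_AGE_KEY="$(bw get item 'admin age-key' | jq -r '.notes')" sops updatekeys --yes "hosts/$host/secrets.json"`, keeps it out of unrelated process environments. Separating the assignment from `export` is the SC2155 fix that the removed `excludeShellChecks` entry hints at; if this text runs under `writeShellApplication`'s `set -e` (the wrapper is not visible here), a failed `bw login` now aborts the script instead of being masked by `export`'s exit status, which deserves a comment such as `# assignment kept separate from export so a failing bw/jq call aborts the script` so the lines are not merged again later. The `if` that this `fi` closes starts outside the hunk.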
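Review bot: In `shellHook` the split `BW_SESSION="$(bw login --raw)"` / `export BW_SESSION` does not change failure behaviour, because as far as I know a `nix develop` shell hook is evaluated in the interactive shell without errexit: when `bw login` fails, `BW_SESSION` is empty, the following `bw get item` fails too, and `SOPS_AGE_KEY` is exported as an empty string, so the shell comes up looking healthy but without a usable key. Check the result before relying on it, e.g. `[ -n "$SOPS_AGE_KEY" ] || echo "warning: could not fetch the admin age key from Bitwarden" >&2`. This hook also places the long-lived admin age private key in the environment of every process started from the dev shell; a comment on `shellHook` such as `# exposes the admin age key to the whole shell: use only for secret administration` makes that scope explicit.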
diff --git a/hosts/shared.nix b/hosts/shared.nix
index 22872c1..29c36f3 100644
--- a/hosts/shared.nix
+++ b/hosts/shared.nix
@@ -41,6 +41,8 @@
 };
 };
+ systemd.enableStrictShellChecks = true;
+
 time.timeZone = "Europe/Berlin";
 i18n = {
 defaultLocale = "en_US.UTF-8";
diff --git a/modules/system/services/forgejo/default.nix b/modules/system/services/forgejo/default.nix
index 0405b88..1db4a23 100644
--- a/modules/system/services/forgejo/default.nix
+++ b/modules/system/services/forgejo/default.nix
@@ -70,22 +70,33 @@ in
 };
 };
- systemd = {
- services.forgejo.preStart =
- let
- userCmd = "${lib.getExe config.services.forgejo.package} admin user";
- credentials = lib.concatStringsSep " " [
- "--username SebastianStork"
- "--password \"$PASSWORD\""
- ];
- in
- ''
- PASSWORD="$(< ${config.sops.secrets."forgejo/admin-password".path})"
+ systemd.services.forgejo.preStart =
+ let
+ userCmd = "${lib.getExe config.services.forgejo.package} admin user";
+ in
+ ''
+ username="SebastianStork"
+ password="$(cat ${config.sops.secrets."forgejo/admin-password".path})"
- ${userCmd} create ${credentials} --email "sebastian.stork@pm.me" --admin \ || ${userCmd} change-password ${credentials} --must-change-password=false
- '';
- };
+ create_user() {
+ ${userCmd} create \
+ --username "$username" \
+ --password "$password" \
+ --email "sebastian.stork@pm.me" \
+ --admin
+ }
+
+ reset_password() {
+ ${userCmd} change-password \
+ --username "$username" \
+ --password "$password" \
+ --must-change-password=false
+ }
+
+ if ! create_user; then
+ reset_password
+ fi
+ '';
 custom.services.resticBackups.forgejo = lib.mkIf cfg.doBackups {
 conflictingService = "forgejo.service";
diff --git a/modules/system/services/hedgedoc.nix b/modules/system/services/hedgedoc.nix
index 0862a07..1681bd4 100644
--- a/modules/system/services/hedgedoc.nix
+++ b/modules/system/services/hedgedoc.nix
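Review bot: `if ! create_user; then reset_password; fi` turns every non-zero exit of `create_user` into a password reset, so a failure unrelated to "user already exists" (database unavailable, e-mail validation, a changed CLI flag) is not surfaced but followed by a second command that fails for the same reason; this mirrors the old `||` chain, but the rewrite is the place to record the assumption, e.g. `# create exits non-zero once the admin exists; then only (re)apply the password`. Both helpers hand the admin password to the CLI as an argument (`--password "$password"`), where it is readable in `/proc/<pid>/cmdline` by other local users for the duration of the call — unchanged from the old `credentials` string, but worth a comment since I am not aware of a file- or stdin-based alternative in the `admin user` subcommands. `password="$(cat …)"` behaves like the previous `$(< …)` (trailing newlines stripped), so that part is a pure restyle.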
@@ -55,16 +55,16 @@ in
 };
 # Ensure session-secret
- systemd.services.hedgedoc.preStart =
- let
- sessionSecret = "/var/lib/hedgedoc/session-secret";
- in
- lib.mkBefore ''
- if [ ! -f ${sessionSecret} ]; then
- ${lib.getExe pkgs.pwgen} -s 64 1 > ${sessionSecret}
- fi
- export SESSION_SECRET=$(cat ${sessionSecret})
- '';
+ systemd.services.hedgedoc.preStart = lib.mkBefore ''
+ secret_file="/var/lib/hedgedoc/session-secret"
+
+ if [ ! -f $secret_file ]; then
+ ${lib.getExe pkgs.pwgen} -s 64 1 > $secret_file
+ fi
+
+ SESSION_SECRET="$(cat $secret_file)"
+ export SESSION_SECRET
+ '';
 custom.services.resticBackups.hedgedoc = lib.mkIf cfg.doBackups {
 conflictingService = "hedgedoc.service";
diff --git a/modules/system/services/radicale.nix b/modules/system/services/radicale.nix
index 1e16380..6547c63 100644
--- a/modules/system/services/radicale.nix
+++ b/modules/system/services/radicale.nix
@@ -49,8 +49,6 @@ in
 storage.hook =
 let
- createBirthdayCalendar = "${inputs.radicale-birthday-calendar}/create_birthday_calendar.py";
-
 hookScript = pkgs.writeShellApplication {
 name = "radicale-git-hook";
 runtimeInputs = [
@@ -64,9 +62,10 @@ in
 ))
 ];
 text = ''
- readonly username="$1"
+ username="$1"
+ create_birthday_calendar="${inputs.radicale-birthday-calendar}/create_birthday_calendar.py"
- git status --porcelain | awk '{print $2}' | python3 ${createBirthdayCalendar}
+ git status --porcelain | awk '{print $2}' | python3 $create_birthday_calendar
 git add -A
 if ! git diff --cached --quiet; then
diff --git a/modules/system/services/restic-backups/healthchecks.nix b/modules/system/services/restic-backups/healthchecks.nix
index 95db5db..6064d49 100644
--- a/modules/system/services/restic-backups/healthchecks.nix
+++ b/modules/system/services/restic-backups/healthchecks.nix
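Review bot: `${lib.getExe pkgs.pwgen} -s 64 1 > $secret_file` creates the session secret with whatever mode the unit's umask yields (0644 for the common 022 default), so unless the hedgedoc unit sets a restrictive `UMask` or `/var/lib/hedgedoc` is itself closed to other users — neither is visible in this hunk — the secret may be readable by every local account. Fixing the mode at creation time is a one-liner: `(umask 077; ${lib.getExe pkgs.pwgen} -s 64 1 > "$secret_file")`. Independently, `$secret_file` is expanded unquoted in the `-f` test, the redirection and the `cat`; with `systemd.enableStrictShellChecks = true` added in hosts/shared.nix in this same commit I would expect shellcheck's SC2086 to flag these, so quote them as `"$secret_file"` everywhere.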
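Review bot: `python3 $create_birthday_calendar` expands the new variable unquoted; a Nix store path contains no whitespace, so this is harmless today, but it is exactly what `writeShellApplication`'s shellcheck pass (SC2086) reports, so write `python3 "$create_birthday_calendar"`. Dropping `readonly` from `username="$1"` loses the guard against later reassignment in the hook for no visible gain; unless shellcheck objected to it, `readonly username="$1"` can stay. `awk '{print $2}'` on `git status --porcelain` output is pre-existing, but note that it yields the wrong field for renames (`R old -> new`) and for paths containing spaces; the hook body continues past the end of the hunk.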
@@ -31,9 +31,15 @@ in
 serviceConfig.Type = "oneshot";
 scriptArgs = "%i";
 script = ''
- ${lib.getExe pkgs.curl} --fail --silent --show-error --max-time 10 --retry 5 https://hc-ping.com/$(cat ${
- config.sops.secrets."healthchecks/ping-key".path
- })/$(echo $1 | tr _ /)
+ ping_key="$(cat ${config.sops.secrets."healthchecks/ping-key".path})"
+ slug="$(echo "$1" | tr _ /)"
+
+ ${lib.getExe pkgs.curl} \
+ --fail \
+ --silent \
+ --show-error \
+ --max-time 10 \
+ --retry 5 "https://hc-ping.com/$ping_key/$slug"
 '';
 };
 }
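Review bot: The ping key is still part of curl's argv through `"https://hc-ping.com/$ping_key/$slug"`, so it is visible in `/proc/<pid>/cmdline` to any local user while the request is in flight (up to `--max-time 10` per attempt across `--retry 5`); the previous one-liner had the same exposure, but with the URL now in a variable it is easy to pass it via stdin instead, e.g. `printf 'url = "https://hc-ping.com/%s/%s"\n' "$ping_key" "$slug" | ${lib.getExe pkgs.curl} --config - --fail --silent --show-error --max-time 10 --retry 5`. `slug="$(echo "$1" | tr _ /)"` goes through `echo` for an instance name supplied via `%i`; `printf '%s' "$1" | tr _ /` avoids `echo` interpreting a name that begins with `-`. The last continuation line bundles `--retry 5` with the URL; putting the URL on its own line keeps one option per line as the rest of the call does.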