SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-03-22 20:09:07 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Prefer File in option names over Path

Browse source
This commit is contained in:
SebastianStork 2026-02-24 13:27:24 +01:00
parent ff6db45c0e
commit ef2b10f22c
Signed by: SebastianStork
SSH key fingerprint: SHA256:tRrGdjYOwgHxpSc/wTOZQZEjxcb15P0tyXRsbAfd+2Q
6 changed files with 18 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

4
external-hosts/fairphone/default.nix
View file

@ -15,8 +15,8 @@
services = { services = {
nebula = { nebula = {
publicKeyPath = toString ./keys/nebula.pub; publicKeyFile = ./keys/nebula.pub;
certificatePath = toString ./keys/nebula.crt; certificateFile = ./keys/nebula.crt;
}; };
syncthing = { syncthing = {

2
modules/home/programs/ssh.nix
View file

@ -8,7 +8,7 @@
{ {
options.custom.programs.ssh = { options.custom.programs.ssh = {
enable = lib.mkEnableOption ""; enable = lib.mkEnableOption "";
publicKeyPath = lib.mkOption { publicKeyFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
default = "${self}/users/${config.home.username}/@${osConfig.networking.hostName}/keys/ssh.pub"; default = "${self}/users/${config.home.username}/@${osConfig.networking.hostName}/keys/ssh.pub";
}; };

18
modules/system/services/nebula/default.nix
View file

@ -27,19 +27,19 @@ in
++ lib.optional config.custom.services.syncthing.enable "syncthing"; ++ lib.optional config.custom.services.syncthing.enable "syncthing";
}; };
caCertificatePath = lib.mkOption { caCertificateFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
default = ./ca.crt; default = ./ca.crt;
}; };
publicKeyPath = lib.mkOption { publicKeyFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
default = "${self}/hosts/${netCfg.hostName}/keys/nebula.pub"; default = "${self}/hosts/${netCfg.hostName}/keys/nebula.pub";
}; };
certificatePath = lib.mkOption { certificateFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
default = "${self}/hosts/${netCfg.hostName}/keys/nebula.crt"; default = "${self}/hosts/${netCfg.hostName}/keys/nebula.crt";
}; };
privateKeyPath = lib.mkOption { privateKeyFile = lib.mkOption {
type = lib.types.nullOr lib.types.path; type = lib.types.nullOr lib.types.path;
default = null; default = null;
}; };
@ -51,19 +51,19 @@ in
message = "`${netCfg.hostName}` is a Nebula lighthouse, but `underlay.isPublic` is not set. Lighthouses must be publicly reachable."; message = "`${netCfg.hostName}` is a Nebula lighthouse, but `underlay.isPublic` is not set. Lighthouses must be publicly reachable.";
}; };
sops.secrets."nebula/host-key" = lib.mkIf (cfg.privateKeyPath == null) { sops.secrets."nebula/host-key" = lib.mkIf (cfg.privateKeyFile == null) {
owner = config.users.users.nebula-mesh.name; owner = config.users.users.nebula-mesh.name;
restartUnits = [ "nebula@mesh.service" ]; restartUnits = [ "nebula@mesh.service" ];
}; };
environment.etc = { environment.etc = {
"nebula/ca.crt" = { "nebula/ca.crt" = {
source = cfg.caCertificatePath; source = cfg.caCertificateFile;
mode = "0440"; mode = "0440";
user = config.systemd.services."nebula@mesh".serviceConfig.User; user = config.systemd.services."nebula@mesh".serviceConfig.User;
}; };
"nebula/host.crt" = { "nebula/host.crt" = {
source = cfg.certificatePath; source = cfg.certificateFile;
mode = "0440"; mode = "0440";
user = config.systemd.services."nebula@mesh".serviceConfig.User; user = config.systemd.services."nebula@mesh".serviceConfig.User;
}; };
@ -75,8 +75,8 @@ in
ca = "/etc/nebula/ca.crt"; ca = "/etc/nebula/ca.crt";
cert = "/etc/nebula/host.crt"; cert = "/etc/nebula/host.crt";
key = key =
if (cfg.privateKeyPath != null) then if (cfg.privateKeyFile != null) then
cfg.privateKeyPath cfg.privateKeyFile
else else
config.sops.secrets."nebula/host-key".path; config.sops.secrets."nebula/host-key".path;

2
modules/system/services/sshd.nix
View file

@ -47,6 +47,6 @@ in
|> lib.filter (host: host.config |> lib.hasAttr "home-manager") |> lib.filter (host: host.config |> lib.hasAttr "home-manager")
|> lib.map (host: host.config.home-manager.users.seb.custom.programs.ssh) |> lib.map (host: host.config.home-manager.users.seb.custom.programs.ssh)
|> lib.filter (ssh: ssh.enable) |> lib.filter (ssh: ssh.enable)
|> lib.map (ssh: ssh.publicKeyPath); |> lib.map (ssh: ssh.publicKeyFile);
}; };
} }

4
scripts/nebula/recert-host.nix
View file

@ -15,8 +15,8 @@
address="$(nix eval --raw ".#allHosts.$host.config.custom.networking.overlay.cidr")" address="$(nix eval --raw ".#allHosts.$host.config.custom.networking.overlay.cidr")"
groups="$(nix eval --raw ".#allHosts.$host.config.custom.services.nebula.groups" --apply 'builtins.concatStringsSep ","')" groups="$(nix eval --raw ".#allHosts.$host.config.custom.services.nebula.groups" --apply 'builtins.concatStringsSep ","')"
ca_cert='modules/system/services/nebula/ca.crt' ca_cert='modules/system/services/nebula/ca.crt'
host_pub="$(nix eval --raw ".#allHosts.$host.config.custom.services.nebula.publicKeyPath")" host_pub="$(nix eval --raw ".#allHosts.$host.config.custom.services.nebula.publicKeyFile")"
host_cert="$(nix eval --raw ".#allHosts.$host.config.custom.services.nebula.certificatePath")" host_cert="$(nix eval --raw ".#allHosts.$host.config.custom.services.nebula.certificateFile")"
host_cert="''${host_cert#*-source/}" host_cert="''${host_cert#*-source/}"
if [[ $# -eq 2 ]]; then if [[ $# -eq 2 ]]; then

6
tests/infrastructure/default.nix
View file

@ -33,9 +33,9 @@
}; };
custom.services.nebula = { custom.services.nebula = {
caCertificatePath = ./keys/ca.crt; caCertificateFile = ./keys/ca.crt;
certificatePath = ./keys/${config.networking.hostName}.crt; certificateFile = ./keys/${config.networking.hostName}.crt;
privateKeyPath = ./keys/${config.networking.hostName}.key; privateKeyFile = ./keys/${config.networking.hostName}.key;
}; };
networking.extraHosts = lib.mkForce ""; networking.extraHosts = lib.mkForce "";