secrets-bao: inline configchanges, remove file, make configChanges attrs

RingOfStorms (Joshua Bell) 2026-01-05 22:43:44 -06:00
parent c1f5677520
commit bd8cff90ed
4 changed files with 269 additions and 257 deletions


@ -5,13 +5,32 @@
outputs = { ... }: outputs = { ... }:
{ {
nixosModules = { lib = {
default = { applyConfigChanges = secrets:
imports = [ let
(import ./nixos-module.nix) substitute = secretPath: value:
(import ./nixos-configchanges.nix) if builtins.isAttrs value then
]; builtins.mapAttrs (_: v: substitute secretPath v) value
else if builtins.isList value then
map (v: substitute secretPath v) value
else if builtins.isString value then
builtins.replaceStrings [ "$SECRET_PATH" ] [ secretPath ] value
else
value;
fragments = builtins.attrValues (builtins.mapAttrs (
name: s:
let
secretPath = s.path or ("/run/secrets/" + name);
in
substitute secretPath (s.configChanges or { })
) secrets);
in
builtins.foldl' (acc: v: acc // v) { } fragments;
}; };
nixosModules = {
default = import ./nixos-module.nix;
}; };
}; };
} }
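Review bot: The closing `builtins.foldl' (acc: v: acc // v) { } fragments` merges the per-secret fragments with the shallow `//`, so when two secrets both set keys under the same top-level attribute (say `services` or `systemd.services`) only the last fragment's subtree survives, whereas the `lib.mkMerge` in the deleted nixos-configchanges.nix let the module system merge them key by key and concatenate lists such as `after`. Because `outputs = { ... }:` discards every input, no nixpkgs `lib` is reachable here; the smallest fix is to take `lib` from a `nixpkgs` input (or as a leading argument) and end the function with `in lib.mkMerge fragments;`, which nests fine inside the consumer's own `lib.mkMerge [ … ]`. The `"/run/secrets/" + name` fallback also duplicates whatever default the module's `path` option has, so if the two ever drift the substituted paths point at the wrong file without an evaluation error; a comment such as `# fallback must match the secrets.<name>.path default in nixos-module.nix` would at least make that coupling visible.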


@ -1,10 +0,0 @@
{ config, lib, ... }:
let
cfg = config.ringofstorms.secretsBao;
secrets = cfg.secrets or { };
in
{
config = lib.mkIf cfg.enable (
lib.mkMerge (lib.mapAttrsToList (_: s: s.configChanges { path = s.path; }) secrets)
);
}


@ -371,9 +371,9 @@ in
}; };
configChanges = lib.mkOption { configChanges = lib.mkOption {
type = lib.types.functionTo lib.types.attrs; type = lib.types.attrs;
default = { path, ... }: { }; default = { };
description = "Function that returns extra config given { path = secret.path; }."; description = "Extra config applied when enabled; supports '$SECRET_PATH' string substitution.";
}; };
template = lib.mkOption { template = lib.mkOption {
@ -389,13 +389,15 @@ in
}; };
}; };
config = lib.mkIf cfg.enable (lib.mkMerge [ config = lib.mkIf cfg.enable (
lib.mkMerge [
{ {
assertions = lib.mapAttrsToList (name: s: { assertions = lib.mapAttrsToList (name: s: {
assertion = (s.template != null) || (s.kvPath != null); assertion = (s.template != null) || (s.kvPath != null);
message = "ringofstorms.secretsBao.secrets.${name} must set either template or kvPath"; message = "ringofstorms.secretsBao.secrets.${name} must set either template or kvPath";
}) cfg.secrets; }) cfg.secrets;
environment.systemPackages = [ environment.systemPackages = [
pkgs.jq pkgs.jq
pkgs.curl pkgs.curl
@ -594,5 +596,7 @@ in
} }
) cfg.secrets; ) cfg.secrets;
} }
]);
]
);
} }
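Review bot: The new description on the `configChanges` option in the `@ -371,9 +371,9` hunk, "Extra config applied when enabled; …", still reads as if this module applies it, but the commit deletes the module that did (`nixos-configchanges.nix`) and the consumer now has to call the flake's `lib.applyConfigChanges` itself, so a user who only sets `configChanges` silently gets nothing. Suggest `description = "Extra NixOS config for this secret. Not applied by this module: pass the secrets set through the flake's lib.applyConfigChanges. '$SECRET_PATH' in string values is replaced with the secret's path.";`. Separately, `lib.types.attrs` merges multiple definitions with a shallow `//` and drops nested keys without an error (the nixpkgs manual recommends `lib.types.attrsOf lib.types.anything` instead), which matters if a secret's `configChanges` is ever defined from two modules. The other two hunks only re-parenthesize the `lib.mkMerge` call, and the enclosing options set starts and ends outside the hunk.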


@ -44,6 +44,7 @@
nixosConfigurations = { nixosConfigurations = {
"${configuration_name}" = ( "${configuration_name}" = (
lib.nixosSystem { lib.nixosSystem {
specialArgs = { inherit inputs; };
modules = [ modules = [
inputs.nixos-hardware.nixosModules.framework-12-13th-gen-intel inputs.nixos-hardware.nixosModules.framework-12-13th-gen-intel
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
@ -90,27 +91,16 @@
inputs.common.nixosModules.remote_lio_builds inputs.common.nixosModules.remote_lio_builds
( (
{ config, ... }: { inputs, lib, ... }:
{ let
ringofstorms.secretsBao = {
enable = true;
zitadelKeyPath = "/machine-key.json";
openBaoAddr = "https://sec.joshuabell.xyz";
jwtAuthMountPath = "auth/zitadel-jwt";
openBaoRole = "machines";
zitadelIssuer = "https://sso.joshuabell.xyz";
zitadelProjectId = "344379162166820867";
debugMint = true;
secrets = { secrets = {
headscale_auth = { headscale_auth = {
kvPath = "kv/data/machines/home_roaming/headscale_auth"; kvPath = "kv/data/machines/home_roaming/headscale_auth";
dependencies = [ "tailscaled" ]; dependencies = [ "tailscaled" ];
configChanges = { path, ... }: { configChanges = {
services.tailscale.authKeyFile = path; services.tailscale.authKeyFile = "$SECRET_PATH";
}; };
}; };
nix2github = { nix2github = {
owner = "josh"; owner = "josh";
group = "users"; group = "users";
@ -132,13 +122,22 @@
kvPath = "kv/data/machines/home_roaming/nix2lio"; kvPath = "kv/data/machines/home_roaming/nix2lio";
}; };
}; };
}; in
lib.mkMerge [
systemd.services.tailscaled = { {
after = [ "openbao-secret-headscale_auth.service" ]; ringofstorms.secretsBao = {
requires = [ "openbao-secret-headscale_auth.service" ]; enable = true;
zitadelKeyPath = "/machine-key.json";
openBaoAddr = "https://sec.joshuabell.xyz";
jwtAuthMountPath = "auth/zitadel-jwt";
openBaoRole = "machines";
zitadelIssuer = "https://sso.joshuabell.xyz";
zitadelProjectId = "344379162166820867";
inherit secrets;
}; };
} }
(inputs.secrets-bao.lib.applyConfigChanges secrets)
]
) )
# inputs.beszel.nixosModules.agent # inputs.beszel.nixosModules.agent
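Review bot: The `@ -132,13 +122,22` hunk drops the explicit `systemd.services.tailscaled.after`/`requires` on `openbao-secret-headscale_auth.service` with no visible replacement; unless the module turns the `dependencies = [ "tailscaled" ]` kept on the secret into that same ordering, tailscaled can start before the auth key file exists, and this page cannot confirm which is the case. If the module does generate the ordering, a comment on the secret such as `# dependencies also orders tailscaled after the openbao-secret-headscale_auth unit` would record why the explicit lines went away; if it does not, the two removed lines belong back in the first element of the `lib.mkMerge`. The module function spans both hunks (it opens at `{ inputs, lib, ... }:` in the `@ -90,27 +91,16` hunk and closes at the `)` here), and the `specialArgs = { inherit inputs; }` added in the first hunk is what makes `inputs.secrets-bao.lib` reachable inside it.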