secrets-bao: inline configchanges, remove file, make configChanges attrs

RingOfStorms (Joshua Bell) 2026-01-05 22:43:44 -06:00
parent c1f5677520
commit bd8cff90ed
4 changed files with 269 additions and 257 deletions


@ -5,13 +5,32 @@
outputs = { ... }:
{
nixosModules = {
default = {
imports = [
(import ./nixos-module.nix)
(import ./nixos-configchanges.nix)
];
lib = {
applyConfigChanges = secrets:
let
substitute = secretPath: value:
if builtins.isAttrs value then
builtins.mapAttrs (_: v: substitute secretPath v) value
else if builtins.isList value then
map (v: substitute secretPath v) value
else if builtins.isString value then
builtins.replaceStrings [ "$SECRET_PATH" ] [ secretPath ] value
else
value;
fragments = builtins.attrValues (builtins.mapAttrs (
name: s:
let
secretPath = s.path or ("/run/secrets/" + name);
in
substitute secretPath (s.configChanges or { })
) secrets);
in
builtins.foldl' (acc: v: acc // v) { } fragments;
};
nixosModules = {
default = import ./nixos-module.nix;
};
};
}
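Review bot: `builtins.foldl' (acc: v: acc // v) { } fragments` at the end of `applyConfigChanges` is a shallow merge, so two secrets whose `configChanges` share a top-level attribute (both setting something under `services`, say) end with the earlier fragment silently replaced instead of combined, whereas the deleted nixos-configchanges.nix merged through `lib.mkMerge` and the module system. A small recursive merge fixes this without needing nixpkgs `lib` in the flake's `outputs = { ... }:` scope (`lib.recursiveUpdate` would do the same if a nixpkgs input is reachable there; the inputs are not visible in this hunk). Separately, `s.path or ("/run/secrets/" + name)` re-states the module's default path at the flake level, so if the module's `path` default differs or later changes, substituted `$SECRET_PATH` values diverge from the real path with no error; a comment such as `# must match the default of secrets.<name>.path in nixos-module.nix` would at least flag the coupling. The enclosing `outputs` attrset continues past the hunk.
```nix
applyConfigChanges = secrets:
  let
    # Recursive merge: when both sides hold an attrset under the same key,
    # merge them; otherwise the right-hand value wins (as with `//`).
    deepMerge = a: b:
      a // builtins.mapAttrs (
        k: bv:
          let av = a.${k} or null;
          in if builtins.isAttrs av && builtins.isAttrs bv then deepMerge av bv else bv
      ) b;
    # … unchanged: substitute, fragments …
  in
  builtins.foldl' deepMerge { } fragments;
```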


@ -1,10 +0,0 @@
{ config, lib, ... }:
let
cfg = config.ringofstorms.secretsBao;
secrets = cfg.secrets or { };
in
{
config = lib.mkIf cfg.enable (
lib.mkMerge (lib.mapAttrsToList (_: s: s.configChanges { path = s.path; }) secrets)
);
}


@ -371,9 +371,9 @@ in
};
configChanges = lib.mkOption {
type = lib.types.functionTo lib.types.attrs;
default = { path, ... }: { };
description = "Function that returns extra config given { path = secret.path; }.";
type = lib.types.attrs;
default = { };
description = "Extra config applied when enabled; supports '$SECRET_PATH' string substitution.";
};
template = lib.mkOption {
@ -389,13 +389,15 @@ in
};
};
config = lib.mkIf cfg.enable (lib.mkMerge [
config = lib.mkIf cfg.enable (
lib.mkMerge [
{
assertions = lib.mapAttrsToList (name: s: {
assertion = (s.template != null) || (s.kvPath != null);
message = "ringofstorms.secretsBao.secrets.${name} must set either template or kvPath";
}) cfg.secrets;
environment.systemPackages = [
pkgs.jq
pkgs.curl
@ -594,5 +596,7 @@ in
}
) cfg.secrets;
}
]);
]
);
}
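Review bot: The new `description` in the first hunk (`Extra config applied when enabled; ...`) promises that the module applies `configChanges`, but after this commit nothing in the shown hunks reads the option: the nixos-configchanges.nix module that did is deleted, and application now depends on the consumer passing the same secrets attrset to the flake's `lib.applyConfigChanges`, as the host config in this commit does. Suggest the description state that explicitly, e.g. `Extra NixOS config fragment for this secret; the literal string '$SECRET_PATH' is replaced with the secret's path. Not applied by this module: pass the same secrets attrset to secrets-bao.lib.applyConfigChanges.` As a point of style, `lib.types.attrs` merges multiple definitions shallowly; `lib.types.attrsOf lib.types.anything` would merge nested fragments if a secret's `configChanges` is ever defined from more than one module. The option block and `config = lib.mkIf cfg.enable (...)` both extend outside the hunks shown.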


@ -44,6 +44,7 @@
nixosConfigurations = {
"${configuration_name}" = (
lib.nixosSystem {
specialArgs = { inherit inputs; };
modules = [
inputs.nixos-hardware.nixosModules.framework-12-13th-gen-intel
inputs.impermanence.nixosModules.impermanence
@ -90,27 +91,16 @@
inputs.common.nixosModules.remote_lio_builds
(
{ config, ... }:
{
ringofstorms.secretsBao = {
enable = true;
zitadelKeyPath = "/machine-key.json";
openBaoAddr = "https://sec.joshuabell.xyz";
jwtAuthMountPath = "auth/zitadel-jwt";
openBaoRole = "machines";
zitadelIssuer = "https://sso.joshuabell.xyz";
zitadelProjectId = "344379162166820867";
debugMint = true;
{ inputs, lib, ... }:
let
secrets = {
headscale_auth = {
kvPath = "kv/data/machines/home_roaming/headscale_auth";
dependencies = [ "tailscaled" ];
configChanges = { path, ... }: {
services.tailscale.authKeyFile = path;
configChanges = {
services.tailscale.authKeyFile = "$SECRET_PATH";
};
};
nix2github = {
owner = "josh";
group = "users";
@ -132,13 +122,22 @@
kvPath = "kv/data/machines/home_roaming/nix2lio";
};
};
};
systemd.services.tailscaled = {
after = [ "openbao-secret-headscale_auth.service" ];
requires = [ "openbao-secret-headscale_auth.service" ];
in
lib.mkMerge [
{
ringofstorms.secretsBao = {
enable = true;
zitadelKeyPath = "/machine-key.json";
openBaoAddr = "https://sec.joshuabell.xyz";
jwtAuthMountPath = "auth/zitadel-jwt";
openBaoRole = "machines";
zitadelIssuer = "https://sso.joshuabell.xyz";
zitadelProjectId = "344379162166820867";
inherit secrets;
};
}
(inputs.secrets-bao.lib.applyConfigChanges secrets)
]
)
# inputs.beszel.nixosModules.agent