From 295c536b1a19713cf056f56d324885a007ae7c15 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Mon, 3 Jun 2024 20:01:14 +0200
Subject: [PATCH] sops -> clan facts

---
 nixos/machines/chungus/configuration.nix | 4 +-
 nixos/machines/chungus/services-s3.nix | 7 ++--
 .../machines/chungus/taskwarrior-autotag.nix | 42 ++++++++++++-------
 .../chungus/telemetry/opentelemetry-hass.nix | 38 -----------------
 nixos/machines/cream/configuration.nix | 3 --
 nixos/machines/orbi/media-nextcloud.nix | 15 ++++---
 6 files changed, 44 insertions(+), 65 deletions(-)
 delete mode 100644 nixos/machines/chungus/telemetry/opentelemetry-hass.nix

diff --git a/nixos/machines/chungus/configuration.nix b/nixos/machines/chungus/configuration.nix
index 2a5b246..488a409 100644
--- a/nixos/machines/chungus/configuration.nix
+++ b/nixos/machines/chungus/configuration.nix
@@ -20,7 +20,8 @@
 ./hass-zigbee2mqtt.nix
 ./hass.nix
- ./taskwarrior-autotag.nix
+ # todo: add autotag again
+ #./taskwarrior-autotag.nix
 ./media-audiobookshelf.nix
 ./media-castget.nix
@@ -33,7 +34,6 @@
 ./telemetry/grafana.nix
 ./telemetry/telegraf-smart.nix
 ./telemetry/telegraf.nix
- #./telemetry/opentelemetry-hass.nix
 ./telemetry/prometheus.nix
 ./telemetry/loki.nix
 # todo enable this one again
diff --git a/nixos/machines/chungus/services-s3.nix b/nixos/machines/chungus/services-s3.nix
index c05f6e5..4d45523 100644
--- a/nixos/machines/chungus/services-s3.nix
+++ b/nixos/machines/chungus/services-s3.nix
@@ -1,13 +1,14 @@
 { config, ... }:
 {
+
+ clanCore.facts.services.s3 = factsGenerator.password { name = "root"; service = "s3"; };
+
 services.minio = {
 enable = true;
 region = "home";
- rootCredentialsFile = config.sops.secrets.minioRootCredentials.path;
+ rootCredentialsFile = config.clanCore.facts.services.s3.secret."s3.root".path;
 };
- sops.secrets.minioRootCredentials = { };
-
 services.nginx = {
 enable = true;
 virtualHosts."s3.${config.networking.hostName}.private" = {
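Review bot: `factsGenerator.password` is referenced on the added `clanCore.facts.services.s3` line, but the module's argument set on the first context line of the services-s3.nix hunk is still `{ config, ... }:`, so `factsGenerator` is an unbound variable here and evaluation of this machine will fail; the media-nextcloud.nix hunk in this same commit adds it to its own argument set, and the same change is needed here: `{ config, factsGenerator, ... }:`. Separately, `services.minio.rootCredentialsFile` is documented as an EnvironmentFile-style file carrying the root user and root password variables, while a password generator presumably writes a bare password, so confirm what the `s3.root` fact actually contains before deploying — a mismatched file would leave minio failing to start or running with unexpected root credentials.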
diff --git a/nixos/machines/chungus/taskwarrior-autotag.nix b/nixos/machines/chungus/taskwarrior-autotag.nix
index 9706244..1717fb6 100644
--- a/nixos/machines/chungus/taskwarrior-autotag.nix
+++ b/nixos/machines/chungus/taskwarrior-autotag.nix
@@ -1,28 +1,42 @@
 { config, lib, pkgs, ... }:
 {
- sops.secrets.autotagTaskwarriorCa = {
- owner = "taskwarrior-autotag";
- key = "taskwarriorCa";
- };
- sops.secrets.autotagTaskwarriorCertificate = {
- owner = "taskwarrior-autotag";
- key = "taskwarriorCertificate";
- };
- sops.secrets.autotagTaskwarriorKey = {
- owner = "taskwarrior-autotag";
- key = "taskwarriorKey";
+
+ clanCore.facts.services.taskserver = {
+ secret."taskserver.ca" = { };
+ secret."taskserver.cert" = { };
+ secret."taskserver.key" = { };
+ generator.script = "";
 };
+ #sops.secrets.autotagTaskwarriorCa = {
+ # owner = "taskwarrior-autotag";
+ # key = "taskwarriorCa";
+ #};
+ #sops.secrets.autotagTaskwarriorCertificate = {
+ # owner = "taskwarrior-autotag";
+ # key = "taskwarriorCertificate";
+ #};
+ #sops.secrets.autotagTaskwarriorKey = {
+ # owner = "taskwarrior-autotag";
+ # key = "taskwarriorKey";
+ #};
+
 services.taskwarrior-autotag = {
 enable = true;
 recurrence = "off";
 onCalendar = "hourly";
 server = "taskd.ingolf-wagner.de:53589";
- caFile = config.sops.secrets.autotagTaskwarriorCa.path;
- certificateFile = config.sops.secrets.autotagTaskwarriorCertificate.path;
- keyFile = config.sops.secrets.autotagTaskwarriorKey.path;
+
+ #caFile = config.sops.secrets.autotagTaskwarriorCa.path;
+ #certificateFile = config.sops.secrets.autotagTaskwarriorCertificate.path;
+ #keyFile = config.sops.secrets.autotagTaskwarriorKey.path;
+ credentials = "1337/palo/ad40dce8-4b38-4011-b032-60a91b6f22cd";
+
+ caFile = config.clanCore.facts.services.taskserver.secret."taskserver.ca".path;
+ certificateFile = config.clanCore.facts.services.taskserver.secret."taskserver.cert".path;
+ keyFile = config.clanCore.facts.services.taskserver.secret."taskserver.key".path;
 };
 }
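Review bot: The new `clanCore.facts.services.taskserver` block declares three secrets but sets `generator.script = "";`, so nothing produces `taskserver.ca`, `taskserver.cert` or `taskserver.key`, and the removed sops declarations' `owner = "taskwarrior-autotag"` has no counterpart in the new entries, so it is unclear how the service user will be able to read the key file (and that it is the only non-root reader). Because configuration.nix in this commit comments out the import of this file, none of this is evaluated yet; an inline comment such as `# TODO: generator must provide ca/cert/key and make them readable by taskwarrior-autotag` would record the intent before the import is re-enabled. The added `credentials = "1337/palo/…"` line places the taskd client key in the committed configuration; keeping it as a fact/secret next to the certificate would be consistent with the rest of this commit. The twelve commented-out `sops.secrets.*` lines and the `#caFile`/`#certificateFile`/`#keyFile` lines are dead history that git already preserves, and the same applies to the `#sops.secrets.nextcloud_*` and `#hostPath` lines in the media-nextcloud.nix hunks.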
diff --git a/nixos/machines/chungus/telemetry/opentelemetry-hass.nix b/nixos/machines/chungus/telemetry/opentelemetry-hass.nix
deleted file mode 100644
index a57bec6..0000000
--- a/nixos/machines/chungus/telemetry/opentelemetry-hass.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ config, ... }:
-{
-
- #{
- # name = "home-assistant";
- # rules = [
- # {
- # record = "home_open_window_sum";
- # expr = ''sum( homeassistant_binary_sensor_state{entity=~"binary_sensor\\.window_02_contact|binary_sensor\\.window_03_contact|binary_sensor\\.window_04_contact|binary_sensor\\.window_05_contact|binary_sensor\\.window_06_contact|binary_sensor\\.window_07_contact"} )'';
- # }
- # ] ++ (map
- # (number:
- # {
- # record = "home_at_least_n_windows_open";
- # expr = ''home_open_window_sum >= bool ${toString number}'';
- # labels.n = number;
- # }) [ 1 2 3 ]);
- #};
-
- sops.secrets.hass_long_term_token.owner = "prometheus";
-
- services.opentelemetry-collector.settings = {
- service.pipelines.metrics.receivers = [ "prometheus" ];
- receivers.prometheus.config.scrape_configs = [
- {
- # see https://www.home-assistant.io/integrations/prometheus/
- job_name = "home-assistant";
- scrape_interval = "60s";
- metrics_path = "/api/prometheus";
- bearer_token_file = toString config.sops.secrets.hass_long_term_token.path;
- static_configs = [{
- targets = [ "127.0.0.1:8123" ];
- }];
- }
- ];
-
- };
-}
diff --git a/nixos/machines/cream/configuration.nix b/nixos/machines/cream/configuration.nix
index 85dabd1..8bf1042 100644
--- a/nixos/machines/cream/configuration.nix
+++ b/nixos/machines/cream/configuration.nix
@@ -21,9 +21,6 @@
 system.stateVersion = "22.11";
- sops.secrets.pushover_user_key = { };
- sops.secrets.pushover_api_key = { };
-
 # Use the systemd-boot EFI boot loader, not grub
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
diff --git a/nixos/machines/orbi/media-nextcloud.nix b/nixos/machines/orbi/media-nextcloud.nix
index 77a9430..578aae5 100644
--- a/nixos/machines/orbi/media-nextcloud.nix
+++ b/nixos/machines/orbi/media-nextcloud.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, config, factsGenerator, ... }:
 # don't forget the database backup before upgrading
 # -------------------------------------------------
@@ -50,8 +50,11 @@ in
 };
 };
- sops.secrets.nextcloud_database_password.owner = "nextcloud";
- sops.secrets.nextcloud_root_password.owner = "nextcloud";
+ #sops.secrets.nextcloud_database_password.owner = "nextcloud";
+ #sops.secrets.nextcloud_root_password.owner = "nextcloud";
+
+ clanCore.facts.services.nextcloud_root = factsGenerator.password { service = "nextcloud"; name = "root"; };
+ clanCore.facts.services.nextcloud_database = factsGenerator.password { service = "nextcloud"; name = "database"; };
 users.users.nextcloud = {
 isSystemUser = true;
@@ -72,12 +75,14 @@ in
 # mount host folders
 bindMounts = {
 rootpassword = {
- hostPath = "/run/secrets/nextcloud_root_password";
+ #hostPath = "/run/secrets/nextcloud_root_password";
+ hostPath = config.clanCore.facts.services.nextcloud_root.secret."nextcloud.root".path;
 mountPoint = "/run/secrets/nextcloud_root_password";
 isReadOnly = true;
 };
 databasepassword = {
- hostPath = "/run/secrets/nextcloud_database_password";
+ #hostPath = "/run/secrets/nextcloud_database_password";
+ hostPath = config.clanCore.facts.services.nextcloud_database.secret."nextcloud.database".path;
 mountPoint = "/run/secrets/nextcloud_database_password";
 isReadOnly = true;
 };
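Review bot: Switching `nextcloud_database` to `factsGenerator.password` in the second hunk will, if the generator creates a fresh value, yield a database password that no longer matches the one the existing database role was provisioned with, so the role's password must be rotated to the generated value (or the fact seeded from the current sops secret) before this is deployed; the same applies to `nextcloud_root` if the admin account already exists in the instance. The removed lines set `owner = "nextcloud"` on both sops secrets, while the new fact declarations carry no ownership, so confirm that the generated files end up readable by the container's nextcloud user through the bind mounts in the third hunk and are not readable by other users on the host. A short comment next to the two `clanCore.facts.services.nextcloud_*` lines stating how the initial values are migrated from the old sops secrets would save the next reader from rediscovering this.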