nix-config/secrets/default.nix

75 lines
1.8 KiB
Nix
Raw Normal View History

2021-06-12 20:12:19 +02:00
{ lib, ... }:
2021-02-14 14:13:31 +01:00
with lib;
let
2021-06-12 20:12:19 +02:00
throwOnCanary =
let
canaryHash = builtins.hashFile "sha256" ./canary;
expectedHash =
"9df8c065663197b5a1095122d48e140d3677d860343256abd5ab6e4fb4c696ab";
in
if canaryHash != expectedHash
then throw "Secrets are not readable. Have you run `git-crypt unlock`?"
else id;
2021-02-14 14:13:31 +01:00
in
2021-06-12 20:12:19 +02:00
throwOnCanary {
2021-02-14 14:13:31 +01:00
options.my.secrets = mkOption {
type =
let
valueType = with types; oneOf [
int
str
(attrsOf valueType)
2021-08-30 15:34:52 +02:00
(listOf valueType)
];
in
valueType;
2021-02-14 14:13:31 +01:00
};
config.my.secrets = {
acme.key = fileContents ./acme/key.env;
backup = {
password = fileContents ./backup/password.txt;
credentials = readFile ./backup/credentials.env;
};
drone = {
gitea = readFile ./drone/gitea.env;
secret = readFile ./drone/secret.env;
ssh = {
publicKey = readFile ./drone/ssh/key.pub;
privateKey = readFile ./drone/ssh/key;
};
};
lohr.secret = fileContents ./lohr/secret.txt;
matrix = {
mail = import ./matrix/mail.nix;
secret = fileContents ./matrix/secret.txt;
};
2021-02-14 14:13:31 +01:00
2021-02-15 18:45:38 +01:00
miniflux.password = fileContents ./miniflux/password.txt;
2021-07-13 19:11:03 +02:00
monitoring.password = fileContents ./monitoring/password.txt;
2021-02-14 14:13:31 +01:00
nextcloud.password = fileContents ./nextcloud/password.txt;
2021-08-19 13:07:51 +02:00
paperless.secretKey = fileContents ./paperless/secretKey.txt;
podgrab.password = fileContents ./podgrab/password.txt;
2021-08-30 14:17:18 +02:00
sso = import ./sso { inherit lib; };
2021-02-14 14:13:31 +01:00
transmission.password = fileContents ./transmission/password.txt;
users = {
ambroisie.hashedPassword = fileContents ./users/ambroisie/password.txt;
root.hashedPassword = fileContents ./users/root/password.txt;
};
2021-02-17 13:03:41 +01:00
2021-06-12 20:12:19 +02:00
wireguard = import ./wireguard { inherit lib; };
2021-02-14 14:13:31 +01:00
};
}