jet/website
jet/website
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add in the secrets defaults and exposure again

Browse source
This commit is contained in:
Jet 2026-03-28 20:35:52 -07:00
parent 9a5256e8f0
commit 1174299e77
No known key found for this signature in database
1 changed files with 61 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

75
module.nix
View file

@ -11,6 +11,27 @@ let
package = cfg.package; package = cfg.package;
qaApi = cfg.apiPackage; qaApi = cfg.apiPackage;
apiListen = "${cfg.apiListenAddress}:${toString cfg.apiListenPort}"; apiListen = "${cfg.apiListenAddress}:${toString cfg.apiListenPort}";
usingDefaultWebhookSecret = cfg.webhookSecretFile == null;
webhookSecretPath =
if usingDefaultWebhookSecret then config.age.secrets.webhook-secret.path else cfg.webhookSecretFile;
usingDefaultTorSecretKey = cfg.tor.onionSecretKeyFile == null;
usingDefaultTorPublicKey = cfg.tor.onionPublicKeyFile == null;
usingDefaultTorHostname = cfg.tor.onionHostnameFile == null;
torOnionSecretKeyPath =
if usingDefaultTorSecretKey then
config.age.secrets.tor-onion-secret-key.path
else
cfg.tor.onionSecretKeyFile;
torOnionPublicKeyPath =
if usingDefaultTorPublicKey then
config.age.secrets.tor-onion-public-key.path
else
cfg.tor.onionPublicKeyFile;
torOnionHostnamePath =
if usingDefaultTorHostname then
config.age.secrets.tor-onion-hostname.path
else
cfg.tor.onionHostnameFile;
caddyCommonConfig = '' caddyCommonConfig = ''
header Cross-Origin-Opener-Policy "same-origin" header Cross-Origin-Opener-Policy "same-origin"
header Cross-Origin-Embedder-Policy "require-corp" header Cross-Origin-Embedder-Policy "require-corp"
@ -133,21 +154,44 @@ in
}; };
webhookSecretFile = lib.mkOption { webhookSecretFile = lib.mkOption {
type = lib.types.path; type = lib.types.nullOr lib.types.path;
description = "File containing the WEBHOOK_SECRET for MTA Hook authentication."; default = null;
description = "File containing the WEBHOOK_SECRET for MTA Hook authentication. Defaults to the module-managed agenix secret when left unset.";
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
age.secrets.webhook-secret = lib.mkIf usingDefaultWebhookSecret {
file = "${self}/secrets/webhook-secret.age";
mode = "0400";
};
age.secrets.tor-onion-secret-key = lib.mkIf (cfg.tor.enable && usingDefaultTorSecretKey) {
file = "${self}/secrets/tor-onion-secret-key.age";
owner = "tor";
group = "tor";
mode = "0400";
};
age.secrets.tor-onion-public-key = lib.mkIf (cfg.tor.enable && usingDefaultTorPublicKey) {
file = "${self}/secrets/tor-onion-public-key.age";
owner = "tor";
group = "tor";
mode = "0444";
};
age.secrets.tor-onion-hostname = lib.mkIf (cfg.tor.enable && usingDefaultTorHostname) {
file = "${self}/secrets/tor-onion-hostname.age";
owner = "tor";
group = "tor";
mode = "0444";
};
assertions = [ assertions = [
{ {
assertion = assertion =
!cfg.tor.enable !cfg.tor.enable
|| ( || (torOnionSecretKeyPath != null && torOnionPublicKeyPath != null && torOnionHostnamePath != null);
cfg.tor.onionSecretKeyFile != null
&& cfg.tor.onionPublicKeyFile != null
&& cfg.tor.onionHostnameFile != null
);
message = "services.jetpham-website.tor requires onionSecretKeyFile, onionPublicKeyFile, and onionHostnameFile."; message = "services.jetpham-website.tor requires onionSecretKeyFile, onionPublicKeyFile, and onionHostnameFile.";
} }
]; ];
@ -176,15 +220,18 @@ in
systemd.services.tor-onion-keys = lib.mkIf cfg.tor.enable { systemd.services.tor-onion-keys = lib.mkIf cfg.tor.enable {
description = "Copy Tor onion keys into place"; description = "Copy Tor onion keys into place";
after = lib.optional (
usingDefaultTorSecretKey || usingDefaultTorPublicKey || usingDefaultTorHostname
) "agenix.service";
before = [ "tor.service" ]; before = [ "tor.service" ];
wantedBy = [ "tor.service" ]; wantedBy = [ "tor.service" ];
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
script = '' script = ''
dir="/var/lib/tor/onion/jetpham-website" dir="/var/lib/tor/onion/jetpham-website"
mkdir -p "$dir" mkdir -p "$dir"
cp ${cfg.tor.onionSecretKeyFile} "$dir/hs_ed25519_secret_key" cp ${torOnionSecretKeyPath} "$dir/hs_ed25519_secret_key"
cp ${cfg.tor.onionPublicKeyFile} "$dir/hs_ed25519_public_key" cp ${torOnionPublicKeyPath} "$dir/hs_ed25519_public_key"
cp ${cfg.tor.onionHostnameFile} "$dir/hostname" cp ${torOnionHostnamePath} "$dir/hostname"
chown -R tor:tor "$dir" chown -R tor:tor "$dir"
chmod 700 "$dir" chmod 700 "$dir"
chmod 400 "$dir/hs_ed25519_secret_key" chmod 400 "$dir/hs_ed25519_secret_key"
@ -194,8 +241,8 @@ in
systemd.services.jetpham-qa-api = { systemd.services.jetpham-qa-api = {
description = "Jet Pham Q&A API"; description = "Jet Pham Q&A API";
after = [ "network-online.target" ]; after = [ "network-online.target" ] ++ lib.optional usingDefaultWebhookSecret "agenix.service";
wants = [ "network-online.target" ]; wants = [ "network-online.target" ] ++ lib.optional usingDefaultWebhookSecret "agenix.service";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
DynamicUser = true; DynamicUser = true;
@ -214,7 +261,7 @@ in
ReadWritePaths = [ "/var/lib/jetpham-qa" ]; ReadWritePaths = [ "/var/lib/jetpham-qa" ];
Restart = "on-failure"; Restart = "on-failure";
RestartSec = 5; RestartSec = 5;
LoadCredential = "webhook-secret:${cfg.webhookSecretFile}"; LoadCredential = "webhook-secret:${webhookSecretPath}";
}; };
script = '' script = ''
if [ ! -s "$CREDENTIALS_DIRECTORY/webhook-secret" ]; then if [ ! -s "$CREDENTIALS_DIRECTORY/webhook-secret" ]; then
@ -223,7 +270,7 @@ in
fi fi
export WEBHOOK_SECRET="$(cat "$CREDENTIALS_DIRECTORY/webhook-secret")" export WEBHOOK_SECRET="$(cat "$CREDENTIALS_DIRECTORY/webhook-secret")"
exec ${lib.getExe qaApi} exec ${qaApi}/bin/jetpham-qa-api
''; '';
}; };