feat: add in the secrets defaults and exposure again
This commit is contained in:
parent
9a5256e8f0
commit
1174299e77
1 changed files with 61 additions and 14 deletions
75
module.nix
75
module.nix
|
|
@ -11,6 +11,27 @@ let
|
|||
package = cfg.package;
|
||||
qaApi = cfg.apiPackage;
|
||||
apiListen = "${cfg.apiListenAddress}:${toString cfg.apiListenPort}";
|
||||
usingDefaultWebhookSecret = cfg.webhookSecretFile == null;
|
||||
webhookSecretPath =
|
||||
if usingDefaultWebhookSecret then config.age.secrets.webhook-secret.path else cfg.webhookSecretFile;
|
||||
usingDefaultTorSecretKey = cfg.tor.onionSecretKeyFile == null;
|
||||
usingDefaultTorPublicKey = cfg.tor.onionPublicKeyFile == null;
|
||||
usingDefaultTorHostname = cfg.tor.onionHostnameFile == null;
|
||||
torOnionSecretKeyPath =
|
||||
if usingDefaultTorSecretKey then
|
||||
config.age.secrets.tor-onion-secret-key.path
|
||||
else
|
||||
cfg.tor.onionSecretKeyFile;
|
||||
torOnionPublicKeyPath =
|
||||
if usingDefaultTorPublicKey then
|
||||
config.age.secrets.tor-onion-public-key.path
|
||||
else
|
||||
cfg.tor.onionPublicKeyFile;
|
||||
torOnionHostnamePath =
|
||||
if usingDefaultTorHostname then
|
||||
config.age.secrets.tor-onion-hostname.path
|
||||
else
|
||||
cfg.tor.onionHostnameFile;
|
||||
caddyCommonConfig = ''
|
||||
header Cross-Origin-Opener-Policy "same-origin"
|
||||
header Cross-Origin-Embedder-Policy "require-corp"
|
||||
|
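Review bot: The three `torOnion*Path` bindings (and `webhookSecretPath`) each repeat the same `if usingDefaultX then config.age.secrets.<name>.path else cfg.…File` shape, and nothing in the hunk says that the `config.age.secrets.tor-onion-*` attributes only exist when `cfg.tor.enable` is set, so a future consumer outside that guard would hit a missing-attribute error at evaluation. A small helper keeps the four bindings in one place: `secretPathOr = name: explicit: if explicit == null then config.age.secrets.${name}.path else explicit;` with e.g. `torOnionSecretKeyPath = secretPathOr "tor-onion-secret-key" cfg.tor.onionSecretKeyFile;`. Whichever form is kept, a one-line comment such as `# tor-onion-* age secrets are only declared when cfg.tor.enable; consumers must stay behind that guard` above the Tor bindings would make the dependency explicit. The `let` block continues past the hunk.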
|
@ -133,21 +154,44 @@ in
|
|||
};
|
||||
|
||||
webhookSecretFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "File containing the WEBHOOK_SECRET for MTA Hook authentication.";
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
description = "File containing the WEBHOOK_SECRET for MTA Hook authentication. Defaults to the module-managed agenix secret when left unset.";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets.webhook-secret = lib.mkIf usingDefaultWebhookSecret {
|
||||
file = "${self}/secrets/webhook-secret.age";
|
||||
mode = "0400";
|
||||
};
|
||||
|
||||
age.secrets.tor-onion-secret-key = lib.mkIf (cfg.tor.enable && usingDefaultTorSecretKey) {
|
||||
file = "${self}/secrets/tor-onion-secret-key.age";
|
||||
owner = "tor";
|
||||
group = "tor";
|
||||
mode = "0400";
|
||||
};
|
||||
|
||||
age.secrets.tor-onion-public-key = lib.mkIf (cfg.tor.enable && usingDefaultTorPublicKey) {
|
||||
file = "${self}/secrets/tor-onion-public-key.age";
|
||||
owner = "tor";
|
||||
group = "tor";
|
||||
mode = "0444";
|
||||
};
|
||||
|
||||
age.secrets.tor-onion-hostname = lib.mkIf (cfg.tor.enable && usingDefaultTorHostname) {
|
||||
file = "${self}/secrets/tor-onion-hostname.age";
|
||||
owner = "tor";
|
||||
group = "tor";
|
||||
mode = "0444";
|
||||
};
|
||||
|
||||
assertions = [
|
||||
{
|
||||
assertion =
|
||||
!cfg.tor.enable
|
||||
|| (
|
||||
cfg.tor.onionSecretKeyFile != null
|
||||
&& cfg.tor.onionPublicKeyFile != null
|
||||
&& cfg.tor.onionHostnameFile != null
|
||||
);
|
||||
|| (torOnionSecretKeyPath != null && torOnionPublicKeyPath != null && torOnionHostnamePath != null);
|
||||
message = "services.jetpham-website.tor requires onionSecretKeyFile, onionPublicKeyFile, and onionHostnameFile.";
|
||||
}
|
||||
];
|
||||
|
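Review bot: The rewritten assertion at `|| (torOnionSecretKeyPath != null && torOnionPublicKeyPath != null && torOnionHostnamePath != null)` can no longer fail: each path binding either falls through to the agenix `.path` string or to a user-supplied non-null path, so both sides of the `||` are always satisfiable and the message "requires onionSecretKeyFile, onionPublicKeyFile, and onionHostnameFile" now describes a state that does not exist. Either drop the assertion or make it check something real, for example that the three files are set together rather than mixed: `assertion = !cfg.tor.enable || (usingDefaultTorSecretKey == usingDefaultTorPublicKey && usingDefaultTorPublicKey == usingDefaultTorHostname);` with a message saying the three options must be set or left unset as a group. Separately, the `mode = "0444"` on the public-key and hostname secrets makes them world-readable under the agenix directory; the onion hostname is public by nature, but since only the root-run `tor-onion-keys` oneshot reads them, `0400` would work equally well and is worth a comment if the wider mode is intentional.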
|
@ -176,15 +220,18 @@ in
|
|||
|
||||
systemd.services.tor-onion-keys = lib.mkIf cfg.tor.enable {
|
||||
description = "Copy Tor onion keys into place";
|
||||
after = lib.optional (
|
||||
usingDefaultTorSecretKey || usingDefaultTorPublicKey || usingDefaultTorHostname
|
||||
) "agenix.service";
|
||||
before = [ "tor.service" ];
|
||||
wantedBy = [ "tor.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = ''
|
||||
dir="/var/lib/tor/onion/jetpham-website"
|
||||
mkdir -p "$dir"
|
||||
cp ${cfg.tor.onionSecretKeyFile} "$dir/hs_ed25519_secret_key"
|
||||
cp ${cfg.tor.onionPublicKeyFile} "$dir/hs_ed25519_public_key"
|
||||
cp ${cfg.tor.onionHostnameFile} "$dir/hostname"
|
||||
cp ${torOnionSecretKeyPath} "$dir/hs_ed25519_secret_key"
|
||||
cp ${torOnionPublicKeyPath} "$dir/hs_ed25519_public_key"
|
||||
cp ${torOnionHostnamePath} "$dir/hostname"
|
||||
chown -R tor:tor "$dir"
|
||||
chmod 700 "$dir"
|
||||
chmod 400 "$dir/hs_ed25519_secret_key"
|
||||
|
|
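Review bot: The `cp ${torOnionSecretKeyPath} "$dir/hs_ed25519_secret_key"` line writes the private key with the service's default umask before the later `chmod 400` tightens it, and on first boot `mkdir -p "$dir"` likewise creates the directory at its default mode before `chmod 700`, so the key is briefly readable more widely than intended; prefixing the script with `umask 077` closes that window for all three copies (or replace the `cp` lines with `install -m 0400 -o tor -g tor SRC DST`, which sets ownership and mode atomically). The `after = lib.optional (…) "agenix.service"` only orders the unit; the sibling `jetpham-qa-api` change in the next hunk adds both `after` and `wants`, so mirroring that here with `wants = lib.optional (usingDefaultTorSecretKey || usingDefaultTorPublicKey || usingDefaultTorHostname) "agenix.service";` keeps the two services consistent, assuming agenix.service is not already pulled in elsewhere. The `script` string continues past the hunk.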
@ -194,8 +241,8 @@ in
|
|||
|
||||
systemd.services.jetpham-qa-api = {
|
||||
description = "Jet Pham Q&A API";
|
||||
after = [ "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
after = [ "network-online.target" ] ++ lib.optional usingDefaultWebhookSecret "agenix.service";
|
||||
wants = [ "network-online.target" ] ++ lib.optional usingDefaultWebhookSecret "agenix.service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
|
|
@ -214,7 +261,7 @@ in
|
|||
ReadWritePaths = [ "/var/lib/jetpham-qa" ];
|
||||
Restart = "on-failure";
|
||||
RestartSec = 5;
|
||||
LoadCredential = "webhook-secret:${cfg.webhookSecretFile}";
|
||||
LoadCredential = "webhook-secret:${webhookSecretPath}";
|
||||
};
|
||||
script = ''
|
||||
if [ ! -s "$CREDENTIALS_DIRECTORY/webhook-secret" ]; then
|
||||
|
|
@ -223,7 +270,7 @@ in
|
|||
fi
|
||||
|
||||
export WEBHOOK_SECRET="$(cat "$CREDENTIALS_DIRECTORY/webhook-secret")"
|
||||
exec ${lib.getExe qaApi}
|
||||
exec ${qaApi}/bin/jetpham-qa-api
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
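Review bot: Replacing `exec ${lib.getExe qaApi}` with `exec ${qaApi}/bin/jetpham-qa-api` hardcodes the binary name, whereas `getExe` resolved it through the package's `meta.mainProgram`; since `qaApi` is `cfg.apiPackage` (an overridable option), a substitute package whose executable is named differently will now fail at service start instead of at evaluation time. If the change is deliberate because the package lacks `meta.mainProgram`, a comment such as `# apiPackage has no meta.mainProgram; binary name is fixed by the package` above the line would record that. The enclosing `config` attribute set continues outside the hunk.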
|
|||