Merge branch 'main' into flake-update-2025-01-13

This commit is contained in:
Mic92
2025-01-14 14:19:07 +00:00
7 changed files with 43 additions and 24 deletions


@@ -31,6 +31,8 @@
clan.matrix-synapse.users.someuser = { }; clan.matrix-synapse.users.someuser = { };
clan.core.facts.secretStore = "vm"; clan.core.facts.secretStore = "vm";
clan.core.vars.settings.secretStore = "vm";
clan.core.vars.settings.publicStore = "in_repo";
# because we use systemd-tmpfiles to copy the secrets, we need to a separate systemd-tmpfiles call to provision them. # because we use systemd-tmpfiles to copy the secrets, we need to a separate systemd-tmpfiles call to provision them.
boot.postBootCommands = "${config.systemd.package}/bin/systemd-tmpfiles --create /etc/tmpfiles.d/00-vmsecrets.conf"; boot.postBootCommands = "${config.systemd.package}/bin/systemd-tmpfiles --create /etc/tmpfiles.d/00-vmsecrets.conf";
@@ -41,21 +43,21 @@
d.mode = "0700"; d.mode = "0700";
z.mode = "0700"; z.mode = "0700";
}; };
"/etc/secrets/synapse-registration_shared_secret" = { "/etc/secrets/matrix-synapse/synapse-registration_shared_secret" = {
f.argument = "supersecret"; f.argument = "supersecret";
z = { z = {
mode = "0400"; mode = "0400";
user = "root"; user = "root";
}; };
}; };
"/etc/secrets/matrix-password-admin" = { "/etc/secrets/matrix-password-admin/matrix-password-admin" = {
f.argument = "matrix-password1"; f.argument = "matrix-password1";
z = { z = {
mode = "0400"; mode = "0400";
user = "root"; user = "root";
}; };
}; };
"/etc/secrets/matrix-password-someuser" = { "/etc/secrets/matrix-password-someuser/matrix-password-someuser" = {
f.argument = "matrix-password2"; f.argument = "matrix-password2";
z = { z = {
mode = "0400"; mode = "0400";
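Review bot: The renamed `f` entries at L21, L28 and L35 now live in per-generator subdirectories (`/etc/secrets/matrix-synapse/…`, `/etc/secrets/matrix-password-admin/…`, `/etc/secrets/matrix-password-someuser/…`), but the only directory entry visible in the hunk is the one whose tail is at L18-L20 (its path is above the hunk), and no `d` entry is added for the new parents. As far as I recall, systemd-tmpfiles does not create missing parent directories for an `f` line, so unless these parents are declared elsewhere in the set the `boot.postBootCommands` call at L16 would fail to provision the secrets; even if they are created, the parent should carry the same `0700` as the top-level directory so the `0400 root` files are not listable. One entry per generator would cover it, e.g. `"/etc/secrets/matrix-synapse" = { d.mode = "0700"; z.mode = "0700"; };`. The enclosing attribute set continues past the end of the hunk.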


@@ -116,26 +116,28 @@ in
}; };
clan.postgresql.databases.matrix-synapse.restore.stopOnRestore = [ "matrix-synapse" ]; clan.postgresql.databases.matrix-synapse.restore.stopOnRestore = [ "matrix-synapse" ];
clan.core.facts.services = clan.core.vars.generators =
{ {
"matrix-synapse" = { "matrix-synapse" = {
secret."synapse-registration_shared_secret" = { }; files."synapse-registration_shared_secret" = { };
generator.path = with pkgs; [ runtimeInputs = with pkgs; [
coreutils coreutils
pwgen pwgen
]; ];
generator.script = '' migrateFact = "matrix-synapse";
echo -n "$(pwgen -s 32 1)" > "$secrets"/synapse-registration_shared_secret script = ''
echo -n "$(pwgen -s 32 1)" > "$out"/synapse-registration_shared_secret
''; '';
}; };
} }
// lib.mapAttrs' ( // lib.mapAttrs' (
name: user: name: user:
lib.nameValuePair "matrix-password-${user.name}" { lib.nameValuePair "matrix-password-${user.name}" {
secret."matrix-password-${user.name}" = { }; files."matrix-password-${user.name}" = { };
generator.path = with pkgs; [ xkcdpass ]; migrateFact = "matrix-password-${user.name}";
generator.script = '' runtimeInputs = with pkgs; [ xkcdpass ];
xkcdpass -n 4 -d - > "$secrets"/${lib.escapeShellArg "matrix-password-${user.name}"} script = ''
xkcdpass -n 4 -d - > "$out"/${lib.escapeShellArg "matrix-password-${user.name}"}
''; '';
} }
) cfg.users; ) cfg.users;
@@ -152,7 +154,7 @@ in
+ lib.concatMapStringsSep "\n" (user: '' + lib.concatMapStringsSep "\n" (user: ''
# only create user if it doesn't exist # only create user if it doesn't exist
/run/current-system/sw/bin/matrix-synapse-register_new_matrix_user --exists-ok --password-file ${ /run/current-system/sw/bin/matrix-synapse-register_new_matrix_user --exists-ok --password-file ${
config.clan.core.facts.services."matrix-password-${user.name}".secret."matrix-password-${user.name}".path config.clan.core.vars.generators."matrix-password-${user.name}".files."matrix-password-${user.name}".path
} --user "${user.name}" ${if user.admin then "--admin" else "--no-admin"} } --user "${user.name}" ${if user.admin then "--admin" else "--no-admin"}
'') (lib.attrValues cfg.users); '') (lib.attrValues cfg.users);
in in
@@ -161,7 +163,7 @@ in
serviceConfig.ExecStartPre = lib.mkBefore [ serviceConfig.ExecStartPre = lib.mkBefore [
"+${pkgs.coreutils}/bin/install -o matrix-synapse -g matrix-synapse ${ "+${pkgs.coreutils}/bin/install -o matrix-synapse -g matrix-synapse ${
lib.escapeShellArg lib.escapeShellArg
config.clan.core.facts.services.matrix-synapse.secret."synapse-registration_shared_secret".path config.clan.core.vars.generators.matrix-synapse.files."synapse-registration_shared_secret".path
} /run/synapse-registration-shared-secret" } /run/synapse-registration-shared-secret"
]; ];
serviceConfig.ExecStartPost = [ serviceConfig.ExecStartPost = [
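Review bot: In the `ExecStartPre` line at L73-L74 the new `vars.generators…files….path` value is spliced into the shell snippet inside `${ … }` with no quoting, while the equivalent path at L80-L82 is wrapped in `lib.escapeShellArg`; the two should agree, `--password-file ${lib.escapeShellArg config.clan.core.vars.generators."matrix-password-${user.name}".files."matrix-password-${user.name}".path}`. With the vm store the path now embeds the generator name (see the path pattern introduced in this commit), so it is no longer a fixed filename; whether a secret module can ever yield a path with shell-significant characters is decided outside this diff, and escaping removes the question. The same applies to `--user "${user.name}"` at L75, which is double-quoted but not escaped, although that line is unchanged here. The string building these commands continues outside the hunk.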


@@ -152,8 +152,7 @@ theme:
name: material name: material
features: features:
- navigation.instant - navigation.instant
- navigation.tabs - navigation.sections
- navigation.tabs.sticky
- navigation.footer - navigation.footer
- content.code.annotate - content.code.annotate
- content.code.copy - content.code.copy


@@ -17,14 +17,12 @@ you have a working setup, you can easily transfer your Nix configurations over.
We assume you are already using NixOS flakes to manage your configuration. If We assume you are already using NixOS flakes to manage your configuration. If
not, migrate to a flake-based setup following the official [NixOS not, migrate to a flake-based setup following the official [NixOS
documentation](https://nix.dev/manual/nix/2.25/command-ref/new-cli/nix3-flake.html) documentation](https://nix.dev/manual/nix/2.25/command-ref/new-cli/nix3-flake.html).
The snippet below shows a common Nix flake. For this example we will assume you The snippet below shows a common Nix flake. For this example we will assume you
have have two hosts: **berlin** and **cologne**. have have two hosts: **berlin** and **cologne**.
```nix ```nix
{ {
description = "My NixOS systems";
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
outputs = { self, nixpkgs, ... }: { outputs = { self, nixpkgs, ... }: {
@@ -32,7 +30,7 @@ have have two hosts: **berlin** and **cologne**.
nixosConfigurations = { nixosConfigurations = {
berlin = nixpkgs.lib.nixosSystem { berlin = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; # TODO should we use nixpkgs.hostPlatform here too? system = "x86_64-linux";
modules = [./machines/berlin/configuration.nix]; modules = [./machines/berlin/configuration.nix];
}; };
@@ -78,8 +76,6 @@ For the provide flake example, your flake should now look like this:
```nix ```nix
{ {
description = "My NixOS systems";
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
outputs = { self, nixpkgs, ... }: outputs = { self, nixpkgs, ... }:


@@ -15,3 +15,11 @@
.md-header img { .md-header img {
filter: invert(100%) brightness(100%); filter: invert(100%) brightness(100%);
} }
.md-nav__title {
color: black;
}
.md-nav__item.md-nav__item--section label span {
color: black;
}


@@ -16,10 +16,9 @@ in
{ {
imports = [ imports = [
./public/in_repo.nix ./public/in_repo.nix
# ./public/vm.nix
./secret/password-store.nix ./secret/password-store.nix
./secret/sops ./secret/sops
# ./secret/vm.nix ./secret/vm.nix
]; ];
options.clan.core.vars = lib.mkOption { options.clan.core.vars = lib.mkOption {
description = '' description = ''


@@ -0,0 +1,13 @@
{
config,
lib,
...
}:
{
config.clan.core.vars.settings = lib.mkIf (config.clan.core.vars.settings.secretStore == "vm") {
fileModule = file: {
path = "/etc/secrets/${file.config.generatorName}/${file.config.name}";
};
secretModule = "clan_cli.vars.secret_modules.vm";
};
}
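Review bot: `path` at L163 builds a location under `/etc/secrets` from `file.config.generatorName` and `file.config.name` and nothing in this file constrains what those names may contain; a name with a `/` or `..` component would resolve outside its generator's directory, and whether the option declarations for these names reject such values is outside the diff, so it is worth either asserting it here or noting the assumption. The new file also carries no comment saying when it applies or how its paths relate to the tmpfiles entries and the Python side; a header such as `# Secret store for the "vm" backend (active only when clan.core.vars.settings.secretStore == "vm"): each secret is expected at /etc/secrets/<generatorName>/<name>, matching clan_cli.vars.secret_modules.vm.` would make the `lib.mkIf` at L161 and the `secretModule` at L165 self-explanatory.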