clanModules/murmur: improve secret loading logic

a-kenji
2024-09-26 16:07:20 +02:00
parent 1341bfca95
commit 4f4777389b
2 changed files with 23 additions and 10 deletions


@@ -11,8 +11,6 @@
{ {
clan.core.clanDir = ./.; clan.core.clanDir = ./.;
environment.systemPackages = [ pkgs.killall ]; environment.systemPackages = [ pkgs.killall ];
services.murmur.sslKey = "/etc/mumble-key";
services.murmur.sslCert = "/etc/mumble-cert";
clan.core.facts.services.mumble.secret."mumble-key".path = "/etc/mumble-key"; clan.core.facts.services.mumble.secret."mumble-key".path = "/etc/mumble-key";
clan.core.facts.services.mumble.public."mumble-cert".path = "/etc/mumble-cert"; clan.core.facts.services.mumble.public."mumble-cert".path = "/etc/mumble-cert";
} }
@@ -37,14 +35,14 @@
"mumble-cert".source = ./peer_1/peer_1_test_cert; "mumble-cert".source = ./peer_1/peer_1_test_cert;
}; };
systemd.tmpfiles.settings."vmsecrets" = { systemd.tmpfiles.settings."vmsecrets" = {
"/etc/secrets/mumble-key" = { "/var/lib/murmur/sslKey" = {
C.argument = "${./peer_1/peer_1_test_key}"; C.argument = "${./peer_1/peer_1_test_key}";
z = { z = {
mode = "0400"; mode = "0400";
user = "murmur"; user = "murmur";
}; };
}; };
"/etc/secrets/mumble-cert" = { "/var/lib/murmur/sslCert" = {
C.argument = "${./peer_1/peer_1_test_cert}"; C.argument = "${./peer_1/peer_1_test_cert}";
z = { z = {
mode = "0400"; mode = "0400";
@@ -52,8 +50,6 @@
}; };
}; };
}; };
services.murmur.sslKey = "/etc/mumble-key";
services.murmur.sslCert = "/etc/mumble-cert";
clan.core.facts.services.mumble.secret."mumble-key".path = "/etc/mumble-key"; clan.core.facts.services.mumble.secret."mumble-key".path = "/etc/mumble-key";
clan.core.facts.services.mumble.public."mumble-cert".path = "/etc/mumble-cert"; clan.core.facts.services.mumble.public."mumble-cert".path = "/etc/mumble-cert";
} }
@@ -71,14 +67,14 @@
"mumble-cert".source = ./peer_2/peer_2_test_cert; "mumble-cert".source = ./peer_2/peer_2_test_cert;
}; };
systemd.tmpfiles.settings."vmsecrets" = { systemd.tmpfiles.settings."vmsecrets" = {
"/etc/secrets/mumble-key" = { "/var/lib/murmur/sslKey" = {
C.argument = "${./peer_2/peer_2_test_key}"; C.argument = "${./peer_2/peer_2_test_key}";
z = { z = {
mode = "0400"; mode = "0400";
user = "murmur"; user = "murmur";
}; };
}; };
"/etc/secrets/mumble-cert" = { "/var/lib/murmur/sslCert" = {
C.argument = "${./peer_2/peer_2_test_cert}"; C.argument = "${./peer_2/peer_2_test_cert}";
z = { z = {
mode = "0400"; mode = "0400";
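Review bot: The `vmsecrets` entries for both peers now target `/var/lib/murmur/sslKey` and `/var/lib/murmur/sslCert`, the same paths the module's new `murmur` tmpfiles block creates, so each path ends up with two `C` rules that have different sources. To my understanding systemd-tmpfiles honours only one rule of a given type per path, so the test may pass without exercising the copy from the fact paths (`/etc/mumble-key`, `/etc/mumble-cert`) that real deployments depend on. If the module is imported by this test, dropping the `vmsecrets` block would test the real code path; otherwise a comment such as `# pre-seeds the files the murmur module would copy from the facts paths` would record the intent. Separately, `${./peer_1/peer_1_test_key}` and its peer_2 counterpart copy the key into the world-readable Nix store, which is fine for a fixture but deserves a `# test-only key, never reuse outside this VM test` comment.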


@@ -41,8 +41,8 @@ in
registerName = config.clan.core.machineName; registerName = config.clan.core.machineName;
openFirewall = true; openFirewall = true;
bonjour = true; bonjour = true;
sslKey = config.clan.core.facts.services.mumble.secret.mumble-key.path; sslKey = "/var/lib/murmur/sslKey";
sslCert = config.clan.core.facts.services.mumble.public.mumble-cert.path; sslCert = "/var/lib/murmur/sslCert";
}; };
clan.core.state.mumble.folders = [ clan.core.state.mumble.folders = [
@@ -54,6 +54,23 @@ in
"d '/var/lib/mumble' 0770 '${config.clan.services.mumble.user}' 'users' - -" "d '/var/lib/mumble' 0770 '${config.clan.services.mumble.user}' 'users' - -"
]; ];
systemd.tmpfiles.settings."murmur" = {
"/var/lib/murmur/sslKey" = {
C.argument = config.clan.core.facts.services.mumble.secret.mumble-key.path;
Z = {
mode = "0400";
user = "murmur";
};
};
"/var/lib/murmur/sslCert" = {
C.argument = config.clan.core.facts.services.mumble.public.mumble-cert.path;
Z = {
mode = "0400";
user = "murmur";
};
};
};
environment.systemPackages = environment.systemPackages =
let let
mumbleCfgDir = "/var/lib/mumble"; mumbleCfgDir = "/var/lib/mumble";
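Review bot: The `C` rules added under `systemd.tmpfiles.settings."murmur"` copy the key and certificate only when `/var/lib/murmur/sslKey` and `/var/lib/murmur/sslCert` do not exist yet, so a regenerated `mumble-key` fact would leave murmur serving the old key until the copies are removed. If copy-once is intended, a comment above the block should say so, e.g. `# tmpfiles "C" copies once; after rotating mumble-key, remove /var/lib/murmur/sslKey and sslCert so they are re-copied`. The block uses `Z` (recursive) where the test file uses `z`; for a single file `z` is enough and keeps the two consistent. The private key now exists in two places, so it is worth confirming that `/var/lib/murmur` is not picked up by `clan.core.state.mumble.folders` backups unintentionally; the contents of that list are outside this hunk.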