switch jellyfin to new secrets contract
This rabbit hole of a task led me to: - Introduce a hardcoded secret module that is a secret provider for tests. - Update LDAP and SSO modules to use the secret contract. - Refactor the replaceSecrets library function to correctly fail when a secret file could not be read.
ibizaman
committed
Oct 13, 2024
1 parent
5a0ae36
commit 4879bd5
Showing
6 changed files
with
167 additions
and
38 deletions.
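--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,83 @@
+{ config, options, lib, pkgs, ... }:
+let
+cfg = config.shb.hardcodedsecret;
+opt = options.shb.hardcodedsecret;
+
+inherit (lib) mapAttrs' mkOption nameValuePair;
+inherit (lib.types) attrsOf listOf path str submodule;
+inherit (pkgs) writeText;
+in
+{
+options.shb.hardcodedsecret = mkOption {
+type = attrsOf (submodule ({ name, ... }: {
+options = {
+mode = mkOption {
+description = ''
+Mode of the secret file.
+'';
+type = str;
+default = "0400";
+};
+
+owner = mkOption {
+description = ''
+Linux user owning the secret file.
+'';
+type = str;
+default = "root";
+};
+
+group = mkOption {
+description = ''
+Linux group owning the secret file.
+'';
+type = str;
+default = "root";
+};
+
+restartUnits = mkOption {
+description = ''
+Systemd units to restart after the secret is updated.
+'';
+type = listOf str;
+default = [];
+};
+
+path = mkOption {
+type = path;
+description = ''
+Path to the file containing the secret generated out of band.
+This path will exist after deploying to a target host,
+it is not available through the nix store.
+'';
+default = "/run/hardcodedsecrets/hardcodedsecret_${name}";
+};
+
+content = mkOption {
+type = str;
+description = ''
+Content of the secret.
+This will be stored in the nix store and should only be used for testing or maybe in dev.
+'';
+};
+};
+}));
+};
+
+config = {
+system.activationScripts = mapAttrs' (n: cfg':
+let
+content' = writeText "hardcodedsecret_${n}_content" cfg'.content;
+in
+nameValuePair "hardcodedsecret_${n}" ''
+mkdir -p "$(dirname "${cfg'.path}")"
+touch "${cfg'.path}"
+chmod ${cfg'.mode} "${cfg'.path}"
+chown ${cfg'.owner}:${cfg'.group} "${cfg'.path}"
+cp ${content'} "${cfg'.path}"
+''
+) cfg;
+};
+}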
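Review bot: `restartUnits` is declared as an option but the `config` block never reads it, so changing a secret's content will not restart the listed units; either wire it up, e.g. by mapping `cfg'.restartUnits` to `systemd.services.<unit>.restartTriggers = [ content' ];` alongside the activation script, or drop the option until it is consumed (the `opt` binding in the `let` is likewise unused). In the activation script, `${cfg'.mode}` and `${cfg'.owner}:${cfg'.group}` are interpolated unquoted; wrapping each with `lib.escapeShellArg` keeps a stray space or shell metacharacter in a module value from altering the `chmod`/`chown` command. The `path` description states the secret "is not available through the nix store", yet `content'` is produced by `writeText`, so the plaintext does live in the world-readable store; the `content` description already admits this, and the `path` text should not contradict it — something like `The file is created at activation time; the content itself is still kept in the nix store.` The touch → chmod → chown → cp ordering is sound, since `cp` into the already-restricted existing file does not change its mode.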