update remaining services to secret contract

ibizaman · Nov 21, 2024 · c41c7a5 · c41c7a5
1 parent dfbb85d
commit c41c7a5
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 19 deletions.
diff --git a/modules/services/audiobookshelf.nix b/modules/services/audiobookshelf.nix
@@ -77,9 +77,14 @@ in
       default = "audiobookshelf_user";
     };
 
-    ssoSecretFile = lib.mkOption {
-      type = lib.types.path;
-      description = "File containing the SSO shared secret.";
+    ssoSecret = lib.mkOption {
+      description = "SSO shared secret.";
+      type = lib.types.submodule {
+        options = contracts.secret.mkRequester {
+          owner = "audiobookshelf";
+          restartUnits = [ "audiobookshelfd.service" ];
+        };
+      };
     };
 
     backup = lib.mkOption {
@@ -155,7 +160,7 @@ in
       {
         client_id = cfg.oidcClientID;
         client_name = "Audiobookshelf";
-        client_secret.source = cfg.ssoSecretFile;
+        client_secret.source = cfg.ssoSecret.result.path;
         public = false;
         authorization_policy = "one_factor";
         redirect_uris = [ 

diff --git a/modules/services/deluge.nix b/modules/services/deluge.nix
@@ -183,14 +183,24 @@ in
       });
     };
 
-    localclientPasswordFile = lib.mkOption {
-      description = "File containing password for mandatory localclient user.";
-      type = lib.types.path;
+    localclientPassword = lib.mkOption {
+      description = "Password for mandatory localclient user.";
+      type = lib.types.submodule {
+        options = contracts.secret.mkRequester {
+          owner = "deluge";
+          restartUnits = [ "deluged.service" ];
+        };
+      };
     };
 
-    prometheusScraperPasswordFile = lib.mkOption {
-      description = "File containing password for prometheus scraper. Setting this option will activate the prometheus deluge exporter.";
-      type = lib.types.nullOr lib.types.path;
+    prometheusScraperPassword = lib.mkOption {
+      description = "Password for prometheus scraper. Setting this option will activate the prometheus deluge exporter.";
+      type = lib.types.nullOr (lib.types.submodule {
+        options = contracts.secret.mkRequester {
+          owner = "deluge";
+          restartUnits = [ "deluged.service" "prometheus.service" ];
+        };
+      });
       default = null;
     };
 
@@ -327,9 +337,9 @@ in
 
     systemd.services.deluged.preStart = lib.mkBefore (shblib.replaceSecrets {
       userConfig = cfg.extraUsers // {
-        localclient.password.source = config.shb.deluge.localclientPasswordFile;
-      } // (lib.optionalAttrs (config.shb.deluge.prometheusScraperPasswordFile != null) {
-        prometheus_scraper.password.source = config.shb.deluge.prometheusScraperPasswordFile;
+        localclient.password.source = config.shb.deluge.localclientPassword.result.path;
+      } // (lib.optionalAttrs (config.shb.deluge.prometheusScraperPassword != null) {
+        prometheus_scraper.password.source = config.shb.deluge.prometheusScraperPassword.result.path;
       });
       resultPath = "${cfg.dataDir}/.config/deluge/authTemplate";
       generator = name: value: pkgs.writeText "delugeAuth" (authGenerator value);
@@ -377,14 +387,14 @@ in
     ];
   } {
     systemd.services.deluged.serviceConfig = cfg.extraServiceConfig;
-  } (lib.mkIf (config.shb.deluge.prometheusScraperPasswordFile != null) {
+  } (lib.mkIf (config.shb.deluge.prometheusScraperPassword != null) {
     services.prometheus.exporters.deluge = {
       enable = true;
 
       delugeHost = "127.0.0.1";
       delugePort = config.services.deluge.config.daemon_port;
       delugeUser = "prometheus_scraper";
-      delugePasswordFile = config.shb.deluge.prometheusScraperPasswordFile;
+      delugePasswordFile = config.shb.deluge.prometheusScraperPassword.result.path;
       exportPerTorrentMetrics = true;
     };
 

diff --git a/modules/services/home-assistant.nix b/modules/services/home-assistant.nix
@@ -92,6 +92,9 @@ in
 
         Enabling this app will create a new LDAP configuration or update one that exists with
         the given host.
+
+        Also, enabling LDAP will skip onboarding
+        otherwise Home Assistant gets into a cyclic lock.
       '';
       default = {};
       type = lib.types.submodule {

diff --git a/test/services/audiobookshelf.nix b/test/services/audiobookshelf.nix
@@ -43,7 +43,12 @@ let
   sso = { config, ... }: {
     shb.audiobookshelf = {
       authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
-      ssoSecretFile = pkgs.writeText "ssoSecretFile" "ssoSecretFile";
+      ssoSecret.result = config.shb.hardcodedsecret.ssoSecret.result;
+    };
+
+    shb.hardcodedsecret.ssoSecret = {
+      request = config.shb.audiobookshelf.ssoSecret.request;
+      settings.content = "ssoSecret";
     };
   };
 in

diff --git a/test/services/deluge.nix b/test/services/deluge.nix
@@ -74,6 +74,7 @@ let
     '';
 
   base = testLib.base pkgs' [
+    ../../modules/blocks/hardcodedsecret.nix
     ../../modules/services/deluge.nix
   ];
 
@@ -90,13 +91,21 @@ let
         user.password.source = pkgs.writeText "userpw" "userpw";
       };
 
-      localclientPasswordFile = pkgs.writeText "localclientpw" "localclientpw";
+      localclientPassword.result = config.shb.hardcodedsecret."localclientpassword".result;
+    };
+    shb.hardcodedsecret."localclientpassword" = {
+      request = config.shb.deluge.localclientPassword.request;
+      settings.content = "localpw";
     };
   };
 
-  prometheus = {
+  prometheus = { config, ... }: {
     shb.deluge = {
-      prometheusScraperPasswordFile = pkgs.writeText "prompw" "prompw";
+      prometheusScraperPassword.result = config.shb.hardcodedsecret."scraper".result;
+    };
+    shb.hardcodedsecret."scraper" = {
+      request = config.shb.deluge.prometheusScraperPassword.request;
+      settings.content = "scraperpw";
     };
   };