From c41c7a5d63cbc10f464d7fd6b3e0d3f57199cbb0 Mon Sep 17 00:00:00 2001
From: ibizaman
Date: Thu, 21 Nov 2024 22:31:42 +0100
Subject: [PATCH] update remaining services to secret contract

---
 modules/services/audiobookshelf.nix | 13 ++++++++----
 modules/services/deluge.nix | 32 +++++++++++++++++++----------
 modules/services/home-assistant.nix | 3 +++
 test/services/audiobookshelf.nix | 7 ++++++-
 test/services/deluge.nix | 15 +++++++++++---
 5 files changed, 51 insertions(+), 19 deletions(-)

diff --git a/modules/services/audiobookshelf.nix b/modules/services/audiobookshelf.nix
index 46428bcc..29ee5dd0 100644
--- a/modules/services/audiobookshelf.nix
+++ b/modules/services/audiobookshelf.nix
@@ -77,9 +77,14 @@ in
 default = "audiobookshelf_user";
 };
 
- ssoSecretFile = lib.mkOption {
- type = lib.types.path;
- description = "File containing the SSO shared secret.";
+ ssoSecret = lib.mkOption {
+ description = "SSO shared secret.";
+ type = lib.types.submodule {
+ options = contracts.secret.mkRequester {
+ owner = "audiobookshelf";
+ restartUnits = [ "audiobookshelfd.service" ];
+ };
+ };
 };
 
 backup = lib.mkOption {
@@ -155,7 +160,7 @@ in
 {
 client_id = cfg.oidcClientID;
 client_name = "Audiobookshelf";
- client_secret.source = cfg.ssoSecretFile;
+ client_secret.source = cfg.ssoSecret.result.path;
 public = false;
 authorization_policy = "one_factor";
 redirect_uris = [
diff --git a/modules/services/deluge.nix b/modules/services/deluge.nix
index e3fa12d2..cf69d514 100644
--- a/modules/services/deluge.nix
+++ b/modules/services/deluge.nix
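Review bot: The new ssoSecret request declares `owner = "audiobookshelf"` and only `restartUnits = [ "audiobookshelfd.service" ]`, yet the only consumer this patch shows is the Authelia OIDC client entry in the second hunk of this file (`client_secret.source = cfg.ssoSecret.result.path`). If that path is read while Authelia's configuration is rendered, the file must be readable by Authelia's user and it is the Authelia unit that needs restarting when the secret rotates, so the owner/restartUnits pair looks incomplete; please confirm against how replaceSecrets consumes client_secret.source. I also could not verify from the patch that the service unit is named audiobookshelfd.service rather than audiobookshelf.service. Documenting the consumer in the option, e.g. `description = "SSO shared secret; also consumed by the Authelia OIDC client for this service.";`, would make the ownership choice reviewable. The options attrset enclosing this declaration starts outside the hunk.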
@@ -183,14 +183,24 @@ in
 });
 };
 
- localclientPasswordFile = lib.mkOption {
- description = "File containing password for mandatory localclient user.";
- type = lib.types.path;
+ localclientPassword = lib.mkOption {
+ description = "Password for mandatory localclient user.";
+ type = lib.types.submodule {
+ options = contracts.secret.mkRequester {
+ owner = "deluge";
+ restartUnits = [ "deluged.service" ];
+ };
+ };
 };
 
- prometheusScraperPasswordFile = lib.mkOption {
- description = "File containing password for prometheus scraper. Setting this option will activate the prometheus deluge exporter.";
- type = lib.types.nullOr lib.types.path;
+ prometheusScraperPassword = lib.mkOption {
+ description = "Password for prometheus scraper. Setting this option will activate the prometheus deluge exporter.";
+ type = lib.types.nullOr (lib.types.submodule {
+ options = contracts.secret.mkRequester {
+ owner = "deluge";
+ restartUnits = [ "deluged.service" "prometheus.service" ];
+ };
+ });
 default = null;
 };
 
@@ -327,9 +337,9 @@ in
 
 systemd.services.deluged.preStart = lib.mkBefore (shblib.replaceSecrets {
 userConfig = cfg.extraUsers // {
- localclient.password.source = config.shb.deluge.localclientPasswordFile;
- } // (lib.optionalAttrs (config.shb.deluge.prometheusScraperPasswordFile != null) {
- prometheus_scraper.password.source = config.shb.deluge.prometheusScraperPasswordFile;
+ localclient.password.source = config.shb.deluge.localclientPassword.result.path;
+ } // (lib.optionalAttrs (config.shb.deluge.prometheusScraperPassword != null) {
+ prometheus_scraper.password.source = config.shb.deluge.prometheusScraperPassword.result.path;
 });
 resultPath = "${cfg.dataDir}/.config/deluge/authTemplate";
 generator = name: value: pkgs.writeText "delugeAuth" (authGenerator value);
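Review bot: prometheusScraperPassword is requested with `owner = "deluge"` and `restartUnits = [ "deluged.service" "prometheus.service" ]`, but the third hunk of this file hands the same path to `services.prometheus.exporters.deluge.delugePasswordFile`, and the NixOS exporter reads that file from its own unit (prometheus-deluge-exporter.service, if I recall the naming) under its own user rather than from prometheus.service. With the file owned by deluge the exporter may be unable to read it, and rotating the secret would restart a unit that does not use it. Either point restartUnits at the exporter unit and make the file readable by the exporter's user, or state in the description that the exporter's user must be granted read access to the file. The options attrset enclosing these declarations starts outside the hunk.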
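Review bot: The rewritten preStart lines mix `cfg.extraUsers`/`cfg.dataDir` with `config.shb.deluge.localclientPassword` in the same expression, which is harder to read than it needs to be given that cfg is already in scope. I would write `localclient.password.source = cfg.localclientPassword.result.path;`, `} // (lib.optionalAttrs (cfg.prometheusScraperPassword != null) {` and `prometheus_scraper.password.source = cfg.prometheusScraperPassword.result.path;`, assuming cfg is the usual alias for config.shb.deluge (its definition is outside the hunk). The same mix appears in the following hunk's mkIf condition and delugePasswordFile line.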
@@ -377,14 +387,14 @@ in
 ];
 }
 {
 systemd.services.deluged.serviceConfig = cfg.extraServiceConfig;
- } (lib.mkIf (config.shb.deluge.prometheusScraperPasswordFile != null) {
+ } (lib.mkIf (config.shb.deluge.prometheusScraperPassword != null) {
 services.prometheus.exporters.deluge = {
 enable = true;
 delugeHost = "127.0.0.1";
 delugePort = config.services.deluge.config.daemon_port;
 delugeUser = "prometheus_scraper";
- delugePasswordFile = config.shb.deluge.prometheusScraperPasswordFile;
+ delugePasswordFile = config.shb.deluge.prometheusScraperPassword.result.path;
 exportPerTorrentMetrics = true;
 };
 
diff --git a/modules/services/home-assistant.nix b/modules/services/home-assistant.nix
index 979a845e..43214a49 100644
--- a/modules/services/home-assistant.nix
+++ b/modules/services/home-assistant.nix
@@ -92,6 +92,9 @@ in
 Enabling this app will create a new LDAP configuration or update one that exists with the given host.
+
+ Also, enabling LDAP will skip onboarding
+ otherwise Home Assistant gets into a cyclic lock.
 '';
 default = {};
 type = lib.types.submodule {
diff --git a/test/services/audiobookshelf.nix b/test/services/audiobookshelf.nix
index 65755b0d..a8572086 100644
--- a/test/services/audiobookshelf.nix
+++ b/test/services/audiobookshelf.nix
@@ -43,7 +43,12 @@ let
 sso = { config, ... }: {
 shb.audiobookshelf = {
 authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
- ssoSecretFile = pkgs.writeText "ssoSecretFile" "ssoSecretFile";
+ ssoSecret.result = config.shb.hardcodedsecret.ssoSecret.result;
+ };
+
+ shb.hardcodedsecret.ssoSecret = {
+ request = config.shb.audiobookshelf.ssoSecret.request;
+ settings.content = "ssoSecret";
 };
 };
 in
diff --git a/test/services/deluge.nix b/test/services/deluge.nix
index 2496e7b5..a82ba7ad 100644
--- a/test/services/deluge.nix
+++ b/test/services/deluge.nix
@@ -74,6 +74,7 @@ let
 '';
 
 base = testLib.base pkgs' [
+ ../../modules/blocks/hardcodedsecret.nix
 ../../modules/services/deluge.nix
 ];
 
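Review bot: The audiobookshelf test now references `config.shb.hardcodedsecret.ssoSecret`, but this patch does not add `../../modules/blocks/hardcodedsecret.nix` to that test's module list the way the deluge test hunk in this same patch does; the base list for test/services/audiobookshelf.nix is outside the hunk, so if the block is not already imported there the evaluation will fail on an undefined option. Please confirm the import exists or add it alongside the other module paths.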
@@ -90,13 +91,21 @@ let
 user.password.source = pkgs.writeText "userpw" "userpw";
 };
- localclientPasswordFile = pkgs.writeText "localclientpw" "localclientpw";
+ localclientPassword.result = config.shb.hardcodedsecret."localclientpassword".result;
+ };
+ shb.hardcodedsecret."localclientpassword" = {
+ request = config.shb.deluge.localclientPassword.request;
+ settings.content = "localpw";
 };
 };
 
- prometheus = {
+ prometheus = { config, ... }: {
 shb.deluge = {
- prometheusScraperPasswordFile = pkgs.writeText "prompw" "prompw";
+ prometheusScraperPassword.result = config.shb.hardcodedsecret."scraper".result;
+ };
+ shb.hardcodedsecret."scraper" = {
+ request = config.shb.deluge.prometheusScraperPassword.request;
+ settings.content = "scraperpw";
 };
 };
 
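Review bot: The added line `localclientPassword.result = config.shb.hardcodedsecret."localclientpassword".result;` needs `config` in scope, but the header of the enclosing module (the one whose extraUsers block the hunk starts in) is outside the hunk; the `prometheus` module had to gain `{ config, ... }:` in this same hunk, so please confirm the first module already takes that argument or the test will fail to evaluate. The hard-coded content also changes from "localclientpw" to "localpw"; if any test script asserts on the old value that assertion is not updated here, though none is visible in the patch.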