From eec5e02770c83bd3d2ed31522cdf8d6f08e5f7b1 Mon Sep 17 00:00:00 2001
From: Kaare Hoff Skovgaard
Date: Mon, 4 Aug 2025 22:02:47 +0200
Subject: [PATCH] Move configuration of secret source outside of provisioning setup itself
---
 .../infrastructure/provisioning/default.nix | 16 ++++++++--------
 nix/packages/post-provisioning/default.nix | 2 +-
 nix/packages/pre-provisioning/default.nix | 2 +-
 .../security.kaareskovgaard.net/default.nix | 3 +--
 4 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/nix/modules/nixos/infrastructure/provisioning/default.nix b/nix/modules/nixos/infrastructure/provisioning/default.nix
index e48846f..9d48555 100644
--- a/nix/modules/nixos/infrastructure/provisioning/default.nix
+++ b/nix/modules/nixos/infrastructure/provisioning/default.nix
@@ -13,14 +13,6 @@ let
 description = "Modules used to bring up the needed resources";
 default = [ ];
 };
- secretsSource = lib.mkOption {
- type = lib.types.enum [
- "vault"
- "bitwarden"
- ];
- description = "Where to get the secrets for the provisioning from";
- default = "vault";
- };
 };
 usesEndpoint =
 search: endpoint: config:
@@ -82,6 +74,14 @@ in
 options.khscodes.infrastructure.provisioning = {
 pre = provisioning;
 post = provisioning;
+ secretsSource = lib.mkOption {
+ type = lib.types.enum [
+ "vault"
+ "bitwarden"
+ ];
+ description = "Where to get the secrets for the provisioning from";
+ default = "vault";
+ };
 instanceUserData = lib.mkOption {
 type = (pkgs.formats.json { }).type;
 description = "User data that should be added to the instance during provisioning";
diff --git a/nix/packages/post-provisioning/default.nix b/nix/packages/post-provisioning/default.nix
index f850d87..1a647f7 100644
--- a/nix/packages/post-provisioning/default.nix
+++ b/nix/packages/post-provisioning/default.nix
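Review bot: The relocated option in the second hunk now governs both the pre and post stages, but its description on the new side is unchanged from the per-stage version and still reads as if it were stage-local; `description = "Where to get the secrets for both the pre- and post-provisioning stages from";` would state the new scope, and a sentence on `default = "vault"` noting that the host which itself serves vault must override it (as the security host does in the last file) would save the next reader a bootstrap surprise. The first hunk deletes the old `pre.secretsSource`/`post.secretsSource` paths outright, so any host or module outside this diff that still sets them will fail evaluation with a generic undefined-option error rather than a migration hint; importing `(lib.mkRenamedOptionModule [ "khscodes" "infrastructure" "provisioning" "pre" "secretsSource" ] [ "khscodes" "infrastructure" "provisioning" "secretsSource" ])` plus its `post` twin would forward old definitions with a warning instead. The enclosing `let` and `options` blocks start and end outside both hunks.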
@@ -16,7 +16,7 @@ pkgs.writeShellApplication {
 cmd="''${2:-apply}"
 baseAttr='${inputs.self}#nixosConfigurations."'"$hostname"'".config.khscodes.infrastructure.provisioning'
 config="$(nix build --no-link --print-out-paths "''${baseAttr}.postConfig")"
- secretsSource="$(nix eval --raw "''${baseAttr}.post.secretsSource")"
+ secretsSource="$(nix eval --raw "''${baseAttr}.secretsSource")"
 endpoints="$(nix eval --show-trace --json "''${baseAttr}.postEndpoints")"
 if [[ "$config" == "null" ]]; then
 echo "No postprovisioning needed"
diff --git a/nix/packages/pre-provisioning/default.nix b/nix/packages/pre-provisioning/default.nix
index f3eaf63..12ba485 100644
--- a/nix/packages/pre-provisioning/default.nix
+++ b/nix/packages/pre-provisioning/default.nix
@@ -17,7 +17,7 @@ pkgs.writeShellApplication {
 cmd="''${2:-apply}"
 baseAttr='${inputs.self}#nixosConfigurations."'"$hostname"'".config.khscodes.infrastructure.provisioning'
 config="$(nix build --no-link --print-out-paths "''${baseAttr}.preConfig")"
- secretsSource="$(nix eval --raw "''${baseAttr}.pre.secretsSource")"
+ secretsSource="$(nix eval --raw "''${baseAttr}.secretsSource")"
 endpoints="$(nix eval --show-trace --json "''${baseAttr}.preEndpoints")"
 if [[ "$config" == "null" ]]; then
 echo "No preprovisioning needed"
diff --git a/nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix b/nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix
index d77f0e3..0e5b7a8 100644
--- a/nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix
+++ b/nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix
@@ -27,8 +27,7 @@ in
 server_type = "cax11";
 };
 # Cannot use vault for secrets source, as this is the server containing vault.
- khscodes.infrastructure.provisioning.pre.secretsSource = "bitwarden";
- khscodes.infrastructure.provisioning.post.secretsSource = "bitwarden";
+ khscodes.infrastructure.provisioning.secretsSource = "bitwarden";
 khscodes.infrastructure.vault-server-approle.stage = "post";
 khscodes.networking.fqdn = "security.kaareskovgaard.net";
 khscodes.infrastructure.openbao.domain = "secrets.kaareskovgaard.net";