nix/machines
1
0
Fork 0
Code Issues Releases Packages Activity Actions

Move configuration of secret source outside of provisioning setup
Some checks failed
/ dev-shell (push) Successful in 46s
Details
/ terraform-providers (push) Successful in 51s
Details
/ check (push) Failing after 2m44s
Details
/ systems (push) Successful in 4m8s
Details
/ rust-packages (push) Successful in 52s
Details

Browse source 
itself
This commit is contained in:
Kaare Hoff Skovgaard 2025-08-04 22:02:47 +02:00
parent f0725c503f
commit eec5e02770
Signed by: khs
GPG key ID: C7D890804F01E9F0
4 changed files with 11 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

16
nix/modules/nixos/infrastructure/provisioning/default.nix
View file

@ -13,14 +13,6 @@ let
description = "Modules used to bring up the needed resources"; description = "Modules used to bring up the needed resources";
default = [ ]; default = [ ];
}; };
secretsSource = lib.mkOption {
type = lib.types.enum [
"vault"
"bitwarden"
];
description = "Where to get the secrets for the provisioning from";
default = "vault";
};
}; };
usesEndpoint = usesEndpoint =
search: endpoint: config: search: endpoint: config:
@ -82,6 +74,14 @@ in
options.khscodes.infrastructure.provisioning = { options.khscodes.infrastructure.provisioning = {
pre = provisioning; pre = provisioning;
post = provisioning; post = provisioning;
secretsSource = lib.mkOption {
type = lib.types.enum [
"vault"
"bitwarden"
];
description = "Where to get the secrets for the provisioning from";
default = "vault";
};
instanceUserData = lib.mkOption { instanceUserData = lib.mkOption {
type = (pkgs.formats.json { }).type; type = (pkgs.formats.json { }).type;
description = "User data that should be added to the instance during provisioning"; description = "User data that should be added to the instance during provisioning";

2
nix/packages/post-provisioning/default.nix
View file

@ -16,7 +16,7 @@ pkgs.writeShellApplication {
cmd="''${2:-apply}" cmd="''${2:-apply}"
baseAttr='${inputs.self}#nixosConfigurations."'"$hostname"'".config.khscodes.infrastructure.provisioning' baseAttr='${inputs.self}#nixosConfigurations."'"$hostname"'".config.khscodes.infrastructure.provisioning'
config="$(nix build --no-link --print-out-paths "''${baseAttr}.postConfig")" config="$(nix build --no-link --print-out-paths "''${baseAttr}.postConfig")"
secretsSource="$(nix eval --raw "''${baseAttr}.post.secretsSource")" secretsSource="$(nix eval --raw "''${baseAttr}.secretsSource")"
endpoints="$(nix eval --show-trace --json "''${baseAttr}.postEndpoints")" endpoints="$(nix eval --show-trace --json "''${baseAttr}.postEndpoints")"
if [[ "$config" == "null" ]]; then if [[ "$config" == "null" ]]; then
echo "No postprovisioning needed" echo "No postprovisioning needed"

2
nix/packages/pre-provisioning/default.nix
View file

@ -17,7 +17,7 @@ pkgs.writeShellApplication {
cmd="''${2:-apply}" cmd="''${2:-apply}"
baseAttr='${inputs.self}#nixosConfigurations."'"$hostname"'".config.khscodes.infrastructure.provisioning' baseAttr='${inputs.self}#nixosConfigurations."'"$hostname"'".config.khscodes.infrastructure.provisioning'
config="$(nix build --no-link --print-out-paths "''${baseAttr}.preConfig")" config="$(nix build --no-link --print-out-paths "''${baseAttr}.preConfig")"
secretsSource="$(nix eval --raw "''${baseAttr}.pre.secretsSource")" secretsSource="$(nix eval --raw "''${baseAttr}.secretsSource")"
endpoints="$(nix eval --show-trace --json "''${baseAttr}.preEndpoints")" endpoints="$(nix eval --show-trace --json "''${baseAttr}.preEndpoints")"
if [[ "$config" == "null" ]]; then if [[ "$config" == "null" ]]; then
echo "No preprovisioning needed" echo "No preprovisioning needed"

3
nix/systems/aarch64-linux/security.kaareskovgaard.net/default.nix
View file

@ -27,8 +27,7 @@ in
server_type = "cax11"; server_type = "cax11";
}; };
# Cannot use vault for secrets source, as this is the server containing vault. # Cannot use vault for secrets source, as this is the server containing vault.
khscodes.infrastructure.provisioning.pre.secretsSource = "bitwarden"; khscodes.infrastructure.provisioning.secretsSource = "bitwarden";
khscodes.infrastructure.provisioning.post.secretsSource = "bitwarden";
khscodes.infrastructure.vault-server-approle.stage = "post"; khscodes.infrastructure.vault-server-approle.stage = "post";
khscodes.networking.fqdn = "security.kaareskovgaard.net"; khscodes.networking.fqdn = "security.kaareskovgaard.net";
khscodes.infrastructure.openbao.domain = "secrets.kaareskovgaard.net"; khscodes.infrastructure.openbao.domain = "secrets.kaareskovgaard.net";