Update remaining services to secret contract (#358)
This commit is contained in:
parent
dfbb85dadb
commit
9ecbbde35a
5 changed files with 51 additions and 19 deletions
|
|
@ -77,9 +77,14 @@ in
|
|||
default = "audiobookshelf_user";
|
||||
};
|
||||
|
||||
ssoSecretFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "File containing the SSO shared secret.";
|
||||
ssoSecret = lib.mkOption {
|
||||
description = "SSO shared secret.";
|
||||
type = lib.types.submodule {
|
||||
options = contracts.secret.mkRequester {
|
||||
owner = "audiobookshelf";
|
||||
restartUnits = [ "audiobookshelfd.service" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
backup = lib.mkOption {
|
||||
|
|
@ -155,7 +160,7 @@ in
|
|||
{
|
||||
client_id = cfg.oidcClientID;
|
||||
client_name = "Audiobookshelf";
|
||||
client_secret.source = cfg.ssoSecretFile;
|
||||
client_secret.source = cfg.ssoSecret.result.path;
|
||||
public = false;
|
||||
authorization_policy = "one_factor";
|
||||
redirect_uris = [
|
||||
|
|
|
|||
|
|
@ -183,14 +183,24 @@ in
|
|||
});
|
||||
};
|
||||
|
||||
localclientPasswordFile = lib.mkOption {
|
||||
description = "File containing password for mandatory localclient user.";
|
||||
type = lib.types.path;
|
||||
localclientPassword = lib.mkOption {
|
||||
description = "Password for mandatory localclient user.";
|
||||
type = lib.types.submodule {
|
||||
options = contracts.secret.mkRequester {
|
||||
owner = "deluge";
|
||||
restartUnits = [ "deluged.service" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
prometheusScraperPasswordFile = lib.mkOption {
|
||||
description = "File containing password for prometheus scraper. Setting this option will activate the prometheus deluge exporter.";
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
prometheusScraperPassword = lib.mkOption {
|
||||
description = "Password for prometheus scraper. Setting this option will activate the prometheus deluge exporter.";
|
||||
type = lib.types.nullOr (lib.types.submodule {
|
||||
options = contracts.secret.mkRequester {
|
||||
owner = "deluge";
|
||||
restartUnits = [ "deluged.service" "prometheus.service" ];
|
||||
};
|
||||
});
|
||||
default = null;
|
||||
};
|
||||
|
||||
|
|
@ -327,9 +337,9 @@ in
|
|||
|
||||
systemd.services.deluged.preStart = lib.mkBefore (shblib.replaceSecrets {
|
||||
userConfig = cfg.extraUsers // {
|
||||
localclient.password.source = config.shb.deluge.localclientPasswordFile;
|
||||
} // (lib.optionalAttrs (config.shb.deluge.prometheusScraperPasswordFile != null) {
|
||||
prometheus_scraper.password.source = config.shb.deluge.prometheusScraperPasswordFile;
|
||||
localclient.password.source = config.shb.deluge.localclientPassword.result.path;
|
||||
} // (lib.optionalAttrs (config.shb.deluge.prometheusScraperPassword != null) {
|
||||
prometheus_scraper.password.source = config.shb.deluge.prometheusScraperPassword.result.path;
|
||||
});
|
||||
resultPath = "${cfg.dataDir}/.config/deluge/authTemplate";
|
||||
generator = name: value: pkgs.writeText "delugeAuth" (authGenerator value);
|
||||
|
|
@ -377,14 +387,14 @@ in
|
|||
];
|
||||
} {
|
||||
systemd.services.deluged.serviceConfig = cfg.extraServiceConfig;
|
||||
} (lib.mkIf (config.shb.deluge.prometheusScraperPasswordFile != null) {
|
||||
} (lib.mkIf (config.shb.deluge.prometheusScraperPassword != null) {
|
||||
services.prometheus.exporters.deluge = {
|
||||
enable = true;
|
||||
|
||||
delugeHost = "127.0.0.1";
|
||||
delugePort = config.services.deluge.config.daemon_port;
|
||||
delugeUser = "prometheus_scraper";
|
||||
delugePasswordFile = config.shb.deluge.prometheusScraperPasswordFile;
|
||||
delugePasswordFile = config.shb.deluge.prometheusScraperPassword.result.path;
|
||||
exportPerTorrentMetrics = true;
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -92,6 +92,9 @@ in
|
|||
|
||||
Enabling this app will create a new LDAP configuration or update one that exists with
|
||||
the given host.
|
||||
|
||||
Also, enabling LDAP will skip onboarding
|
||||
otherwise Home Assistant gets into a cyclic lock.
|
||||
'';
|
||||
default = {};
|
||||
type = lib.types.submodule {
|
||||
|
|
|
|||
|
|
@ -43,7 +43,12 @@ let
|
|||
sso = { config, ... }: {
|
||||
shb.audiobookshelf = {
|
||||
authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
||||
ssoSecretFile = pkgs.writeText "ssoSecretFile" "ssoSecretFile";
|
||||
ssoSecret.result = config.shb.hardcodedsecret.ssoSecret.result;
|
||||
};
|
||||
|
||||
shb.hardcodedsecret.ssoSecret = {
|
||||
request = config.shb.audiobookshelf.ssoSecret.request;
|
||||
settings.content = "ssoSecret";
|
||||
};
|
||||
};
|
||||
in
|
||||
|
|
|
|||
|
|
@ -74,6 +74,7 @@ let
|
|||
'';
|
||||
|
||||
base = testLib.base pkgs' [
|
||||
../../modules/blocks/hardcodedsecret.nix
|
||||
../../modules/services/deluge.nix
|
||||
];
|
||||
|
||||
|
|
@ -90,13 +91,21 @@ let
|
|||
user.password.source = pkgs.writeText "userpw" "userpw";
|
||||
};
|
||||
|
||||
localclientPasswordFile = pkgs.writeText "localclientpw" "localclientpw";
|
||||
localclientPassword.result = config.shb.hardcodedsecret."localclientpassword".result;
|
||||
};
|
||||
shb.hardcodedsecret."localclientpassword" = {
|
||||
request = config.shb.deluge.localclientPassword.request;
|
||||
settings.content = "localpw";
|
||||
};
|
||||
};
|
||||
|
||||
prometheus = {
|
||||
prometheus = { config, ... }: {
|
||||
shb.deluge = {
|
||||
prometheusScraperPasswordFile = pkgs.writeText "prompw" "prompw";
|
||||
prometheusScraperPassword.result = config.shb.hardcodedsecret."scraper".result;
|
||||
};
|
||||
shb.hardcodedsecret."scraper" = {
|
||||
request = config.shb.deluge.prometheusScraperPassword.request;
|
||||
settings.content = "scraperpw";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue