diff --git a/CHANGELOG.md b/CHANGELOG.md index 4415a0f..826d3f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,6 +27,7 @@ Template: - Allow to upload big files in Immich. - Only enable php-fpm Prometheus exporter if Nextcloud is enabled. +- Fix pkgs overrides not being passed to users of SelfHostBlocks. ## Other Changes diff --git a/demo/homeassistant/flake.nix b/demo/homeassistant/flake.nix index 5e67887..6e9cf4b 100644 --- a/demo/homeassistant/flake.nix +++ b/demo/homeassistant/flake.nix @@ -15,11 +15,13 @@ let system = "x86_64-linux"; nixpkgs' = selfhostblocks.lib.${system}.patchedNixpkgs; - inherit (selfhostblocks.lib.${system}) pkgs; basic = { config, ... }: { + nixpkgs.overlays = [ + selfhostblocks.overlays.${system}.default + ]; imports = [ ./configuration.nix selfhostblocks.nixosModules.authelia @@ -105,7 +107,7 @@ in { nixosConfigurations = { - basic = pkgs.nixosSystem { + basic = nixpkgs'.nixosSystem { system = "x86_64-linux"; modules = [ basic @@ -113,7 +115,7 @@ ]; }; - ldap = pkgs.nixosSystem { + ldap = nixpkgs'.nixosSystem { system = "x86_64-linux"; modules = [ basic diff --git a/demo/minimal/flake.nix b/demo/minimal/flake.nix index 1921b2f..5bc7371 100644 --- a/demo/minimal/flake.nix +++ b/demo/minimal/flake.nix @@ -19,7 +19,7 @@ nixosConfigurations = let system = "x86_64-linux"; - shb = selfhostblocks.lib.${system}; + nixpkgs' = selfhostblocks.lib.${system}.patchedNixpkgs; # This module makes the assertions happy and the build succeed. # This is of course wrong and will not work on any real system. @@ -31,19 +31,29 @@ { # Test with: # nix build .#nixosConfigurations.minimal.config.system.build.toplevel - minimal = shb.pkgs.nixosSystem { + minimal = nixpkgs'.nixosSystem { inherit system; modules = [ selfhostblocks.nixosModules.default filesystemModule + { + nixpkgs.overlays = [ + selfhostblocks.overlays.${system}.default + ]; + } # This modules showcases the use of SHB's lib. ( - { config, lib, ... }: + { + config, + lib, + shb, + ... + }: { options.myOption = lib.mkOption { - # Using provided nixosSystem directly - # SHB's lib is available under `lib.shb`. - type = lib.shb.secretFileType; + # Using provided nixosSystem directly. + # SHB's lib is available under `shb` thanks to the overlay. + type = shb.secretFileType; }; config = { myOption.source = "/a/path"; @@ -58,21 +68,31 @@ # Test with: # nix build .#nixosConfigurations.sops.config.system.build.toplevel # nix eval .#nixosConfigurations.sops.config.myOption - sops = shb.pkgs.nixosSystem { + sops = nixpkgs'.nixosSystem { inherit system; modules = [ selfhostblocks.nixosModules.default selfhostblocks.nixosModules.sops sops-nix.nixosModules.default filesystemModule + { + nixpkgs.overlays = [ + selfhostblocks.overlays.${system}.default + ]; + } # This modules showcases the use of SHB's lib. ( - { config, lib, ... }: + { + config, + lib, + shb, + ... + }: { options.myOption = lib.mkOption { - # Using provided nixosSystem directly - # SHB's lib is available under `lib.shb`. - type = lib.shb.secretFileType; + # Using provided nixosSystem directly. + # SHB's lib is available under `shb` thanks to the overlay. + type = shb.secretFileType; }; config = { myOption.source = "/a/path"; @@ -84,8 +104,7 @@ ]; }; - # Note: this is just to show-off a common pitfall for more advanced user. - # Prefer using the `shb.pkgs.nixosSystem` function directly. + # This example shows how to import the nixosSystem patches to nixpkgs manually. # # Test with: # nix build .#nixosConfigurations.lowlevel.config.system.build.toplevel @@ -94,21 +113,83 @@ let # We must import nixosSystem directly from the patched nixpkgs # otherwise we do not get the patches. - nixosSystem' = import "${shb.patchedNixpkgs}/nixos/lib/eval-config.nix"; + nixosSystem' = import "${nixpkgs'}/nixos/lib/eval-config.nix"; in nixosSystem' { inherit system; modules = [ selfhostblocks.nixosModules.default filesystemModule + { + nixpkgs.overlays = [ + selfhostblocks.overlays.${system}.default + ]; + } # This modules showcases the use of SHB's lib. ( - { config, lib, ... }: + { + config, + lib, + shb, + ... + }: { options.myOption = lib.mkOption { - # lib.shb.secretFileType is not available here, - # so we must pass around the shb flake input. - # type = shb.secretFileType; + # Using provided nixosSystem directly. + # SHB's lib is available under `shb` thanks to the overlay. + type = shb.secretFileType; + }; + config = { + myOption.source = "/a/path"; + # Use the option. + environment.etc.myOption.text = config.myOption.source; + }; + } + ) + ]; + }; + + # This example shows how to apply patches to nixpkgs manually. + # + # Test with: + # nix build .#nixosConfigurations.manual.config.system.build.toplevel + # nix eval .#nixosConfigurations.manual.config.myOption + manual = + let + pkgs = import selfhostblocks.inputs.nixpkgs { + inherit system; + }; + nixpkgs' = pkgs.applyPatches { + name = "nixpkgs-patched"; + src = selfhostblocks.inputs.nixpkgs; + patches = selfhostblocks.lib.${system}.patches; + }; + # We must import nixosSystem directly from the patched nixpkgs + # otherwise we do not get the patches. + nixosSystem' = import "${nixpkgs'}/nixos/lib/eval-config.nix"; + in + nixosSystem' { + inherit system; + modules = [ + selfhostblocks.nixosModules.default + filesystemModule + { + nixpkgs.overlays = [ + selfhostblocks.overlays.${system}.default + ]; + } + # This modules showcases the use of SHB's lib. + ( + { + config, + lib, + shb, + ... + }: + { + options.myOption = lib.mkOption { + # Using provided nixosSystem directly. + # SHB's lib is available under `shb` thanks to the overlay. type = shb.secretFileType; }; config = { diff --git a/demo/nextcloud/flake.nix b/demo/nextcloud/flake.nix index f46ca01..ff5b24b 100644 --- a/demo/nextcloud/flake.nix +++ b/demo/nextcloud/flake.nix @@ -15,7 +15,6 @@ let system = "x86_64-linux"; nixpkgs' = selfhostblocks.lib.${system}.patchedNixpkgs; - inherit (selfhostblocks.lib.${system}) pkgs; basic = { config, ... }: @@ -178,14 +177,14 @@ in { nixosConfigurations = { - basic = pkgs.nixosSystem { + basic = nixpkgs'.nixosSystem { system = "x86_64-linux"; modules = [ sopsConfig basic ]; }; - ldap = pkgs.nixosSystem { + ldap = nixpkgs'.nixosSystem { system = "x86_64-linux"; modules = [ sopsConfig @@ -193,7 +192,7 @@ ldap ]; }; - sso = pkgs.nixosSystem { + sso = nixpkgs'.nixosSystem { system = "x86_64-linux"; modules = [ sopsConfig diff --git a/docs/contracts.md b/docs/contracts.md index 6a42a1a..dc7a2e9 100644 --- a/docs/contracts.md +++ b/docs/contracts.md @@ -445,7 +445,7 @@ A simplified test for a secret contract would look like the following. First, there is the generic test: ```nix -{ pkgs, lib, ... }: +{ pkgs, lib, shb, ... }: let inherit (lib) getAttrFromPath setAttrByPath; in @@ -455,7 +455,7 @@ in modules ? [], owner ? "root", content ? "secretPasswordA", - }: lib.shb.runNixOSTest { + }: shb.test.runNixOSTest { inherit name; nodes.machine = { config, ... }: { diff --git a/docs/redirects.json b/docs/redirects.json index 21bb1e4..e4e7c32 100644 --- a/docs/redirects.json +++ b/docs/redirects.json @@ -4385,9 +4385,6 @@ "usage-flake-tag": [ "usage.html#usage-flake-tag" ], - "usage-lib": [ - "usage.html#usage-lib" - ], "usage-secrets": [ "usage.html#usage-secrets" ] diff --git a/docs/service-implementation-guide.md b/docs/service-implementation-guide.md index c2d8025..2eac1c8 100644 --- a/docs/service-implementation-guide.md +++ b/docs/service-implementation-guide.md @@ -295,12 +295,12 @@ let in { # Test variants (all 6 required) - basic = lib.shb.runNixOSTest { ... }; - backup = lib.shb.runNixOSTest { ... }; - https = lib.shb.runNixOSTest { ... }; - ldap = lib.shb.runNixOSTest { ... }; - monitoring = lib.shb.runNixOSTest { ... }; - sso = lib.shb.runNixOSTest { ... }; + basic = lib.shb.test.runNixOSTest { ... }; + backup = lib.shb.test.runNixOSTest { ... }; + https = lib.shb.test.runNixOSTest { ... }; + ldap = lib.shb.test.runNixOSTest { ... }; + monitoring = lib.shb.test.runNixOSTest { ... }; + sso = lib.shb.test.runNixOSTest { ... }; } ``` diff --git a/docs/usage.md b/docs/usage.md index 0b5048e..2ebac3b 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -4,11 +4,6 @@ ## Flake {#usage-flake} -::: {.note} -A complete minimal and buildable example can be found at -[`./demo/minimal/flake.nix`](@REPO@/demo/minimal/flake.nix). -::: - Self Host Blocks is available as a flake. It also uses its own `pkgs.lib` and `nixpkgs` and it is required to use the provided ones as input for your deployments, otherwise you might end up blocked when Self Host Blocks patches a @@ -35,6 +30,13 @@ Host Blocks: } ``` +::: {.note} +For seasoned nixers or if you want to add your patches and overlays, +SHB provides a decomposed version of the `nixosSystem` function above. +For more examples, see the buildable examples at +[`./demo/minimal/flake.nix`](@REPO@/demo/minimal/flake.nix). +::: + If you use `sops-nix` for secrets, SHB provides an additional module, not imported in the `default` module. It can be added by importing @@ -43,32 +45,6 @@ inputs.sops-nix.nixosModules.default inputs.selfhostblocks.nixosModules.sops ``` -### SHB Lib {#usage-flake-lib} - -Providing patches to downstream users is finicky, to say the least. For example, -using `selfhostblocks.inputs.nixpkgs` directly will _not_ work. So Self Host -Blocks provides a few attributes under the `selfhostblocks.lib.${system}` flake -output: - -- At the top-level, all functions defined by SHB under - [`./lib/default.nix`](@REPO@/lib/default.nix) and - [`./test/common.nix`](@REPO@/test/common.nix). -- `patches`: the list of patches applied by SHB [`./patches`](@REPO@/patches) to - nixpkgs. -- `contracts`: all contract modules. -- `patchNixpkgs`: a re-export of `nixpkgs.legacyPackages.${system}.applyPatches` - with the arguments made a bit more explicit. -- `patchedNixpkgs`: nixpkgs with `patches` applied. -- `pkgs`: `nixpkgs.legacyPackages.${system}` with `patches` applied and also: - - `config.allowUnfree` set to `true` - - `lib.shb` holds functions defined by - [`./lib/default.nix`](@REPO@/lib/default.nix) - - `lib.evalModules` is patched to include patches provided by nixpkgs - - `nixosSystem` is patched to include patches provided by nixpkgs - -For normal usage, one should only need the provided `.nixosSystem`, `.pkgs` and -in some cases `.nixpkgs`. - ### Substituter {#usage-flake-substituter} You can also use the public cache as a substituter with: @@ -104,9 +80,11 @@ automatically merging the new `nixpkgs` version. The setup is explained in [repo]: https://github.com/ibizaman/selfhostblocks [automerge]: https://blog.tiserbox.com/posts/2023-12-25-automated-flake-lock-update-pull-requests-and-merging.html -### Use SelfHostBlocks' lib {#usage-lib} +### SHB Lib {#usage-flake-lib} -Access any functions exposed by the [lib][lib] with this snippet: +Providing patches to downstream users is finicky, to say the least. +For example, using `selfhostblocks.inputs.nixpkgs` directly will _not_ work. +So Self Host Blocks provides a few attributes under the `selfhostblocks.lib.${system}` flake output: ```nix { @@ -115,15 +93,32 @@ Access any functions exposed by the [lib][lib] with this snippet: }; outputs = { selfhostblocks, ... }: let - lib = selfhostblocks.lib.${system}; + shb = selfhostblocks.lib.${system}; in { - // Use lib.shb.replaceSecrets for example. + // Use shb.replaceSecrets for example. } } ``` -[lib]: https://github.com/ibizaman/selfhostblocks/blob/main/lib/default.nix +- At the top-level, all functions defined by SHB under + [`./lib/default.nix`](@REPO@/lib/default.nix) and + [`./test/common.nix`](@REPO@/test/common.nix). +- `patches`: the list of patches applied by SHB [`./patches`](@REPO@/patches) to + nixpkgs. +- `contracts`: all contract modules. +- `patchNixpkgs`: a re-export of `nixpkgs.legacyPackages.${system}.applyPatches` + with the arguments made a bit more explicit. +- `patchedNixpkgs`: nixpkgs with `patches` applied. +- `pkgs`: `nixpkgs.legacyPackages.${system}` with `patches` applied and also: + - `config.allowUnfree` set to `true` + - `lib.shb` holds functions defined by + [`./lib/default.nix`](@REPO@/lib/default.nix) + - `lib.evalModules` is patched to include patches provided by nixpkgs + - `nixosSystem` is patched to include patches provided by nixpkgs + +For normal usage, one should only need the provided `.nixosSystem`, `.pkgs` and +in some cases `.nixpkgs`. ## Example Deployment with Nixos-Rebuild {#usage-example-nixosrebuild} @@ -138,19 +133,13 @@ deployment system [nixos-rebuild][nixos-rebuild]. selfhostblocks.url = "github:ibizaman/selfhostblocks"; }; - outputs = { - self, - selfhostblocks, - }: let + outputs = { self, selfhostblocks }: let system = "x86_64-linux"; - lib = selfhostblocks.lib.${system}; - nixpkgs' = lib.shb.patchedNixpkgs; - - nixosSystem' = import "${nixpkgs'}/nixos/lib/eval-config.nix"; + pkgs' = selfhostblocks.lib.${system}.pkgs; in { nixosConfigurations = { - machine = nixosSystem' { + machine = pkgs'.nixosSystem { inherit system; modules = [ selfhostblocks.nixosModules.default diff --git a/flake.nix b/flake.nix index ac392b7..75ef4a1 100644 --- a/flake.nix +++ b/flake.nix @@ -46,46 +46,23 @@ src = nixpkgs; inherit patches; }; - patchedNixpkgs = ( - patchNixpkgs { - nixpkgs = inputs.nixpkgs; - patches = shbPatches; - inherit system; - } - ); + patchedNixpkgs = + let + patched = patchNixpkgs { + nixpkgs = inputs.nixpkgs; + patches = shbPatches; + inherit system; + }; + in + patched + // { + nixosSystem = args: import "${patched}/nixos/lib/eval-config.nix" args; + }; pkgs = import patchedNixpkgs { inherit system; config.allowUnfree = true; overlays = [ - (final: prev: { - lib = prev.lib // { - shb = self.lib.${system}; - evalModules = - args: - ((prev.lib.makeOverridable prev.lib.evalModules) args).override (prevAttrs: { - specialArgs = (prevAttrs.specialArgs or { }) // { - inherit (pkgs) lib; - }; - }); - }; - nixosSystem = - args: - ((prev.lib.makeOverridable (import "${patchedNixpkgs}/nixos/lib/eval-config.nix")) args).override - (prevAttrs: { - inherit (pkgs) lib; - }); - prometheus-systemd-exporter = prev.prometheus-systemd-exporter.overrideAttrs { - src = pkgs.fetchFromGitHub { - owner = "ibizaman"; - repo = prev.prometheus-systemd-exporter.pname; - # rev = "v${prev.prometheus-systemd-exporter.version}"; - rev = "next_timer"; - sha256 = "sha256-jzkh/616tsJbNxFtZ0xbdBQc16TMIYr9QOkPaeQw8xA="; - }; - - vendorHash = "sha256-4hsQ1417jLNOAqGkfCkzrmEtYR4YLLW2j0CiJtPg6GI="; - }; - }) + self.overlays.${system}.default ]; }; @@ -231,26 +208,47 @@ ''; }); - lib = - (pkgs.callPackage ./lib { }) - // (pkgs.callPackage ./test/common.nix { }) - // { - contracts = pkgs.callPackage ./modules/contracts { }; - patches = shbPatches; - inherit patchNixpkgs patchedNixpkgs pkgs; + lib = (pkgs.callPackage ./lib { }) // { + test = pkgs.callPackage ./test/common.nix { }; + contracts = pkgs.callPackage ./modules/contracts { + shb = self.lib.${system}; }; + patches = shbPatches; + inherit patchNixpkgs patchedNixpkgs; + }; + + overlays.default = final: prev: { + # shb = self.nixosModules.lib; + prometheus-systemd-exporter = prev.prometheus-systemd-exporter.overrideAttrs { + src = pkgs.fetchFromGitHub { + owner = "ibizaman"; + repo = prev.prometheus-systemd-exporter.pname; + # rev = "v${prev.prometheus-systemd-exporter.version}"; + rev = "next_timer"; + sha256 = "sha256-jzkh/616tsJbNxFtZ0xbdBQc16TMIYr9QOkPaeQw8xA="; + }; + + vendorHash = "sha256-4hsQ1417jLNOAqGkfCkzrmEtYR4YLLW2j0CiJtPg6GI="; + }; + }; checks = let inherit (pkgs.lib) foldl foldlAttrs - removeAttrs mergeAttrs optionalAttrs ; - importFiles = files: map (m: pkgs.callPackage m { }) files; + importFiles = + files: + map ( + m: + pkgs.callPackage m { + shb = self.lib.${system}; + } + ) files; mergeTests = foldl mergeAttrs { }; @@ -267,15 +265,19 @@ vm_test = name: path: flattenAttrs "vm_${name}" ( - removeAttrs (pkgs.callPackage path { }) [ - "override" - "overrideDerivation" - ] + removeAttrs + (pkgs.callPackage path { + shb = self.lib.${system}; + }) + [ + "override" + "overrideDerivation" + ] ); in (optionalAttrs (system == "x86_64-linux") ( { - modules = pkgs.lib.shb.check { + modules = self.lib.${system}.check { inherit pkgs; tests = mergeTests (importFiles [ ./test/modules/davfs.nix @@ -287,7 +289,9 @@ # TODO: Make this not use IFD lib = nix-flake-tests.lib.check { inherit pkgs; - tests = pkgs.callPackage ./test/modules/lib.nix { }; + tests = pkgs.callPackage ./test/modules/lib.nix { + shb = self.lib.${system}; + }; }; } // (vm_test "arr" ./test/services/arr.nix) @@ -416,6 +420,8 @@ ]; }; + nixosModules.lib = lib/module.nix; + nixosModules.authelia = modules/blocks/authelia.nix; nixosModules.borgbackup = modules/blocks/borgbackup.nix; nixosModules.davfs = modules/blocks/davfs.nix; diff --git a/lib/module.nix b/lib/module.nix new file mode 100644 index 0000000..3a27bbe --- /dev/null +++ b/lib/module.nix @@ -0,0 +1,10 @@ +{ pkgs, lib, ... }: +let + shb = (import ./default.nix { inherit pkgs lib; }); +in +{ + _module.args.shb = shb // { + test = pkgs.callPackage ../test/common.nix { }; + contracts = pkgs.callPackage ../modules/contracts { inherit shb; }; + }; +} diff --git a/modules/blocks/authelia.nix b/modules/blocks/authelia.nix index 6b3775a..44e1ca6 100644 --- a/modules/blocks/authelia.nix +++ b/modules/blocks/authelia.nix @@ -3,6 +3,7 @@ options, pkgs, lib, + shb, ... }: @@ -10,8 +11,6 @@ let cfg = config.shb.authelia; opt = options.shb.authelia; - contracts = pkgs.callPackage ../contracts { }; - fqdn = "${cfg.subdomain}.${cfg.domain}"; fqdnWithPort = if isNull cfg.port then fqdn else "${fqdn}:${toString cfg.port}"; @@ -23,6 +22,7 @@ let in { imports = [ + ../../lib/module.nix ./lldap.nix ./mitmdump.nix ./postgresql.nix @@ -51,7 +51,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -86,7 +86,7 @@ in jwtSecret = lib.mkOption { description = "JWT secret."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = cfg.autheliaUser; restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ]; @@ -96,7 +96,7 @@ in ldapAdminPassword = lib.mkOption { description = "LDAP admin user password."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = cfg.autheliaUser; restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ]; @@ -106,7 +106,7 @@ in sessionSecret = lib.mkOption { description = "Session secret."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = cfg.autheliaUser; restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ]; @@ -116,7 +116,7 @@ in storageEncryptionKey = lib.mkOption { description = "Storage encryption key."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = cfg.autheliaUser; restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ]; @@ -126,7 +126,7 @@ in identityProvidersOIDCHMACSecret = lib.mkOption { description = "Identity provider OIDC HMAC secret."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = cfg.autheliaUser; restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ]; @@ -140,7 +140,7 @@ in Generate one with `nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048` ''; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = cfg.autheliaUser; restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ]; @@ -204,7 +204,7 @@ in }; client_secret = lib.mkOption { - type = lib.shb.secretFileType; + type = shb.secretFileType; description = '' File containing the shared secret with the OIDC client. @@ -311,7 +311,7 @@ in password = lib.mkOption { description = "File containing the password to connect to the SMTP host."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = cfg.autheliaUser; restartUnits = [ "authelia-${fqdn}" ]; @@ -331,7 +331,7 @@ in }; mount = lib.mkOption { - type = contracts.mount; + type = shb.contracts.mount; description = '' Mount configuration. This is an output option. @@ -354,7 +354,7 @@ in }; mountRedis = lib.mkOption { - type = contracts.mount; + type = shb.contracts.mount; description = '' Mount configuration for Redis. This is an output option. @@ -554,12 +554,12 @@ in let mkCfg = clients: - lib.shb.replaceSecrets { + shb.replaceSecrets { userConfig = { identity_providers.oidc.clients = clients; }; resultPath = "/var/lib/authelia-${fqdn}/oidc_clients.yaml"; - generator = lib.shb.replaceSecretsGeneratorAdapter (lib.generators.toYAML { }); + generator = shb.replaceSecretsGeneratorAdapter (lib.generators.toYAML { }); }; in lib.mkBefore ( diff --git a/modules/blocks/borgbackup.nix b/modules/blocks/borgbackup.nix index 30ca348..a7548d1 100644 --- a/modules/blocks/borgbackup.nix +++ b/modules/blocks/borgbackup.nix @@ -3,14 +3,13 @@ pkgs, lib, utils, + shb, ... }: let cfg = config.shb.borgbackup; - contracts = pkgs.callPackage ../contracts { }; - inherit (lib) concatStringsSep filterAttrs @@ -56,7 +55,7 @@ let passphrase = lib.mkOption { description = "Encryption key for the backup repository."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = config.request.user; ownerText = "[shb.borgbackup.${prefix}..request.user](#blocks-borgbackup-options-shb.borgbackup.${prefix}._name_.request.user)"; @@ -76,7 +75,7 @@ let }; secrets = mkOption { - type = attrsOf lib.shb.secretFileType; + type = attrsOf shb.secretFileType; default = { }; description = '' Secrets needed to access the repository where the backups will be stored. @@ -157,15 +156,19 @@ let fullName = name: repository: "borgbackup-job-${name}_${repoSlugName repository.path}"; in { + imports = [ + ../../lib/module.nix + ]; + options.shb.borgbackup = { instances = mkOption { - description = "Files to backup following the [backup contract](./contracts-backup.html)."; + description = "Files to backup following the [backup contract](./shb.contracts-backup.html)."; default = { }; type = attrsOf ( submodule ( { name, config, ... }: { - options = contracts.backup.mkProvider { + options = shb.contracts.backup.mkProvider { settings = mkOption { description = '' Settings specific to the BorgBackup provider. @@ -193,13 +196,13 @@ in }; databases = mkOption { - description = "Databases to backup following the [database backup contract](./contracts-databasebackup.html)."; + description = "Databases to backup following the [database backup contract](./shb.contracts-databasebackup.html)."; default = { }; type = attrsOf ( submodule ( { name, config, ... }: { - options = contracts.databasebackup.mkProvider { + options = shb.contracts.databasebackup.mkProvider { settings = mkOption { description = '' Settings specific to the BorgBackup provider. @@ -397,10 +400,10 @@ in "${serviceName}-pre" = mkIf (instance.settings.repository.secrets != { }) ( let - script = lib.shb.genConfigOutOfBandSystemd { + script = shb.genConfigOutOfBandSystemd { config = instance.settings.repository.secrets; configLocation = "/run/secrets_borgbackup/${serviceName}"; - generator = lib.shb.toEnvVar; + generator = shb.toEnvVar; user = instance.request.user; }; in @@ -424,13 +427,13 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig.Type = "oneshot"; script = ( - lib.shb.replaceSecrets { + shb.replaceSecrets { userConfig = instance.settings.repository.secrets // { BORG_PASSCOMMAND = ''"cat ${instance.settings.passphrase.result.path}"''; BORG_REPO = instance.settings.repository.path; }; resultPath = "/run/secrets_borgbackup_env/${fullName name instance.settings.repository}"; - generator = lib.shb.toEnvVar; + generator = shb.toEnvVar; user = instance.request.user; } ); diff --git a/modules/blocks/borgbackup/docs/default.md b/modules/blocks/borgbackup/docs/default.md index b7f449e..21b7702 100644 --- a/modules/blocks/borgbackup/docs/default.md +++ b/modules/blocks/borgbackup/docs/default.md @@ -118,7 +118,7 @@ Here we will only highlight the differences with the previous configuration. This assumes you have access to such a remote S3 store, for example by using [Backblaze](https://www.backblaze.com/). ```diff - shb.backup.instances.myservice = { + shb.test.backup.instances.myservice = { repository = { - path = "/srv/pool1/backups/myfolder"; @@ -211,15 +211,15 @@ backupcfg = repositories: name: sourceDirectories { Now, we can define multiple backup jobs to backup different folders: ```nix -shb.backup.instances.myfolder1 = backupcfg repos ["/var/lib/myfolder1"]; -shb.backup.instances.myfolder2 = backupcfg repos ["/var/lib/myfolder2"]; +shb.test.backup.instances.myfolder1 = backupcfg repos ["/var/lib/myfolder1"]; +shb.test.backup.instances.myfolder2 = backupcfg repos ["/var/lib/myfolder2"]; ``` The difference between the above snippet and putting all the folders into one configuration (shown below) is the former splits the backups into sub-folders on the repositories. ```nix -shb.backup.instances.all = backupcfg repos ["/var/lib/myfolder1" "/var/lib/myfolder2"]; +shb.test.backup.instances.all = backupcfg repos ["/var/lib/myfolder1" "/var/lib/myfolder2"]; ``` ## Monitoring {#blocks-borgbackup-monitoring} diff --git a/modules/blocks/hardcodedsecret.nix b/modules/blocks/hardcodedsecret.nix index cfbe68a..41715f8 100644 --- a/modules/blocks/hardcodedsecret.nix +++ b/modules/blocks/hardcodedsecret.nix @@ -2,13 +2,12 @@ config, lib, pkgs, + shb, ... }: let cfg = config.shb.hardcodedsecret; - contracts = pkgs.callPackage ../contracts { }; - inherit (lib) mapAttrs' mkOption nameValuePair; inherit (lib.types) attrsOf @@ -19,6 +18,10 @@ let inherit (pkgs) writeText; in { + imports = [ + ../../lib/module.nix + ]; + options.shb.hardcodedsecret = mkOption { default = { }; description = '' @@ -40,7 +43,7 @@ in submodule ( { name, ... }: { - options = contracts.secret.mkProvider { + options = shb.contracts.secret.mkProvider { settings = mkOption { description = '' Settings specific to the hardcoded secret module. diff --git a/modules/blocks/lldap.nix b/modules/blocks/lldap.nix index fffff9a..15170d5 100644 --- a/modules/blocks/lldap.nix +++ b/modules/blocks/lldap.nix @@ -2,14 +2,13 @@ config, pkgs, lib, + shb, ... }: let cfg = config.shb.lldap; - contracts = pkgs.callPackage ../contracts { }; - fqdn = "${cfg.subdomain}.${cfg.domain}"; inherit (lib) mkOption types; @@ -54,6 +53,7 @@ let in { imports = [ + ../../lib/module.nix ./mitmdump.nix (lib.mkRenamedOptionModule [ "shb" "ldap" ] [ "shb" "lldap" ]) @@ -88,7 +88,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -101,7 +101,7 @@ in ldapUserPassword = lib.mkOption { description = "LDAP admin user secret."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0440"; owner = "lldap"; group = "lldap"; @@ -113,7 +113,7 @@ in jwtSecret = lib.mkOption { description = "JWT secret."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0440"; owner = "lldap"; group = "lldap"; @@ -136,7 +136,7 @@ in }; mount = lib.mkOption { - type = contracts.mount; + type = shb.contracts.mount; description = '' Mount configuration. This is an output option. @@ -160,7 +160,7 @@ in Backup configuration. ''; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { # TODO: is there a workaround that avoid needing to use root? # root because otherwise we cannot access the private StateDiretory user = "root"; @@ -203,7 +203,7 @@ in password = mkOption { description = "Password."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0440"; owner = "lldap"; group = "lldap"; diff --git a/modules/blocks/monitoring.nix b/modules/blocks/monitoring.nix index 2c662ab..a1c5cc5 100644 --- a/modules/blocks/monitoring.nix +++ b/modules/blocks/monitoring.nix @@ -2,14 +2,13 @@ config, pkgs, lib, + shb, ... }: let cfg = config.shb.monitoring; - contracts = pkgs.callPackage ../contracts { }; - fqdn = "${cfg.subdomain}.${cfg.domain}"; commonLabels = { @@ -49,7 +48,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -112,7 +111,7 @@ in adminPassword = lib.mkOption { description = "Initial admin password."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "grafana"; group = "grafana"; @@ -124,7 +123,7 @@ in secretKey = lib.mkOption { description = "Secret key used for signing."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "grafana"; group = "grafana"; @@ -226,7 +225,7 @@ in sharedSecret = lib.mkOption { description = "OIDC shared secret for Grafana."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { owner = "grafana"; restartUnits = [ "grafana.service" @@ -238,7 +237,7 @@ in sharedSecretForAuthelia = lib.mkOption { description = "OIDC shared secret for Authelia. Must be the same as `sharedSecret`"; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; ownerText = "config.shb.authelia.autheliaUser"; owner = config.shb.authelia.autheliaUser; diff --git a/modules/blocks/nginx.nix b/modules/blocks/nginx.nix index bdc9fb0..a648869 100644 --- a/modules/blocks/nginx.nix +++ b/modules/blocks/nginx.nix @@ -1,15 +1,13 @@ { config, - pkgs, lib, + shb, ... }: let cfg = config.shb.nginx; - contracts = pkgs.callPackage ../contracts { }; - fqdn = c: "${c.subdomain}.${c.domain}"; vhostConfig = lib.types.submodule { @@ -28,7 +26,7 @@ let ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; diff --git a/modules/blocks/postgresql.nix b/modules/blocks/postgresql.nix index 9e5f47a..7a1a558 100644 --- a/modules/blocks/postgresql.nix +++ b/modules/blocks/postgresql.nix @@ -2,11 +2,11 @@ config, lib, pkgs, + shb, ... }: let cfg = config.shb.postgresql; - contracts = pkgs.callPackage ../contracts { }; upgrade-script = old: new: @@ -39,6 +39,10 @@ let ''; in { + imports = [ + ../../lib/module.nix + ]; + options.shb.postgresql = { debug = lib.mkOption { type = lib.types.bool; @@ -63,7 +67,7 @@ in default = { }; type = lib.types.submodule { - options = contracts.databasebackup.mkRequester { + options = shb.contracts.databasebackup.mkRequester { user = "postgres"; backupName = "postgres.sql"; diff --git a/modules/blocks/restic.nix b/modules/blocks/restic.nix index 5296725..4a17eb4 100644 --- a/modules/blocks/restic.nix +++ b/modules/blocks/restic.nix @@ -2,6 +2,7 @@ config, pkgs, lib, + shb, utils, ... }: @@ -9,8 +10,6 @@ let cfg = config.shb.restic; - contracts = pkgs.callPackage ../contracts { }; - inherit (lib) concatStringsSep filterAttrs @@ -60,7 +59,7 @@ let passphrase = lib.mkOption { description = "Encryption key for the backup repository."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = config.request.user; ownerText = "[shb.restic.${prefix}..request.user](#blocks-restic-options-shb.restic.${prefix}._name_.request.user)"; @@ -80,7 +79,7 @@ let }; secrets = mkOption { - type = attrsOf lib.shb.secretFileType; + type = attrsOf shb.secretFileType; default = { }; description = '' Secrets needed to access the repository where the backups will be stored. @@ -148,15 +147,19 @@ let fullName = name: repository: "restic-backups-${name}_${repoSlugName repository.path}"; in { + imports = [ + ../../lib/module.nix + ]; + options.shb.restic = { instances = mkOption { - description = "Files to backup following the [backup contract](./contracts-backup.html)."; + description = "Files to backup following the [backup contract](./shb.contracts-backup.html)."; default = { }; type = attrsOf ( submodule ( { name, config, ... }: { - options = contracts.backup.mkProvider { + options = shb.contracts.backup.mkProvider { settings = mkOption { description = '' Settings specific to the Restic provider. @@ -184,13 +187,13 @@ in }; databases = mkOption { - description = "Databases to backup following the [database backup contract](./contracts-databasebackup.html)."; + description = "Databases to backup following the [database backup contract](./shb.contracts-databasebackup.html)."; default = { }; type = attrsOf ( submodule ( { name, config, ... }: { - options = contracts.databasebackup.mkProvider { + options = shb.contracts.databasebackup.mkProvider { settings = mkOption { description = '' Settings specific to the Restic provider. @@ -380,10 +383,10 @@ in "${serviceName}-pre" = mkIf (instance.settings.repository.secrets != { }) ( let - script = lib.shb.genConfigOutOfBandSystemd { + script = shb.genConfigOutOfBandSystemd { config = instance.settings.repository.secrets; configLocation = "/run/secrets_restic/${serviceName}"; - generator = lib.shb.toEnvVar; + generator = shb.toEnvVar; user = instance.request.user; }; in @@ -407,13 +410,13 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig.Type = "oneshot"; script = ( - lib.shb.replaceSecrets { + shb.replaceSecrets { userConfig = instance.settings.repository.secrets // { RESTIC_PASSWORD_FILE = toString instance.settings.passphrase.result.path; RESTIC_REPOSITORY = instance.settings.repository.path; }; resultPath = "/run/secrets_restic_env/${fullName name instance.settings.repository}"; - generator = lib.shb.toEnvVar; + generator = shb.toEnvVar; user = instance.request.user; } ); diff --git a/modules/blocks/restic/docs/default.md b/modules/blocks/restic/docs/default.md index 36427ab..e70ce44 100644 --- a/modules/blocks/restic/docs/default.md +++ b/modules/blocks/restic/docs/default.md @@ -118,7 +118,7 @@ Here we will only highlight the differences with the previous configuration. This assumes you have access to such a remote S3 store, for example by using [Backblaze](https://www.backblaze.com/). ```diff - shb.backup.instances.myservice = { + shb.test.backup.instances.myservice = { repository = { - path = "/srv/pool1/backups/myfolder"; @@ -211,15 +211,15 @@ backupcfg = repositories: name: sourceDirectories { Now, we can define multiple backup jobs to backup different folders: ```nix -shb.backup.instances.myfolder1 = backupcfg repos ["/var/lib/myfolder1"]; -shb.backup.instances.myfolder2 = backupcfg repos ["/var/lib/myfolder2"]; +shb.test.backup.instances.myfolder1 = backupcfg repos ["/var/lib/myfolder1"]; +shb.test.backup.instances.myfolder2 = backupcfg repos ["/var/lib/myfolder2"]; ``` The difference between the above snippet and putting all the folders into one configuration (shown below) is the former splits the backups into sub-folders on the repositories. ```nix -shb.backup.instances.all = backupcfg repos ["/var/lib/myfolder1" "/var/lib/myfolder2"]; +shb.test.backup.instances.all = backupcfg repos ["/var/lib/myfolder1" "/var/lib/myfolder2"]; ``` ## Monitoring {#blocks-restic-monitoring} diff --git a/modules/blocks/sops.nix b/modules/blocks/sops.nix index 1d7d733..f54e1d0 100644 --- a/modules/blocks/sops.nix +++ b/modules/blocks/sops.nix @@ -1,18 +1,20 @@ { config, lib, - pkgs, + shb, ... }: let inherit (lib) mapAttrs mkOption; inherit (lib.types) attrsOf anything submodule; - contracts = pkgs.callPackage ../contracts { }; - cfg = config.shb.sops; in { + imports = [ + ../../lib/module.nix + ]; + options.shb.sops = { secret = mkOption { description = "Secret following the [secret contract](./contracts-secret.html)."; @@ -21,7 +23,7 @@ in submodule ( { name, options, ... }: { - options = contracts.secret.mkProvider { + options = shb.contracts.secret.mkProvider { settings = mkOption { description = '' Settings specific to the Sops provider. diff --git a/modules/blocks/ssl.nix b/modules/blocks/ssl.nix index 7e09dca..7bf7bfb 100644 --- a/modules/blocks/ssl.nix +++ b/modules/blocks/ssl.nix @@ -2,14 +2,13 @@ config, pkgs, lib, + shb, ... }: let cfg = config.shb.certs; - contracts = pkgs.callPackage ../contracts { }; - inherit (builtins) dirOf; inherit (lib) flatten @@ -20,6 +19,10 @@ let ; in { + imports = [ + ../../lib/module.nix + ]; + options.shb.certs = { systemdService = lib.mkOption { description = '' @@ -51,7 +54,7 @@ in This option implements the SSL Generator contract. ''; - type = contracts.ssl.certs-paths; + type = shb.contracts.ssl.certs-paths; default = { key = "/var/lib/certs/cas/${config._module.args.name}.key"; cert = "/var/lib/certs/cas/${config._module.args.name}.cert"; @@ -81,7 +84,7 @@ in { options = { ca = lib.mkOption { - type = lib.types.nullOr contracts.ssl.cas; + type = lib.types.nullOr shb.contracts.ssl.cas; description = '' CA used to generate this certificate. Only used for self-signed. @@ -128,7 +131,7 @@ in This option implements the SSL Generator contract. ''; - type = contracts.ssl.certs-paths; + type = shb.contracts.ssl.certs-paths; default = { key = "/var/lib/certs/selfsigned/${config._module.args.name}.key"; cert = "/var/lib/certs/selfsigned/${config._module.args.name}.cert"; @@ -196,7 +199,7 @@ in This option implements the SSL Generator contract. ''; - type = contracts.ssl.certs-paths; + type = shb.contracts.ssl.certs-paths; default = { key = "/var/lib/acme/${config._module.args.name}/key.pem"; cert = "/var/lib/acme/${config._module.args.name}/cert.pem"; diff --git a/modules/contracts/backup.nix b/modules/contracts/backup.nix index bd3a7ac..454fb86 100644 --- a/modules/contracts/backup.nix +++ b/modules/contracts/backup.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ lib, shb, ... }: let inherit (lib) concatStringsSep @@ -13,7 +13,7 @@ let submodule str ; - inherit (lib.shb) anyNotNull; + inherit (shb) anyNotNull; in { mkRequest = diff --git a/modules/contracts/backup/dummyModule.nix b/modules/contracts/backup/dummyModule.nix index 95ab466..b981b41 100644 --- a/modules/contracts/backup/dummyModule.nix +++ b/modules/contracts/backup/dummyModule.nix @@ -1,11 +1,13 @@ -{ pkgs, lib, ... }: +{ lib, shb, ... }: let - contracts = pkgs.callPackage ../. { }; - inherit (lib) mkOption; inherit (lib.types) submodule; in { + imports = [ + ../../../lib/module.nix + ]; + options.shb.contracts.backup = mkOption { description = '' Contract for backing up files @@ -23,7 +25,7 @@ in ''; type = submodule { - options = contracts.backup.contract; + options = shb.contracts.backup.contract; }; }; } diff --git a/modules/contracts/backup/test.nix b/modules/contracts/backup/test.nix index 28deaee..8514836 100644 --- a/modules/contracts/backup/test.nix +++ b/modules/contracts/backup/test.nix @@ -1,4 +1,8 @@ -{ pkgs, lib }: +{ + pkgs, + lib, + shb, +}: let inherit (lib) concatMapStringsSep @@ -20,13 +24,13 @@ in settings, # { repository, config } -> attrset extraConfig ? null, # { username, config } -> attrset }: -lib.shb.runNixOSTest { +shb.test.runNixOSTest { inherit name; nodes.machine = { config, ... }: { - imports = [ lib.shb.baseImports ] ++ modules; + imports = [ shb.test.baseImports ] ++ modules; config = lib.mkMerge [ (setAttrByPath providerRoot { diff --git a/modules/contracts/databasebackup.nix b/modules/contracts/databasebackup.nix index 298da2a..7da4f80 100644 --- a/modules/contracts/databasebackup.nix +++ b/modules/contracts/databasebackup.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ lib, shb, ... }: let inherit (lib) mkOption @@ -8,7 +8,7 @@ let optionalString ; inherit (lib.types) submodule str; - inherit (lib.shb) anyNotNull; + inherit (shb) anyNotNull; in { mkRequest = diff --git a/modules/contracts/databasebackup/dummyModule.nix b/modules/contracts/databasebackup/dummyModule.nix index 2ce18ae..3a9e26c 100644 --- a/modules/contracts/databasebackup/dummyModule.nix +++ b/modules/contracts/databasebackup/dummyModule.nix @@ -1,11 +1,13 @@ -{ pkgs, lib, ... }: +{ lib, shb, ... }: let - contracts = pkgs.callPackage ../. { }; - inherit (lib) mkOption; inherit (lib.types) submodule; in { + imports = [ + ../../../lib/module.nix + ]; + options.shb.contracts.databasebackup = mkOption { description = '' Contract for database backup between a requester module @@ -23,7 +25,7 @@ in ''; type = submodule { - options = contracts.databasebackup.contract; + options = shb.contracts.databasebackup.contract; }; }; } diff --git a/modules/contracts/databasebackup/test.nix b/modules/contracts/databasebackup/test.nix index 53f41a0..a2b814b 100644 --- a/modules/contracts/databasebackup/test.nix +++ b/modules/contracts/databasebackup/test.nix @@ -1,4 +1,8 @@ -{ pkgs, lib }: +{ + pkgs, + lib, + shb, +}: let inherit (lib) getAttrFromPath @@ -16,13 +20,13 @@ in database ? "me", settings, # { repository, config } -> attrset }: -lib.shb.runNixOSTest { +shb.test.runNixOSTest { inherit name; nodes.machine = { config, ... }: { - imports = [ lib.shb.baseImports ] ++ modules; + imports = [ shb.test.baseImports ] ++ modules; config = lib.mkMerge [ (setAttrByPath providerRoot { request = (getAttrFromPath requesterRoot config).request; diff --git a/modules/contracts/default.nix b/modules/contracts/default.nix index 278a81c..e9964a8 100644 --- a/modules/contracts/default.nix +++ b/modules/contracts/default.nix @@ -1,4 +1,8 @@ -{ pkgs, lib }: +{ + pkgs, + lib, + shb, +}: let inherit (lib) mkOption optionalAttrs; inherit (lib.types) anything; @@ -44,7 +48,7 @@ let importContract = module: let - importedModule = pkgs.callPackage module { }; + importedModule = pkgs.callPackage module { inherit shb; }; in mkContractFunctions { inherit (importedModule) mkRequest mkResult; @@ -57,8 +61,8 @@ in secret = importContract ./secret.nix; ssl = pkgs.callPackage ./ssl.nix { }; test = { - secret = pkgs.callPackage ./secret/test.nix { }; - databasebackup = pkgs.callPackage ./databasebackup/test.nix { }; - backup = pkgs.callPackage ./backup/test.nix { }; + secret = pkgs.callPackage ./secret/test.nix { inherit shb; }; + databasebackup = pkgs.callPackage ./databasebackup/test.nix { inherit shb; }; + backup = pkgs.callPackage ./backup/test.nix { inherit shb; }; }; } diff --git a/modules/contracts/secret.nix b/modules/contracts/secret.nix index 28cfd79..8d02c78 100644 --- a/modules/contracts/secret.nix +++ b/modules/contracts/secret.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ lib, shb, ... }: let inherit (lib) concatStringsSep @@ -8,7 +8,7 @@ let optionalString ; inherit (lib.types) listOf submodule str; - inherit (lib.shb) anyNotNull; + inherit (shb) anyNotNull; in { mkRequest = diff --git a/modules/contracts/secret/dummyModule.nix b/modules/contracts/secret/dummyModule.nix index bc0162e..a379c29 100644 --- a/modules/contracts/secret/dummyModule.nix +++ b/modules/contracts/secret/dummyModule.nix @@ -1,11 +1,13 @@ -{ pkgs, lib, ... }: +{ lib, shb, ... }: let - contracts = pkgs.callPackage ../. { }; - inherit (lib) mkOption; inherit (lib.types) submodule; in { + imports = [ + ../../../lib/module.nix + ]; + options.shb.contracts.secret = mkOption { description = '' Contract for secrets between a requester module @@ -21,7 +23,7 @@ in through the `result.*` options. ''; type = submodule { - options = contracts.secret.contract; + options = shb.contracts.secret.contract; }; }; } diff --git a/modules/contracts/secret/test.nix b/modules/contracts/secret/test.nix index 40ccc50..246323f 100644 --- a/modules/contracts/secret/test.nix +++ b/modules/contracts/secret/test.nix @@ -1,4 +1,8 @@ -{ pkgs, lib }: +{ + pkgs, + lib, + shb, +}: let inherit (lib) getAttrFromPath setAttrByPath; inherit (lib) mkIf; @@ -13,13 +17,13 @@ in mode ? "0400", restartUnits ? [ "myunit.service" ], }: -lib.shb.runNixOSTest { +shb.test.runNixOSTest { name = "secret_${name}_${owner}_${group}_${mode}"; nodes.machine = { config, ... }: { - imports = [ lib.shb.baseImports ] ++ modules; + imports = [ shb.test.baseImports ] ++ modules; config = lib.mkMerge [ (setAttrByPath configRoot { A = { diff --git a/modules/contracts/ssl/dummyModule.nix b/modules/contracts/ssl/dummyModule.nix index d11651a..f242dd8 100644 --- a/modules/contracts/ssl/dummyModule.nix +++ b/modules/contracts/ssl/dummyModule.nix @@ -1,10 +1,11 @@ -{ pkgs, lib, ... }: -let - contracts = pkgs.callPackage ../. { }; -in +{ lib, shb, ... }: { + imports = [ + ../../../lib/module.nix + ]; + options.shb.contracts.ssl = lib.mkOption { description = "Contract for SSL Certificate generator."; - type = contracts.ssl.certs; + type = shb.contracts.ssl.certs; }; } diff --git a/modules/services/arr.nix b/modules/services/arr.nix index ee60c97..12a7175 100644 --- a/modules/services/arr.nix +++ b/modules/services/arr.nix @@ -2,17 +2,16 @@ config, pkgs, lib, + shb, ... }: let cfg = config.shb.arr; - contracts = pkgs.callPackage ../contracts { }; - apps = { radarr = { - settingsFormat = lib.shb.formatXML { enclosingRoot = "Config"; }; + settingsFormat = shb.formatXML { enclosingRoot = "Config"; }; moreOptions = { settings = lib.mkOption { description = "Specific options for radarr."; @@ -21,7 +20,7 @@ let freeformType = apps.radarr.settingsFormat.type; options = { ApiKey = lib.mkOption { - type = lib.shb.secretFileType; + type = shb.secretFileType; description = "Path to api key secret file."; }; LogLevel = lib.mkOption { @@ -73,7 +72,7 @@ let }; }; sonarr = { - settingsFormat = lib.shb.formatXML { enclosingRoot = "Config"; }; + settingsFormat = shb.formatXML { enclosingRoot = "Config"; }; moreOptions = { settings = lib.mkOption { description = "Specific options for sonarr."; @@ -82,7 +81,7 @@ let freeformType = apps.sonarr.settingsFormat.type; options = { ApiKey = lib.mkOption { - type = lib.shb.secretFileType; + type = shb.secretFileType; description = "Path to api key secret file."; }; LogLevel = lib.mkOption { @@ -129,7 +128,7 @@ let }; }; bazarr = { - settingsFormat = lib.shb.formatXML { enclosingRoot = "Config"; }; + settingsFormat = shb.formatXML { enclosingRoot = "Config"; }; moreOptions = { settings = lib.mkOption { description = "Specific options for bazarr."; @@ -157,7 +156,7 @@ let }; }; readarr = { - settingsFormat = lib.shb.formatXML { enclosingRoot = "Config"; }; + settingsFormat = shb.formatXML { enclosingRoot = "Config"; }; moreOptions = { settings = lib.mkOption { description = "Specific options for readarr."; @@ -184,7 +183,7 @@ let }; }; lidarr = { - settingsFormat = lib.shb.formatXML { enclosingRoot = "Config"; }; + settingsFormat = shb.formatXML { enclosingRoot = "Config"; }; moreOptions = { settings = lib.mkOption { description = "Specific options for lidarr."; @@ -220,7 +219,7 @@ let freeformType = apps.jackett.settingsFormat.type; options = { ApiKey = lib.mkOption { - type = lib.shb.secretFileType; + type = shb.secretFileType; description = "Path to api key secret file."; }; FlareSolverrUrl = lib.mkOption { @@ -229,7 +228,7 @@ let default = null; }; OmdbApiKey = lib.mkOption { - type = lib.types.nullOr lib.shb.secretFileType; + type = lib.types.nullOr shb.secretFileType; description = "File containing the Open Movie Database API key."; default = null; }; @@ -341,7 +340,7 @@ let ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -358,7 +357,7 @@ let ''; default = { }; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = name; sourceDirectories = [ cfg.${name}.dataDir @@ -379,6 +378,7 @@ let in { imports = [ + ../../lib/module.nix ../blocks/nginx.nix ]; @@ -398,7 +398,7 @@ in dataDir = "/var/lib/radarr"; }; - systemd.services.radarr.preStart = lib.shb.replaceSecrets { + systemd.services.radarr.preStart = shb.replaceSecrets { userConfig = cfg'.settings // (lib.optionalAttrs isSSOEnabled { @@ -406,7 +406,7 @@ in AuthenticationMethod = "External"; }); resultPath = "${config.services.radarr.dataDir}/config.xml"; - generator = lib.shb.replaceSecretsFormatAdapter apps.radarr.settingsFormat; + generator = shb.replaceSecretsFormatAdapter apps.radarr.settingsFormat; }; shb.nginx.vhosts = [ (vhosts { } cfg') ]; @@ -429,7 +429,7 @@ in extraGroups = [ "media" ]; }; - systemd.services.sonarr.preStart = lib.shb.replaceSecrets { + systemd.services.sonarr.preStart = shb.replaceSecrets { userConfig = cfg'.settings // (lib.optionalAttrs isSSOEnabled { @@ -457,7 +457,7 @@ in users.users.bazarr = { extraGroups = [ "media" ]; }; - systemd.services.bazarr.preStart = lib.shb.replaceSecrets { + systemd.services.bazarr.preStart = shb.replaceSecrets { userConfig = cfg'.settings // (lib.optionalAttrs isSSOEnabled { @@ -484,7 +484,7 @@ in users.users.readarr = { extraGroups = [ "media" ]; }; - systemd.services.readarr.preStart = lib.shb.replaceSecrets { + systemd.services.readarr.preStart = shb.replaceSecrets { userConfig = cfg'.settings; resultPath = "${config.services.readarr.dataDir}/config.xml"; generator = apps.readarr.settingsFormat.generate; @@ -507,7 +507,7 @@ in users.users.lidarr = { extraGroups = [ "media" ]; }; - systemd.services.lidarr.preStart = lib.shb.replaceSecrets { + systemd.services.lidarr.preStart = shb.replaceSecrets { userConfig = cfg'.settings // (lib.optionalAttrs isSSOEnabled { @@ -535,8 +535,8 @@ in users.users.jackett = { extraGroups = [ "media" ]; }; - systemd.services.jackett.preStart = lib.shb.replaceSecrets { - userConfig = lib.shb.renameAttrName cfg'.settings "ApiKey" "APIKey"; + systemd.services.jackett.preStart = shb.replaceSecrets { + userConfig = shb.renameAttrName cfg'.settings "ApiKey" "APIKey"; resultPath = "${config.services.jackett.dataDir}/ServerConfig.json"; generator = apps.jackett.settingsFormat.generate; }; diff --git a/modules/services/audiobookshelf.nix b/modules/services/audiobookshelf.nix index 9293317..bcea2af 100644 --- a/modules/services/audiobookshelf.nix +++ b/modules/services/audiobookshelf.nix @@ -1,15 +1,13 @@ { config, - pkgs, lib, + shb, ... }: let cfg = config.shb.audiobookshelf; - contracts = pkgs.callPackage ../contracts { }; - fqdn = "${cfg.subdomain}.${cfg.domain}"; roleClaim = "audiobookshelf_groups"; @@ -38,7 +36,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -103,7 +101,7 @@ in sharedSecret = lib.mkOption { description = "OIDC shared secret for Audiobookshelf."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0440"; owner = "audiobookshelf"; group = "audiobookshelf"; @@ -115,7 +113,7 @@ in sharedSecretForAuthelia = lib.mkOption { description = "OIDC shared secret for Authelia."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; ownerText = "config.shb.authelia.autheliaUser"; owner = config.shb.authelia.autheliaUser; @@ -131,7 +129,7 @@ in Backup configuration. ''; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "audiobookshelf"; sourceDirectories = [ "/var/lib/audiobookshelf" diff --git a/modules/services/deluge.nix b/modules/services/deluge.nix index cabb57d..dd2f678 100644 --- a/modules/services/deluge.nix +++ b/modules/services/deluge.nix @@ -2,14 +2,13 @@ config, pkgs, lib, + shb, ... }: let cfg = config.shb.deluge; - contracts = pkgs.callPackage ../contracts { }; - fqdn = "${cfg.subdomain}.${cfg.domain}"; authGenerator = @@ -29,6 +28,7 @@ let in { imports = [ + ../../lib/module.nix ../blocks/nginx.nix ]; @@ -49,7 +49,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -194,7 +194,7 @@ in lib.types.submodule { options = { password = lib.mkOption { - type = lib.shb.secretFileType; + type = shb.secretFileType; description = "File containing the user password."; }; }; @@ -205,7 +205,7 @@ in localclientPassword = lib.mkOption { description = "Password for mandatory localclient user."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { owner = "deluge"; restartUnits = [ "deluged.service" ]; }; @@ -216,7 +216,7 @@ in description = "Password for prometheus scraper. Setting this option will activate the prometheus deluge exporter."; type = lib.types.nullOr ( lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { owner = "deluge"; restartUnits = [ "deluged.service" @@ -273,7 +273,7 @@ in ''; default = { }; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "deluge"; sourceDirectories = [ cfg.dataDir @@ -361,7 +361,7 @@ in }; systemd.services.deluged.preStart = lib.mkBefore ( - lib.shb.replaceSecrets { + shb.replaceSecrets { userConfig = cfg.extraUsers // { diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix index 0612e21..9fb01b0 100644 --- a/modules/services/forgejo.nix +++ b/modules/services/forgejo.nix @@ -3,14 +3,13 @@ options, pkgs, lib, + shb, ... }: let cfg = config.shb.forgejo; - contracts = pkgs.callPackage ../contracts { }; - inherit (lib) all attrNames @@ -87,7 +86,7 @@ in ssl = mkOption { description = "Path to SSL files"; - type = nullOr contracts.ssl.certs; + type = nullOr shb.contracts.ssl.certs; default = null; }; @@ -137,7 +136,7 @@ in adminPassword = mkOption { description = "LDAP admin password."; type = submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0440"; owner = "forgejo"; group = "forgejo"; @@ -210,7 +209,7 @@ in sharedSecret = mkOption { description = "OIDC shared secret for Forgejo."; type = submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0440"; owner = "forgejo"; group = "forgejo"; @@ -222,7 +221,7 @@ in sharedSecretForAuthelia = mkOption { description = "OIDC shared secret for Authelia."; type = submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "authelia"; }; @@ -254,7 +253,7 @@ in password = mkOption { description = "Forgejo admin user password."; type = submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0440"; owner = "forgejo"; group = "forgejo"; @@ -269,7 +268,7 @@ in databasePassword = mkOption { description = "File containing the Forgejo database password."; type = submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0440"; owner = "forgejo"; group = "forgejo"; @@ -329,7 +328,7 @@ in ''; default = { }; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = options.services.forgejo.user.value; sourceDirectories = [ options.services.forgejo.dump.backupDir.value @@ -342,7 +341,7 @@ in }; mount = mkOption { - type = contracts.mount; + type = shb.contracts.mount; description = '' Mount configuration. This is an output option. diff --git a/modules/services/grocy.nix b/modules/services/grocy.nix index 244e08d..3cc090f 100644 --- a/modules/services/grocy.nix +++ b/modules/services/grocy.nix @@ -1,15 +1,13 @@ { config, - pkgs, lib, + shb, ... }: let cfg = config.shb.grocy; - contracts = pkgs.callPackage ../contracts { }; - fqdn = "${cfg.subdomain}.${cfg.domain}"; in { @@ -68,7 +66,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -90,7 +88,7 @@ in ''; readOnly = true; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "grocy"; sourceDirectories = [ cfg.dataDir diff --git a/modules/services/hledger.nix b/modules/services/hledger.nix index 853fd9f..9fabf7a 100644 --- a/modules/services/hledger.nix +++ b/modules/services/hledger.nix @@ -1,15 +1,13 @@ { config, - pkgs, lib, + shb, ... }: let cfg = config.shb.hledger; - contracts = pkgs.callPackage ../contracts { }; - fqdn = "${cfg.subdomain}.${cfg.domain}"; in { @@ -40,7 +38,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -70,7 +68,7 @@ in ''; default = { }; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "hledger"; sourceDirectories = [ cfg.dataDir diff --git a/modules/services/home-assistant.nix b/modules/services/home-assistant.nix index d7a7301..abfaa7f 100644 --- a/modules/services/home-assistant.nix +++ b/modules/services/home-assistant.nix @@ -2,14 +2,13 @@ config, pkgs, lib, + shb, ... }: let cfg = config.shb.home-assistant; - contracts = pkgs.callPackage ../contracts { }; - fqdn = "${cfg.subdomain}.${cfg.domain}"; ldap_auth_script_repo = pkgs.fetchFromGitHub { @@ -32,6 +31,10 @@ let configWithSecretsIncludes = nonSecrets // (lib.attrsets.mapAttrs (k: v: "!secret ${k}") secrets); in { + imports = [ + ../../lib/module.nix + ]; + options.shb.home-assistant = { enable = lib.mkEnableOption "selfhostblocks.home-assistant"; @@ -49,7 +52,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -61,35 +64,35 @@ in name = lib.mkOption { type = lib.types.oneOf [ lib.types.str - lib.shb.secretFileType + shb.secretFileType ]; description = "Name of the Home Assistant instance."; }; country = lib.mkOption { type = lib.types.oneOf [ lib.types.str - lib.shb.secretFileType + shb.secretFileType ]; description = "Two letter country code where this instance is located."; }; latitude = lib.mkOption { type = lib.types.oneOf [ lib.types.str - lib.shb.secretFileType + shb.secretFileType ]; description = "Latitude where this instance is located."; }; longitude = lib.mkOption { type = lib.types.oneOf [ lib.types.str - lib.shb.secretFileType + shb.secretFileType ]; description = "Longitude where this instance is located."; }; time_zone = lib.mkOption { type = lib.types.oneOf [ lib.types.str - lib.shb.secretFileType + shb.secretFileType ]; description = "Timezone of this instance."; example = "America/Los_Angeles"; @@ -206,7 +209,7 @@ in ''; default = { }; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "hass"; # No need for backup hooks as we use an hourly automation job in home assistant directly with a cron job. sourceDirectories = [ @@ -383,10 +386,10 @@ in fi '' ) - + (lib.shb.replaceSecrets { + + (shb.replaceSecrets { userConfig = cfg.config; resultPath = "${config.services.home-assistant.configDir}/secrets.yaml"; - generator = lib.shb.replaceSecretsGeneratorAdapter (lib.generators.toYAML { }); + generator = shb.replaceSecretsGeneratorAdapter (lib.generators.toYAML { }); }); systemd.tmpfiles.rules = [ diff --git a/modules/services/immich.nix b/modules/services/immich.nix index 62e7abb..f82ef09 100644 --- a/modules/services/immich.nix +++ b/modules/services/immich.nix @@ -2,14 +2,13 @@ config, pkgs, lib, + shb, ... }: let cfg = config.shb.immich; - contracts = pkgs.callPackage ../contracts { }; - fqdn = "${cfg.subdomain}.${cfg.domain}"; protocol = if !(isNull cfg.ssl) then "https" else "http"; @@ -76,10 +75,10 @@ let # Use SHB's replaceSecrets function for loading secrets at runtime configSetupScript = lib.optionalString (cfg.sso.enable || cfg.smtp != null) ( - lib.shb.replaceSecrets { + shb.replaceSecrets { userConfig = shbManagedSettings; resultPath = configFile; - generator = lib.shb.replaceSecretsFormatAdapter (pkgs.formats.json { }); + generator = shb.replaceSecretsFormatAdapter (pkgs.formats.json { }); user = "immich"; permissions = "u=r,g=,o="; } @@ -106,6 +105,7 @@ let in { imports = [ + ../../lib/module.nix ../blocks/nginx.nix ]; @@ -146,7 +146,7 @@ in ssl = mkOption { description = "Path to SSL files"; - type = nullOr contracts.ssl.certs; + type = nullOr shb.contracts.ssl.certs; default = null; }; @@ -162,7 +162,7 @@ in This is required for secure session management. ''; type = nullOr (submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "immich"; restartUnits = [ "immich-server.service" ]; @@ -172,7 +172,7 @@ in }; mount = mkOption { - type = contracts.mount; + type = shb.contracts.mount; description = '' Mount configuration. This is an output option. @@ -197,7 +197,7 @@ in ''; default = { }; type = submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "immich"; sourceDirectories = [ dataFolder @@ -328,7 +328,7 @@ in sharedSecret = mkOption { description = "OIDC shared secret for Immich."; type = submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "immich"; group = "immich"; @@ -340,7 +340,7 @@ in sharedSecretForAuthelia = mkOption { description = "OIDC shared secret for Authelia. Content must be the same as `sharedSecret` option."; type = submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "authelia"; }; @@ -420,7 +420,7 @@ in password = mkOption { description = "File containing the password to connect to the SMTP host."; type = submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "immich"; restartUnits = [ "immich-server.service" ]; diff --git a/modules/services/jellyfin.nix b/modules/services/jellyfin.nix index fcdfe3d..83114b2 100644 --- a/modules/services/jellyfin.nix +++ b/modules/services/jellyfin.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + shb, ... }: @@ -10,8 +11,6 @@ let cfg = config.shb.jellyfin; - contracts = pkgs.callPackage ../contracts { }; - fqdn = "${cfg.subdomain}.${cfg.domain}"; jellyfin-cli = pkgs.buildDotnetModule rec { @@ -83,7 +82,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = types.nullOr contracts.ssl.certs; + type = types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -107,7 +106,7 @@ in password = lib.mkOption { description = "Password of the default admin user."; type = types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0440"; owner = "jellyfin"; group = "jellyfin"; @@ -160,7 +159,7 @@ in adminPassword = lib.mkOption { description = "LDAP admin password."; type = types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0440"; owner = "jellyfin"; group = "jellyfin"; @@ -221,7 +220,7 @@ in sharedSecret = lib.mkOption { description = "OIDC shared secret for Jellyfin."; type = types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0440"; owner = "jellyfin"; group = "jellyfin"; @@ -233,7 +232,7 @@ in sharedSecretForAuthelia = lib.mkOption { description = "OIDC shared secret for Authelia."; type = types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; ownerText = "config.shb.authelia.autheliaUser"; owner = config.shb.authelia.autheliaUser; @@ -250,7 +249,7 @@ in ''; default = { }; type = types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "jellyfin"; sourceDirectories = [ config.services.jellyfin.dataDir @@ -265,6 +264,8 @@ in }; imports = [ + ../../lib/module.nix + (lib.mkRenamedOptionModule [ "shb" "jellyfin" "adminPassword" ] [ "shb" "jellyfin" "admin" "password" ] @@ -586,7 +587,7 @@ in fi ln -fs "${debugLogging}" "${config.services.jellyfin.configDir}/logging.json" '' - + (lib.shb.replaceSecretsScript { + + (shb.replaceSecretsScript { file = networkConfig; # Write permissions are needed otherwise the jellyfin-cli tool will not work correctly. permissions = "u=rw,g=rw,o="; @@ -595,7 +596,7 @@ in ]; }) + lib.strings.optionalString cfg.ldap.enable ( - lib.shb.replaceSecretsScript { + shb.replaceSecretsScript { file = ldapConfig; resultPath = "${config.services.jellyfin.dataDir}/plugins/configurations/LDAP-Auth.xml"; replacements = [ @@ -607,7 +608,7 @@ in } ) + lib.strings.optionalString cfg.sso.enable ( - lib.shb.replaceSecretsScript { + shb.replaceSecretsScript { file = ssoConfig; resultPath = "${config.services.jellyfin.dataDir}/plugins/configurations/SSO-Auth.xml"; replacements = [ @@ -619,7 +620,7 @@ in } ) + lib.strings.optionalString cfg.sso.enable ( - lib.shb.replaceSecretsScript { + shb.replaceSecretsScript { file = brandingConfig; resultPath = "${config.services.jellyfin.dataDir}/config/branding.xml"; replacements = [ diff --git a/modules/services/karakeep.nix b/modules/services/karakeep.nix index 6454c61..20107b3 100644 --- a/modules/services/karakeep.nix +++ b/modules/services/karakeep.nix @@ -1,16 +1,15 @@ { config, lib, - pkgs, + shb, ... }: let cfg = config.shb.karakeep; - - contracts = pkgs.callPackage ../contracts { }; in { imports = [ + ../../lib/module.nix ../blocks/nginx.nix ]; @@ -31,7 +30,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -106,7 +105,7 @@ in sharedSecret = lib.mkOption { description = "OIDC shared secret for Karakeep."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { owner = "karakeep"; # These services are the ones relying on the environment file containing the secrets. restartUnits = [ @@ -121,7 +120,7 @@ in sharedSecretForAuthelia = lib.mkOption { description = "OIDC shared secret for Authelia. Must be the same as `sharedSecret`"; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; ownerText = "config.shb.authelia.autheliaUser"; owner = config.shb.authelia.autheliaUser; @@ -138,7 +137,7 @@ in ''; default = { }; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "karakeep"; sourceDirectories = [ "/var/lib/karakeep" @@ -150,7 +149,7 @@ in nextauthSecret = lib.mkOption { description = "NextAuth secret."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { owner = "karakeep"; # These services are the ones relying on the environment file containing the secrets. restartUnits = [ @@ -165,7 +164,7 @@ in meilisearchMasterKey = lib.mkOption { description = "Master key used to secure communication with Meilisearch."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { owner = "karakeep"; # These services are the ones relying on the environment file containing the secrets. restartUnits = [ @@ -204,7 +203,7 @@ in # instead of using the value from the cfg.meilisearchMasterKey option. systemd.services.karakeep-init = { script = lib.mkForce ( - (lib.shb.replaceSecrets { + (shb.replaceSecrets { userConfig = { MEILI_MASTER_KEY.source = cfg.meilisearchMasterKey.result.path; NEXTAUTH_SECRET.source = cfg.nextauthSecret.result.path; @@ -213,7 +212,7 @@ in OAUTH_CLIENT_SECRET.source = cfg.sso.sharedSecret.result.path; }; resultPath = "/var/lib/karakeep/settings.env"; - generator = lib.shb.toEnvVar; + generator = shb.toEnvVar; }) + '' export DATA_DIR="$STATE_DIRECTORY" diff --git a/modules/services/nextcloud-server.nix b/modules/services/nextcloud-server.nix index dffb5ff..87e61d9 100644 --- a/modules/services/nextcloud-server.nix +++ b/modules/services/nextcloud-server.nix @@ -2,6 +2,7 @@ config, pkgs, lib, + shb, ... }: @@ -18,8 +19,6 @@ let else "${cfg.apps.sso.endpoint}:${toString cfg.apps.sso.port}"; - contracts = pkgs.callPackage ../contracts { }; - nextcloudPkg = builtins.getAttr ("nextcloud" + builtins.toString cfg.version) pkgs; nextcloudApps = (builtins.getAttr ("nextcloud" + builtins.toString cfg.version + "Packages") pkgs).apps; @@ -27,6 +26,10 @@ let occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ"; in { + imports = [ + ../../lib/module.nix + ]; + options.shb.nextcloud = { enable = lib.mkEnableOption "selfhostblocks.nextcloud-server"; @@ -68,7 +71,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -110,7 +113,7 @@ in adminPass = lib.mkOption { description = "Nextcloud admin password."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "nextcloud"; restartUnits = [ "phpfpm-nextcloud.service" ]; @@ -251,7 +254,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -424,7 +427,7 @@ in adminPassword = lib.mkOption { description = "LDAP server admin password."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "nextcloud"; restartUnits = [ "phpfpm-nextcloud.service" ]; @@ -505,7 +508,7 @@ in secret = lib.mkOption { description = "OIDC shared secret."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "nextcloud"; restartUnits = [ "phpfpm-nextcloud.service" ]; @@ -516,7 +519,7 @@ in secretForAuthelia = lib.mkOption { description = "OIDC shared secret. Content must be the same as `secretFile` option."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "authelia"; }; @@ -625,7 +628,7 @@ in ''; default = { }; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "nextcloud"; sourceDirectories = [ cfg.dataDir diff --git a/modules/services/open-webui.nix b/modules/services/open-webui.nix index 7dc743e..99a17e1 100644 --- a/modules/services/open-webui.nix +++ b/modules/services/open-webui.nix @@ -2,13 +2,12 @@ config, lib, pkgs, + shb, ... }: let cfg = config.shb.open-webui; - contracts = pkgs.callPackage ../contracts { }; - roleClaim = "openwebui_groups"; oauthScopes = [ "openid" @@ -20,6 +19,7 @@ let in { imports = [ + ../../lib/module.nix ../blocks/nginx.nix ]; @@ -40,7 +40,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -124,7 +124,7 @@ in sharedSecret = lib.mkOption { description = "OIDC shared secret for Open-WebUI."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { owner = "open-webui"; restartUnits = [ "open-webui.service" ]; }; @@ -134,7 +134,7 @@ in sharedSecretForAuthelia = lib.mkOption { description = "OIDC shared secret for Authelia. Must be the same as `sharedSecret`"; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; ownerText = "config.shb.authelia.autheliaUser"; owner = config.shb.authelia.autheliaUser; @@ -151,7 +151,7 @@ in ''; default = { }; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "open-webui"; sourceDirectories = [ config.services.open-webui.stateDir @@ -270,12 +270,12 @@ in "d '/run/open-webui' 0750 root root - -" ]; systemd.services.open-webui-pre = { - script = lib.shb.replaceSecrets { + script = shb.replaceSecrets { userConfig = { OAUTH_CLIENT_SECRET.source = cfg.sso.sharedSecret.result.path; }; resultPath = "/run/open-webui/secrets.env"; - generator = lib.shb.toEnvVar; + generator = shb.toEnvVar; }; serviceConfig.Type = "oneshot"; wantedBy = [ "multi-user.target" ]; diff --git a/modules/services/paperless.nix b/modules/services/paperless.nix index bc2d807..8ab3d86 100644 --- a/modules/services/paperless.nix +++ b/modules/services/paperless.nix @@ -2,12 +2,12 @@ config, pkgs, lib, + shb, ... }: let cfg = config.shb.paperless; - contracts = pkgs.callPackage ../contracts { }; dataFolder = cfg.dataDir; fqdn = "${cfg.subdomain}.${cfg.domain}"; protocol = if !(isNull cfg.ssl) then "https" else "http"; @@ -48,7 +48,7 @@ let source = cfg.sso.sharedSecret.result.path; } ]; - replaceSecretsScript = lib.shb.replaceSecretsScript { + replaceSecretsScript = shb.replaceSecretsScript { file = ssoClientSettingsFile; resultPath = "/run/paperless/paperless-sso-client.env"; inherit replacements; @@ -77,6 +77,7 @@ let in { imports = [ + ../../lib/module.nix ../blocks/nginx.nix ]; @@ -117,7 +118,7 @@ in ssl = mkOption { description = "Path to SSL files"; - type = nullOr contracts.ssl.certs; + type = nullOr shb.contracts.ssl.certs; default = null; }; @@ -152,7 +153,7 @@ in adminPassword = mkOption { description = "Secret containing the superuser (admin) password."; type = submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "paperless"; group = "paperless"; @@ -208,7 +209,7 @@ in }; mount = mkOption { - type = contracts.mount; + type = shb.contracts.mount; description = '' Mount configuration. This is an output option. @@ -233,7 +234,7 @@ in ''; default = { }; type = submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "paperless"; sourceDirectories = [ dataFolder @@ -314,7 +315,7 @@ in sharedSecret = mkOption { description = "OIDC shared secret for paperless."; type = submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "paperless"; group = "paperless"; @@ -326,7 +327,7 @@ in sharedSecretForAuthelia = mkOption { description = "OIDC shared secret for Authelia. Content must be the same as `sharedSecret` option."; type = submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "authelia"; }; diff --git a/modules/services/pinchflat.nix b/modules/services/pinchflat.nix index 469ee66..98f5a82 100644 --- a/modules/services/pinchflat.nix +++ b/modules/services/pinchflat.nix @@ -2,17 +2,17 @@ config, lib, pkgs, + shb, ... }: let cfg = config.shb.pinchflat; inherit (lib) types; - - contracts = pkgs.callPackage ../contracts { }; in { imports = [ + ../../lib/module.nix ../blocks/nginx.nix ]; @@ -33,7 +33,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -50,7 +50,7 @@ in Make sure the secret is at least 64 characters long. ''; type = types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { restartUnits = [ "pinchflat.service" ]; }; }; @@ -64,7 +64,7 @@ in timeZone = lib.mkOption { type = lib.types.oneOf [ lib.types.str - lib.shb.secretFileType + shb.secretFileType ]; description = "Timezone of this instance."; example = "America/Los_Angeles"; @@ -123,7 +123,7 @@ in ''; default = { }; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "pinchflat"; sourceDirectories = [ cfg.mediaDir @@ -158,13 +158,13 @@ in }; systemd.services.pinchflat-pre = { - script = lib.shb.replaceSecrets { + script = shb.replaceSecrets { userConfig = { SECRET_KEY_BASE.source = cfg.secretKeyBase.result.path; # TZ = cfg.secretKeyBase.result.path; # Uncomment when PR is merged. }; resultPath = "/run/pinchflat/secrets.env"; - generator = lib.shb.toEnvVar; + generator = shb.toEnvVar; }; serviceConfig.Type = "oneshot"; wantedBy = [ "multi-user.target" ]; diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index b985387..8e09a29 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -1,15 +1,13 @@ { config, - pkgs, lib, + shb, ... }: let cfg = config.shb.vaultwarden; - contracts = pkgs.callPackage ../contracts { }; - fqdn = "${cfg.subdomain}.${cfg.domain}"; dataFolder = @@ -20,6 +18,7 @@ let in { imports = [ + ../../lib/module.nix ../blocks/nginx.nix ]; @@ -40,7 +39,7 @@ in ssl = lib.mkOption { description = "Path to SSL files"; - type = lib.types.nullOr contracts.ssl.certs; + type = lib.types.nullOr shb.contracts.ssl.certs; default = null; }; @@ -60,7 +59,7 @@ in databasePassword = lib.mkOption { description = "File containing the Vaultwarden database password."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0440"; owner = "vaultwarden"; group = "postgres"; @@ -118,7 +117,7 @@ in password = lib.mkOption { description = "File containing the password to connect to the SMTP host."; type = lib.types.submodule { - options = contracts.secret.mkRequester { + options = shb.contracts.secret.mkRequester { mode = "0400"; owner = "vaultwarden"; restartUnits = [ "vaultwarden.service" ]; @@ -131,7 +130,7 @@ in }; mount = lib.mkOption { - type = contracts.mount; + type = shb.contracts.mount; description = '' Mount configuration. This is an output option. @@ -156,7 +155,7 @@ in ''; default = { }; type = lib.types.submodule { - options = contracts.backup.mkRequester { + options = shb.contracts.backup.mkRequester { user = "vaultwarden"; sourceDirectories = [ dataFolder @@ -210,7 +209,7 @@ in ]; # Needed to be able to write template config. systemd.services.vaultwarden.serviceConfig.ProtectHome = lib.mkForce false; - systemd.services.vaultwarden.preStart = lib.shb.replaceSecrets { + systemd.services.vaultwarden.preStart = shb.replaceSecrets { userConfig = { DATABASE_URL.source = cfg.databasePassword.result.path; DATABASE_URL.transform = v: "postgresql://vaultwarden:${v}@127.0.0.1:5432/vaultwarden"; @@ -219,7 +218,7 @@ in SMTP_PASSWORD.source = cfg.smtp.password.result.path; }; resultPath = "${dataFolder}/vaultwarden.env"; - generator = lib.shb.toEnvVar; + generator = shb.toEnvVar; }; shb.nginx.vhosts = [ diff --git a/test/blocks/authelia.nix b/test/blocks/authelia.nix index 181d6ea..9339c50 100644 --- a/test/blocks/authelia.nix +++ b/test/blocks/authelia.nix @@ -1,11 +1,11 @@ -{ pkgs, lib, ... }: +{ pkgs, shb, ... }: let pkgs' = pkgs; ldapAdminPassword = "ldapAdminPassword"; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "authelia-basic"; nodes.machine = diff --git a/test/blocks/borgbackup.nix b/test/blocks/borgbackup.nix index 66cd3c2..bcdb6a3 100644 --- a/test/blocks/borgbackup.nix +++ b/test/blocks/borgbackup.nix @@ -1,15 +1,15 @@ -{ lib, ... }: +{ shb, ... }: let commonTest = user: - lib.shb.runNixOSTest { + shb.test.runNixOSTest { name = "borgbackup_backupAndRestore_${user}"; nodes.machine = { config, ... }: { imports = [ - lib.shb.baseImports + shb.test.baseImports ../../modules/blocks/hardcodedsecret.nix ../../modules/blocks/borgbackup.nix diff --git a/test/blocks/lib.nix b/test/blocks/lib.nix index 7b6ab61..c839f86 100644 --- a/test/blocks/lib.nix +++ b/test/blocks/lib.nix @@ -1,4 +1,9 @@ -{ pkgs, lib, ... }: +{ + pkgs, + lib, + shb, + ... +}: let pkgs' = pkgs; in @@ -22,39 +27,39 @@ in d.d = "not secret D"; }; - configWithTemplates = lib.shb.withReplacements userConfig; + configWithTemplates = shb.withReplacements userConfig; nonSecretConfigFile = pkgs.writeText "config.yaml.template" ( lib.generators.toJSON { } configWithTemplates ); - replacements = lib.shb.getReplacements userConfig; + replacements = shb.getReplacements userConfig; - replaceInTemplate = lib.shb.replaceSecretsScript { + replaceInTemplate = shb.replaceSecretsScript { file = nonSecretConfigFile; resultPath = "/var/lib/config.yaml"; inherit replacements; }; - replaceInTemplateJSON = lib.shb.replaceSecrets { + replaceInTemplateJSON = shb.replaceSecrets { inherit userConfig; resultPath = "/var/lib/config.json"; - generator = lib.shb.replaceSecretsFormatAdapter (pkgs.formats.json { }); + generator = shb.replaceSecretsFormatAdapter (pkgs.formats.json { }); }; - replaceInTemplateJSONGen = lib.shb.replaceSecrets { + replaceInTemplateJSONGen = shb.replaceSecrets { inherit userConfig; resultPath = "/var/lib/config_gen.json"; - generator = lib.shb.replaceSecretsGeneratorAdapter (lib.generators.toJSON { }); + generator = shb.replaceSecretsGeneratorAdapter (lib.generators.toJSON { }); }; - replaceInTemplateXML = lib.shb.replaceSecrets { + replaceInTemplateXML = shb.replaceSecrets { inherit userConfig; resultPath = "/var/lib/config.xml"; - generator = lib.shb.replaceSecretsFormatAdapter (lib.shb.formatXML { enclosingRoot = "Root"; }); + generator = shb.replaceSecretsFormatAdapter (shb.formatXML { enclosingRoot = "Root"; }); }; in - lib.shb.runNixOSTest { + shb.test.runNixOSTest { name = "lib-template"; nodes.machine = { config, pkgs, ... }: diff --git a/test/blocks/lldap.nix b/test/blocks/lldap.nix index 6cc1ab1..a99366a 100644 --- a/test/blocks/lldap.nix +++ b/test/blocks/lldap.nix @@ -1,4 +1,9 @@ -{ pkgs, lib, ... }: +{ + pkgs, + lib, + shb, + ... +}: let pkgs' = pkgs; @@ -6,7 +11,7 @@ let charliePassword = "CharliePassword"; in { - auth = lib.shb.runNixOSTest { + auth = shb.test.runNixOSTest { name = "ldap-auth"; nodes.server = diff --git a/test/blocks/mitmdump.nix b/test/blocks/mitmdump.nix index d1ff0cb..d0cd01a 100644 --- a/test/blocks/mitmdump.nix +++ b/test/blocks/mitmdump.nix @@ -1,4 +1,9 @@ -{ pkgs, lib, ... }: +{ + pkgs, + lib, + shb, + ... +}: let serve = port: text: @@ -45,7 +50,7 @@ let ); in { - default = lib.shb.runNixOSTest { + default = shb.test.runNixOSTest { name = "mitmdump-default"; nodes.machine = diff --git a/test/blocks/monitoring.nix b/test/blocks/monitoring.nix index a9912fd..16025e5 100644 --- a/test/blocks/monitoring.nix +++ b/test/blocks/monitoring.nix @@ -1,9 +1,9 @@ -{ lib, ... }: +{ lib, shb, ... }: let password = "securepw"; oidcSecret = "oidcSecret"; - commonTestScript = lib.shb.accessScript { + commonTestScript = shb.test.accessScript { hasSSL = { node, ... }: !(isNull node.config.shb.monitoring.ssl); waitForServices = { ... }: @@ -21,7 +21,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/blocks/monitoring.nix ]; @@ -71,8 +71,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; test = { subdomain = "g"; @@ -161,7 +161,7 @@ let }; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "monitoring_basic"; nodes.server = { @@ -175,13 +175,13 @@ in testScript = commonTestScript; }; - https = lib.shb.runNixOSTest { + https = shb.test.runNixOSTest { name = "monitoring_https"; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https ]; }; @@ -191,7 +191,7 @@ in testScript = commonTestScript; }; - sso = lib.shb.runNixOSTest { + sso = shb.test.runNixOSTest { name = "monitoring_sso"; nodes.client = { @@ -206,11 +206,11 @@ in { imports = [ basic - lib.shb.certs + shb.test.certs https - lib.shb.ldap + shb.test.ldap ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + (shb.test.sso config.shb.certs.certs.selfsigned.n) sso ]; diff --git a/test/blocks/postgresql.nix b/test/blocks/postgresql.nix index eab060d..6336b2a 100644 --- a/test/blocks/postgresql.nix +++ b/test/blocks/postgresql.nix @@ -1,9 +1,14 @@ -{ pkgs, lib, ... }: +{ + pkgs, + lib, + shb, + ... +}: let pkgs' = pkgs; in { - peerWithoutUser = lib.shb.runNixOSTest { + peerWithoutUser = shb.test.runNixOSTest { name = "postgresql-peerWithoutUser"; nodes.machine = @@ -44,7 +49,7 @@ in ''; }; - peerAuth = lib.shb.runNixOSTest { + peerAuth = shb.test.runNixOSTest { name = "postgresql-peerAuth"; nodes.machine = @@ -98,7 +103,7 @@ in ''; }; - tcpIPWithoutPasswordAuth = lib.shb.runNixOSTest { + tcpIPWithoutPasswordAuth = shb.test.runNixOSTest { name = "postgresql-tcpIpWithoutPasswordAuth"; nodes.machine = @@ -140,7 +145,7 @@ in ''; }; - tcpIPPasswordAuth = lib.shb.runNixOSTest { + tcpIPPasswordAuth = shb.test.runNixOSTest { name = "postgresql-tcpIPPasswordAuth"; nodes.machine = diff --git a/test/blocks/restic.nix b/test/blocks/restic.nix index 2b5ded0..d7826b1 100644 --- a/test/blocks/restic.nix +++ b/test/blocks/restic.nix @@ -1,15 +1,15 @@ -{ lib, ... }: +{ lib, shb, ... }: let commonTest = user: - lib.shb.runNixOSTest { + shb.test.runNixOSTest { name = "restic_backupAndRestore_${user}"; nodes.machine = { config, ... }: { imports = [ - lib.shb.baseImports + shb.test.baseImports ../../modules/blocks/hardcodedsecret.nix ../../modules/blocks/restic.nix diff --git a/test/blocks/ssl.nix b/test/blocks/ssl.nix index 8d4c9cf..6eba96e 100644 --- a/test/blocks/ssl.nix +++ b/test/blocks/ssl.nix @@ -1,9 +1,9 @@ -{ pkgs, lib, ... }: +{ pkgs, shb, ... }: let pkgs' = pkgs; in { - test = lib.shb.runNixOSTest { + test = shb.test.runNixOSTest { name = "ssl-test"; nodes.server = diff --git a/test/contracts/backup.nix b/test/contracts/backup.nix index c70abc3..2cd2404 100644 --- a/test/contracts/backup.nix +++ b/test/contracts/backup.nix @@ -1,9 +1,6 @@ -{ pkgs, ... }: -let - contracts = pkgs.callPackage ../../modules/contracts { }; -in +{ shb, ... }: { - restic_root = contracts.test.backup { + restic_root = shb.contracts.test.backup { name = "restic_root"; username = "root"; providerRoot = [ @@ -38,7 +35,7 @@ in }; }; - restic_nonroot = contracts.test.backup { + restic_nonroot = shb.contracts.test.backup { name = "restic_nonroot"; username = "me"; providerRoot = [ @@ -73,7 +70,7 @@ in }; }; - borgbackup_root = contracts.test.backup { + borgbackup_root = shb.contracts.test.backup { name = "borgbackup_root"; username = "root"; providerRoot = [ @@ -108,7 +105,7 @@ in }; }; - borgbackup_nonroot = contracts.test.backup { + borgbackup_nonroot = shb.contracts.test.backup { name = "borgbackup_nonroot"; username = "me"; providerRoot = [ diff --git a/test/contracts/databasebackup.nix b/test/contracts/databasebackup.nix index 78b12c9..f3d0f75 100644 --- a/test/contracts/databasebackup.nix +++ b/test/contracts/databasebackup.nix @@ -1,9 +1,6 @@ -{ pkgs, ... }: -let - contracts = pkgs.callPackage ../../modules/contracts { }; -in +{ shb, ... }: { - restic_postgres = contracts.test.databasebackup { + restic_postgres = shb.contracts.test.databasebackup { name = "restic_postgres"; requesterRoot = [ "shb" @@ -49,7 +46,7 @@ in }; }; - borgbackup_postgres = contracts.test.databasebackup { + borgbackup_postgres = shb.contracts.test.databasebackup { name = "borgbackup_postgres"; requesterRoot = [ "shb" diff --git a/test/contracts/secret.nix b/test/contracts/secret.nix index d482edd..90ac16f 100644 --- a/test/contracts/secret.nix +++ b/test/contracts/secret.nix @@ -1,9 +1,6 @@ -{ pkgs, ... }: -let - contracts = pkgs.callPackage ../../modules/contracts { }; -in +{ shb, ... }: { - hardcoded_root_root = contracts.test.secret { + hardcoded_root_root = shb.contracts.test.secret { name = "hardcoded"; modules = [ ../../modules/blocks/hardcodedsecret.nix ]; configRoot = [ @@ -15,7 +12,7 @@ in }; }; - hardcoded_user_group = contracts.test.secret { + hardcoded_user_group = shb.contracts.test.secret { name = "hardcoded"; modules = [ ../../modules/blocks/hardcodedsecret.nix ]; configRoot = [ @@ -31,7 +28,7 @@ in }; # TODO: how to do this? - # sops = contracts.test.secret { + # sops = shb.contracts.test.secret { # name = "sops"; # configRoot = cfg: name: cfg.sops.secrets.${name}; # createContent = content: { diff --git a/test/modules/lib.nix b/test/modules/lib.nix index 0627819..589c23e 100644 --- a/test/modules/lib.nix +++ b/test/modules/lib.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ lib, shb, ... }: let inherit (lib) nameValuePair; in @@ -34,7 +34,7 @@ in c.other = "other"; }; in - lib.shb.withReplacements ( + shb.withReplacements ( item // { nestedAttr = item; @@ -70,7 +70,7 @@ in c.other = "other"; }; in - lib.shb.withReplacements [ + shb.withReplacements [ item item [ item ] @@ -101,8 +101,8 @@ in c.other = "other"; }; in - map lib.shb.genReplacement ( - lib.shb.getReplacements ( + map shb.genReplacement ( + shb.getReplacements ( item // { nestedAttr = item; @@ -123,7 +123,7 @@ in }; }; - expr = lib.shb.parseXML '' + expr = shb.parseXML '' 1 1 diff --git a/test/services/arr.nix b/test/services/arr.nix index acd4889..1701862 100644 --- a/test/services/arr.nix +++ b/test/services/arr.nix @@ -1,4 +1,9 @@ -{ pkgs, lib, ... }: +{ + pkgs, + lib, + shb, + ... +}: let healthUrl = "/health"; loginUrl = "/UI/Login"; @@ -6,7 +11,7 @@ let # TODO: Test login commonTestScript = appname: cfgPathFn: - lib.shb.mkScripts { + shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.arr.${appname}.ssl); waitForServices = { ... }: @@ -60,7 +65,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/services/arr.nix ]; @@ -81,8 +86,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; test = { @@ -106,7 +111,7 @@ let basicTest = appname: cfgPathFn: - lib.shb.runNixOSTest { + shb.test.runNixOSTest { name = "arr_${appname}_basic"; nodes.client = { @@ -125,7 +130,7 @@ let backupTest = appname: cfgPathFn: - lib.shb.runNixOSTest { + shb.test.runNixOSTest { name = "arr_${appname}_backup"; nodes.server = @@ -133,7 +138,7 @@ let { imports = [ (basic appname) - (lib.shb.backup config.shb.arr.${appname}.backup) + (shb.test.backup config.shb.arr.${appname}.backup) ]; }; @@ -153,7 +158,7 @@ let httpsTest = appname: cfgPathFn: - lib.shb.runNixOSTest { + shb.test.runNixOSTest { name = "arr_${appname}_https"; nodes.server = @@ -161,7 +166,7 @@ let { imports = [ (basic appname) - lib.shb.certs + shb.test.certs (https appname) ]; }; @@ -182,7 +187,7 @@ let ssoTest = appname: cfgPathFn: - lib.shb.runNixOSTest { + shb.test.runNixOSTest { name = "arr_${appname}_sso"; nodes.server = @@ -190,10 +195,10 @@ let { imports = [ (basic appname) - lib.shb.certs + shb.test.certs (https appname) - lib.shb.ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + shb.test.ldap + (shb.test.sso config.shb.certs.certs.selfsigned.n) (sso appname) ]; }; diff --git a/test/services/audiobookshelf.nix b/test/services/audiobookshelf.nix index 0edb4ec..6546fe4 100644 --- a/test/services/audiobookshelf.nix +++ b/test/services/audiobookshelf.nix @@ -1,6 +1,6 @@ -{ lib, ... }: +{ shb, ... }: let - commonTestScript = lib.shb.accessScript { + commonTestScript = shb.test.accessScript { hasSSL = { node, ... }: !(isNull node.config.shb.audiobookshelf.ssl); waitForServices = { ... }: @@ -22,7 +22,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/services/audiobookshelf.nix ]; @@ -39,8 +39,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; virtualisation.memorySize = 4096; @@ -104,7 +104,7 @@ let }; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "audiobookshelf-basic"; nodes.client = { @@ -122,13 +122,13 @@ in testScript = commonTestScript; }; - https = lib.shb.runNixOSTest { + https = shb.test.runNixOSTest { name = "audiobookshelf-https"; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https ]; }; @@ -138,7 +138,7 @@ in testScript = commonTestScript; }; - sso = lib.shb.runNixOSTest { + sso = shb.test.runNixOSTest { name = "audiobookshelf-sso"; nodes.server = @@ -146,10 +146,10 @@ in { imports = [ basic - lib.shb.certs + shb.test.certs https - lib.shb.ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + shb.test.ldap + (shb.test.sso config.shb.certs.certs.selfsigned.n) sso ]; }; diff --git a/test/services/deluge.nix b/test/services/deluge.nix index 19969b2..c42d9d2 100644 --- a/test/services/deluge.nix +++ b/test/services/deluge.nix @@ -1,6 +1,11 @@ -{ pkgs, lib, ... }: +{ + pkgs, + lib, + shb, + ... +}: let - commonTestScript = lib.shb.mkScripts { + commonTestScript = shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.deluge.ssl); waitForServices = { ... }: @@ -76,7 +81,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/blocks/hardcodedsecret.nix ../../modules/services/deluge.nix ]; @@ -109,8 +114,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; test = { subdomain = "d"; @@ -167,7 +172,7 @@ let }; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "deluge_basic"; nodes.client = { @@ -184,7 +189,7 @@ in testScript = commonTestScript.access; }; - backup = lib.shb.runNixOSTest { + backup = shb.test.runNixOSTest { name = "deluge_backup"; nodes.server = @@ -192,7 +197,7 @@ in { imports = [ basic - (lib.shb.backup config.shb.deluge.backup) + (shb.test.backup config.shb.deluge.backup) ]; }; @@ -201,13 +206,13 @@ in testScript = commonTestScript.backup; }; - https = lib.shb.runNixOSTest { + https = shb.test.runNixOSTest { name = "deluge_https"; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https ]; }; @@ -217,7 +222,7 @@ in testScript = commonTestScript.access; }; - sso = lib.shb.runNixOSTest { + sso = shb.test.runNixOSTest { name = "deluge_sso"; nodes.server = @@ -225,10 +230,10 @@ in { imports = [ basic - lib.shb.certs + shb.test.certs https - lib.shb.ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + shb.test.ldap + (shb.test.sso config.shb.certs.certs.selfsigned.n) sso ]; }; @@ -240,13 +245,13 @@ in }; }; - prometheus = lib.shb.runNixOSTest { + prometheus = shb.test.runNixOSTest { name = "deluge_https"; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https prometheus ]; diff --git a/test/services/forgejo.nix b/test/services/forgejo.nix index cbfa676..bf68b17 100644 --- a/test/services/forgejo.nix +++ b/test/services/forgejo.nix @@ -1,8 +1,8 @@ -{ lib, ... }: +{ shb, ... }: let adminPassword = "AdminPassword"; - commonTestScript = lib.shb.mkScripts { + commonTestScript = shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.forgejo.ssl); waitForServices = { ... }: @@ -27,7 +27,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/blocks/hardcodedsecret.nix ../../modules/services/forgejo.nix ]; @@ -79,8 +79,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; test = { subdomain = "f"; @@ -182,7 +182,7 @@ let }; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "forgejo_basic"; nodes.client = { @@ -199,7 +199,7 @@ in testScript = commonTestScript.access; }; - backup = lib.shb.runNixOSTest { + backup = shb.test.runNixOSTest { name = "forgejo_backup"; nodes.server = @@ -207,7 +207,7 @@ in { imports = [ basic - (lib.shb.backup config.shb.forgejo.backup) + (shb.test.backup config.shb.forgejo.backup) ]; }; @@ -216,13 +216,13 @@ in testScript = commonTestScript.backup; }; - https = lib.shb.runNixOSTest { + https = shb.test.runNixOSTest { name = "forgejo_https"; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https ]; }; @@ -232,13 +232,13 @@ in testScript = commonTestScript.access; }; - ldap = lib.shb.runNixOSTest { + ldap = shb.test.runNixOSTest { name = "forgejo_ldap"; nodes.server = { imports = [ basic - lib.shb.ldap + shb.test.ldap ldap ]; }; @@ -249,8 +249,8 @@ in { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; test = { @@ -319,7 +319,7 @@ in testScript = commonTestScript.access; }; - sso = lib.shb.runNixOSTest { + sso = shb.test.runNixOSTest { name = "forgejo_sso"; nodes.server = @@ -327,10 +327,10 @@ in { imports = [ basic - lib.shb.certs + shb.test.certs https - lib.shb.ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + shb.test.ldap + (shb.test.sso config.shb.certs.certs.selfsigned.n) sso ]; }; diff --git a/test/services/grocy.nix b/test/services/grocy.nix index f3e417b..88a55dc 100644 --- a/test/services/grocy.nix +++ b/test/services/grocy.nix @@ -1,6 +1,6 @@ -{ pkgs, lib, ... }: +{ shb, ... }: let - commonTestScript = lib.shb.mkScripts { + commonTestScript = shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.grocy.ssl); waitForServices = { ... }: @@ -19,7 +19,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/services/grocy.nix ]; @@ -37,8 +37,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; virtualisation.memorySize = 4096; @@ -81,7 +81,7 @@ let }; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "grocy_basic"; nodes.client = { @@ -98,13 +98,13 @@ in testScript = commonTestScript.access; }; - https = lib.shb.runNixOSTest { + https = shb.test.runNixOSTest { name = "grocy_https"; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https ]; }; diff --git a/test/services/hledger.nix b/test/services/hledger.nix index 5dc5639..d57bc93 100644 --- a/test/services/hledger.nix +++ b/test/services/hledger.nix @@ -1,6 +1,6 @@ -{ lib, ... }: +{ shb, ... }: let - commonTestScript = lib.shb.mkScripts { + commonTestScript = shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.hledger.ssl); waitForServices = { ... }: @@ -14,7 +14,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/services/hledger.nix ]; @@ -32,8 +32,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; test = { @@ -69,7 +69,7 @@ let }; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "hledger_basic"; nodes.client = { @@ -87,7 +87,7 @@ in testScript = commonTestScript.access; }; - backup = lib.shb.runNixOSTest { + backup = shb.test.runNixOSTest { name = "hledger_backup"; nodes.server = @@ -95,7 +95,7 @@ in { imports = [ basic - (lib.shb.backup config.shb.hledger.backup) + (shb.test.backup config.shb.hledger.backup) ]; }; @@ -104,13 +104,13 @@ in testScript = commonTestScript.backup; }; - https = lib.shb.runNixOSTest { + https = shb.test.runNixOSTest { name = "hledger_https"; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https ]; }; @@ -120,7 +120,7 @@ in testScript = commonTestScript.access; }; - sso = lib.shb.runNixOSTest { + sso = shb.test.runNixOSTest { name = "hledger_sso"; nodes.server = @@ -128,10 +128,10 @@ in { imports = [ basic - lib.shb.certs + shb.test.certs https - lib.shb.ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + shb.test.ldap + (shb.test.sso config.shb.certs.certs.selfsigned.n) sso ]; }; diff --git a/test/services/home-assistant.nix b/test/services/home-assistant.nix index 030ff8a..f80f7fc 100644 --- a/test/services/home-assistant.nix +++ b/test/services/home-assistant.nix @@ -1,6 +1,6 @@ -{ pkgs, lib, ... }: +{ pkgs, shb, ... }: let - commonTestScript = lib.shb.mkScripts { + commonTestScript = shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.home-assistant.ssl); waitForServices = { ... }: @@ -19,7 +19,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/services/home-assistant.nix ]; @@ -46,8 +46,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; virtualisation.memorySize = 4096; @@ -165,7 +165,7 @@ let }; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "homeassistant_basic"; nodes.client = { @@ -182,7 +182,7 @@ in testScript = commonTestScript.access; }; - backup = lib.shb.runNixOSTest { + backup = shb.test.runNixOSTest { name = "homeassistant_backup"; nodes.server = @@ -190,7 +190,7 @@ in { imports = [ basic - (lib.shb.backup config.shb.home-assistant.backup) + (shb.test.backup config.shb.home-assistant.backup) ]; }; @@ -199,13 +199,13 @@ in testScript = commonTestScript.backup; }; - https = lib.shb.runNixOSTest { + https = shb.test.runNixOSTest { name = "homeassistant_https"; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https ]; }; @@ -215,13 +215,13 @@ in testScript = commonTestScript.access; }; - ldap = lib.shb.runNixOSTest { + ldap = shb.test.runNixOSTest { name = "homeassistant_ldap"; nodes.server = { imports = [ basic - lib.shb.ldap + shb.test.ldap ldap ]; }; @@ -233,16 +233,16 @@ in # Not yet supported # - # sso = lib.shb.runNixOSTest { + # sso = shb.test.runNixOSTest { # name = "vaultwarden_sso"; # # nodes.server = lib.mkMerge [ # basic - # (lib.shb.certs domain) + # (shb.certs domain) # https # ldap - # (lib.shb.ldap domain pkgs') - # (lib.shb.sso domain pkgs' config.shb.certs.certs.selfsigned.n) + # (shb.ldap domain pkgs') + # (shb.test.sso domain pkgs' config.shb.certs.certs.selfsigned.n) # sso # ]; # @@ -251,7 +251,7 @@ in # testScript = commonTestScript.access; # }; - voice = lib.shb.runNixOSTest { + voice = shb.test.runNixOSTest { name = "homeassistant_voice"; nodes.server = { diff --git a/test/services/immich.nix b/test/services/immich.nix index 15df185..5ca967e 100644 --- a/test/services/immich.nix +++ b/test/services/immich.nix @@ -1,9 +1,13 @@ -{ pkgs, lib }: +{ + pkgs, + lib, + shb, +}: let subdomain = "i"; domain = "example.com"; - commonTestScript = lib.shb.accessScript { + commonTestScript = shb.test.accessScript { hasSSL = { node, ... }: !(isNull node.config.shb.immich.ssl); waitForServices = { ... }: @@ -25,7 +29,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/services/immich.nix ]; @@ -60,7 +64,7 @@ let { imports = [ base - lib.shb.certs + shb.test.certs ]; test.hasSSL = true; @@ -72,7 +76,7 @@ let { imports = [ https - (lib.shb.backup config.shb.immich.backup) + (shb.test.backup config.shb.immich.backup) ]; }; @@ -81,8 +85,8 @@ let { imports = [ https - lib.shb.ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + shb.test.ldap + (shb.test.sso config.shb.certs.certs.selfsigned.n) ]; shb.immich.sso = { @@ -157,7 +161,7 @@ in nodes.client = { }; testScript = - (lib.shb.mkScripts { + (shb.test.mkScripts { hasSSL = args: !(isNull args.node.config.shb.immich.ssl); waitForServices = args: [ "immich-server.service" diff --git a/test/services/jellyfin.nix b/test/services/jellyfin.nix index 954cec0..c090d97 100644 --- a/test/services/jellyfin.nix +++ b/test/services/jellyfin.nix @@ -1,8 +1,8 @@ -{ pkgs, lib, ... }: +{ pkgs, shb, ... }: let port = 9096; - commonTestScript = lib.shb.mkScripts { + commonTestScript = shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.jellyfin.ssl); waitForServices = { ... }: @@ -47,7 +47,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/services/jellyfin.nix ]; test = { @@ -79,7 +79,7 @@ let { config, ... }: { imports = [ - lib.shb.clientLoginModule + shb.test.clientLoginModule ]; virtualisation.memorySize = 4096; @@ -171,7 +171,7 @@ let jellyfinTest = name: { nodes, testScript }: - lib.shb.runNixOSTest { + shb.test.runNixOSTest { name = "jellyfin_${name}"; interactive.nodes.server = { @@ -206,7 +206,7 @@ in { imports = [ basic - (lib.shb.backup config.shb.jellyfin.backup) + (shb.test.backup config.shb.jellyfin.backup) ]; }; @@ -219,7 +219,7 @@ in nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https ]; }; @@ -228,7 +228,7 @@ in { config, lib, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule clientLogin ]; }; @@ -240,7 +240,7 @@ in nodes.server = { imports = [ basic - lib.shb.ldap + shb.test.ldap ldap ]; }; @@ -256,10 +256,10 @@ in { imports = [ basic - lib.shb.certs + shb.test.certs https - lib.shb.ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + shb.test.ldap + (shb.test.sso config.shb.certs.certs.selfsigned.n) sso ]; }; diff --git a/test/services/karakeep.nix b/test/services/karakeep.nix index bbba9d7..eba9131 100644 --- a/test/services/karakeep.nix +++ b/test/services/karakeep.nix @@ -1,9 +1,9 @@ -{ lib, ... }: +{ lib, shb, ... }: let nextauthSecret = "nextauthSecret"; oidcSecret = "oidcSecret"; - commonTestScript = lib.shb.mkScripts { + commonTestScript = shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.karakeep.ssl); waitForServices = { ... }: @@ -25,7 +25,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/services/karakeep.nix ]; @@ -77,8 +77,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; test = { subdomain = "k"; @@ -171,7 +171,7 @@ let }; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "karakeep_basic"; nodes.client = { }; @@ -184,7 +184,7 @@ in testScript = commonTestScript.access; }; - backup = lib.shb.runNixOSTest { + backup = shb.test.runNixOSTest { name = "karakeep_backup"; nodes.server = @@ -192,7 +192,7 @@ in { imports = [ basic - (lib.shb.backup config.shb.karakeep.backup) + (shb.test.backup config.shb.karakeep.backup) ]; }; @@ -201,14 +201,14 @@ in testScript = commonTestScript.backup; }; - https = lib.shb.runNixOSTest { + https = shb.test.runNixOSTest { name = "karakeep_https"; nodes.client = { }; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https ]; }; @@ -216,7 +216,7 @@ in testScript = commonTestScript.access; }; - sso = lib.shb.runNixOSTest { + sso = shb.test.runNixOSTest { name = "karakeep_sso"; nodes.client = { @@ -231,11 +231,11 @@ in { imports = [ basic - lib.shb.certs + shb.test.certs https - lib.shb.ldap + shb.test.ldap ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + (shb.test.sso config.shb.certs.certs.selfsigned.n) sso ]; diff --git a/test/services/nextcloud.nix b/test/services/nextcloud.nix index 5343880..daaf1f2 100644 --- a/test/services/nextcloud.nix +++ b/test/services/nextcloud.nix @@ -1,10 +1,10 @@ -{ lib, ... }: +{ lib, shb, ... }: let adminUser = "root"; adminPass = "rootpw"; oidcSecret = "oidcSecret"; - commonTestScript = lib.shb.mkScripts { + commonTestScript = shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.nextcloud.ssl); waitForServices = { ... }: @@ -102,7 +102,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/services/nextcloud-server.nix ]; @@ -136,8 +136,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; virtualisation.memorySize = 4096; @@ -176,8 +176,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; virtualisation.memorySize = 4096; @@ -231,8 +231,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; virtualisation.memorySize = 4096; @@ -444,7 +444,7 @@ let ''; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "nextcloud_basic"; nodes.client = { @@ -461,7 +461,7 @@ in testScript = commonTestScript.access; }; - cron = lib.shb.runNixOSTest { + cron = shb.test.runNixOSTest { name = "nextcloud_cron"; nodes.server = { @@ -504,7 +504,7 @@ in }; }; - backup = lib.shb.runNixOSTest { + backup = shb.test.runNixOSTest { name = "nextcloud_backup"; nodes.server = @@ -512,7 +512,7 @@ in { imports = [ basic - (lib.shb.backup config.shb.nextcloud.backup) + (shb.test.backup config.shb.nextcloud.backup) ]; }; @@ -521,13 +521,13 @@ in testScript = commonTestScript.backup; }; - https = lib.shb.runNixOSTest { + https = shb.test.runNixOSTest { name = "nextcloud_https"; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https ]; }; @@ -538,13 +538,13 @@ in testScript = commonTestScript.access; }; - previewGenerator = lib.shb.runNixOSTest { + previewGenerator = shb.test.runNixOSTest { name = "nextcloud_previewGenerator"; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https previewgenerator ]; @@ -555,13 +555,13 @@ in testScript = commonTestScript.access; }; - externalStorage = lib.shb.runNixOSTest { + externalStorage = shb.test.runNixOSTest { name = "nextcloud_externalStorage"; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https externalstorage ]; @@ -575,13 +575,13 @@ in # TODO: fix memories app # See https://github.com/ibizaman/selfhostblocks/issues/476 - # memories = lib.shb.runNixOSTest { + # memories = shb.test.runNixOSTest { # name = "nextcloud_memories"; # nodes.server = { # imports = [ # basic - # lib.shb.certs + # shb.test.certs # https # memories # ]; @@ -592,13 +592,13 @@ in # testScript = commonTestScript.access; # }; - recognize = lib.shb.runNixOSTest { + recognize = shb.test.runNixOSTest { name = "nextcloud_recognize"; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https recognize ]; @@ -609,7 +609,7 @@ in testScript = commonTestScript.access; }; - ldap = lib.shb.runNixOSTest { + ldap = shb.test.runNixOSTest { name = "nextcloud_ldap"; nodes.server = @@ -617,9 +617,9 @@ in { imports = [ basic - lib.shb.certs + shb.test.certs https - lib.shb.ldap + shb.test.ldap ldap ]; }; @@ -633,7 +633,7 @@ in testScript = commonTestScript.access; }; - sso = lib.shb.runNixOSTest { + sso = shb.test.runNixOSTest { name = "nextcloud_sso"; nodes.server = @@ -641,10 +641,10 @@ in { imports = [ basic - lib.shb.certs + shb.test.certs https - lib.shb.ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + shb.test.ldap + (shb.test.sso config.shb.certs.certs.selfsigned.n) sso ( { config, ... }: @@ -674,7 +674,7 @@ in testScript = commonTestScript.access; }; - prometheus = lib.shb.runNixOSTest { + prometheus = shb.test.runNixOSTest { name = "nextcloud_prometheus"; nodes.server = diff --git a/test/services/open-webui.nix b/test/services/open-webui.nix index f40dd4e..3d9763b 100644 --- a/test/services/open-webui.nix +++ b/test/services/open-webui.nix @@ -1,8 +1,8 @@ -{ lib, ... }: +{ shb, ... }: let oidcSecret = "oidcSecret"; - commonTestScript = lib.shb.mkScripts { + commonTestScript = shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.open-webui.ssl); waitForServices = { ... }: @@ -21,7 +21,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/blocks/hardcodedsecret.nix ../../modules/services/open-webui.nix ]; @@ -68,8 +68,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; virtualisation.memorySize = 4096; test = { @@ -163,7 +163,7 @@ let }; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "open-webui_basic"; nodes.client = { }; @@ -176,7 +176,7 @@ in testScript = commonTestScript.access; }; - backup = lib.shb.runNixOSTest { + backup = shb.test.runNixOSTest { name = "open-webui_backup"; nodes.server = @@ -184,7 +184,7 @@ in { imports = [ basic - (lib.shb.backup config.shb.open-webui.backup) + (shb.test.backup config.shb.open-webui.backup) ]; }; @@ -193,14 +193,14 @@ in testScript = commonTestScript.backup; }; - https = lib.shb.runNixOSTest { + https = shb.test.runNixOSTest { name = "open-webui_https"; nodes.client = { }; nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https ]; }; @@ -208,7 +208,7 @@ in testScript = commonTestScript.access; }; - sso = lib.shb.runNixOSTest { + sso = shb.test.runNixOSTest { name = "open-webui_sso"; nodes.client = { @@ -221,11 +221,11 @@ in { imports = [ basic - lib.shb.certs + shb.test.certs https - lib.shb.ldap + shb.test.ldap ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + (shb.test.sso config.shb.certs.certs.selfsigned.n) sso ]; }; diff --git a/test/services/paperless.nix b/test/services/paperless.nix index 1c9f622..b0096ca 100644 --- a/test/services/paperless.nix +++ b/test/services/paperless.nix @@ -1,9 +1,13 @@ -{ pkgs, lib }: +{ + pkgs, + lib, + shb, +}: let subdomain = "p"; domain = "example.com"; - commonTestScript = lib.shb.accessScript { + commonTestScript = shb.test.accessScript { hasSSL = { node, ... }: !(isNull node.config.shb.paperless.ssl); waitForServices = { ... }: @@ -24,7 +28,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/services/paperless.nix ]; @@ -57,7 +61,7 @@ let { imports = [ base - lib.shb.certs + shb.test.certs ]; test.hasSSL = true; @@ -69,7 +73,7 @@ let { imports = [ https - (lib.shb.backup config.shb.paperless.backup) + (shb.test.backup config.shb.paperless.backup) ]; }; @@ -78,8 +82,8 @@ let { imports = [ https - lib.shb.ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + shb.test.ldap + (shb.test.sso config.shb.certs.certs.selfsigned.n) ]; shb.paperless.sso = { @@ -163,7 +167,7 @@ in nodes.client = { }; testScript = - (lib.shb.mkScripts { + (shb.test.mkScripts { hasSSL = args: !(isNull args.node.config.shb.paperless.ssl); waitForServices = args: [ "paperless-web.service" diff --git a/test/services/pinchflat.nix b/test/services/pinchflat.nix index 2aeb9c0..18475e7 100644 --- a/test/services/pinchflat.nix +++ b/test/services/pinchflat.nix @@ -1,6 +1,6 @@ -{ pkgs, lib, ... }: +{ pkgs, shb, ... }: let - commonTestScript = lib.shb.mkScripts { + commonTestScript = shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.pinchflat.ssl); waitForServices = { ... }: @@ -19,7 +19,7 @@ let { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/blocks/hardcodedsecret.nix ../../modules/services/pinchflat.nix ]; @@ -55,8 +55,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; test = { subdomain = "p"; @@ -101,8 +101,8 @@ let { config, ... }: { imports = [ - lib.shb.baseModule - lib.shb.clientLoginModule + shb.test.baseModule + shb.test.clientLoginModule ]; test = { subdomain = "p"; @@ -176,7 +176,7 @@ let }; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "pinchflat_basic"; nodes.client = { @@ -193,7 +193,7 @@ in testScript = commonTestScript.access; }; - backup = lib.shb.runNixOSTest { + backup = shb.test.runNixOSTest { name = "pinchflat_backup"; nodes.server = @@ -201,7 +201,7 @@ in { imports = [ basic - (lib.shb.backup config.shb.pinchflat.backup) + (shb.test.backup config.shb.pinchflat.backup) ]; }; @@ -210,7 +210,7 @@ in testScript = commonTestScript.backup; }; - https = lib.shb.runNixOSTest { + https = shb.test.runNixOSTest { name = "pinchflat_https"; nodes.client = { @@ -221,7 +221,7 @@ in nodes.server = { imports = [ basic - lib.shb.certs + shb.test.certs https ]; }; @@ -229,7 +229,7 @@ in testScript = commonTestScript.access; }; - sso = lib.shb.runNixOSTest { + sso = shb.test.runNixOSTest { name = "pinchflat_sso"; nodes.client = { @@ -242,11 +242,11 @@ in { imports = [ basic - lib.shb.certs + shb.test.certs https - lib.shb.ldap + shb.test.ldap ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + (shb.test.sso config.shb.certs.certs.selfsigned.n) sso ]; }; diff --git a/test/services/vaultwarden.nix b/test/services/vaultwarden.nix index 4dc37a2..e05cc2e 100644 --- a/test/services/vaultwarden.nix +++ b/test/services/vaultwarden.nix @@ -1,6 +1,6 @@ -{ lib, ... }: +{ shb, ... }: let - commonTestScript = lib.shb.mkScripts { + commonTestScript = shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.vaultwarden.ssl); waitForServices = { ... }: @@ -97,12 +97,12 @@ let }; in { - basic = lib.shb.runNixOSTest { + basic = shb.test.runNixOSTest { name = "vaultwarden_basic"; nodes.server = { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/blocks/hardcodedsecret.nix ../../modules/services/vaultwarden.nix basic @@ -114,15 +114,15 @@ in testScript = commonTestScript.access; }; - https = lib.shb.runNixOSTest { + https = shb.test.runNixOSTest { name = "vaultwarden_https"; nodes.server = { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/blocks/hardcodedsecret.nix ../../modules/services/vaultwarden.nix - lib.shb.certs + shb.test.certs basic https ]; @@ -135,11 +135,11 @@ in # Not yet supported # - # ldap = lib.shb.runNixOSTest { + # ldap = shb.test.runNixOSTest { # name = "vaultwarden_ldap"; # # nodes.server = lib.mkMerge [ - # lib.shb.baseModule + # shb.test.baseModule # ../../modules/blocks/hardcodedsecret.nix # ../../modules/services/vaultwarden.nix # basic @@ -151,21 +151,21 @@ in # testScript = commonTestScript.access; # }; - sso = lib.shb.runNixOSTest { + sso = shb.test.runNixOSTest { name = "vaultwarden_sso"; nodes.server = { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/blocks/hardcodedsecret.nix ../../modules/services/vaultwarden.nix - lib.shb.certs + shb.test.certs basic https - lib.shb.ldap - (lib.shb.sso config.shb.certs.certs.selfsigned.n) + shb.test.ldap + (shb.test.sso config.shb.certs.certs.selfsigned.n) sso ]; }; @@ -196,18 +196,18 @@ in }; }; - backup = lib.shb.runNixOSTest { + backup = shb.test.runNixOSTest { name = "vaultwarden_backup"; nodes.server = { config, ... }: { imports = [ - lib.shb.baseModule + shb.test.baseModule ../../modules/blocks/hardcodedsecret.nix ../../modules/services/vaultwarden.nix basic - (lib.shb.backup config.shb.vaultwarden.backup) + (shb.test.backup config.shb.vaultwarden.backup) ]; };