mod: use explicit shb argument to pass lib

This commit is contained in:
ibizaman 2025-11-23 01:16:37 +01:00 committed by Pierre Penninckx
parent fa4c636dbc
commit c10cab627f
76 changed files with 833 additions and 682 deletions

View file

@ -27,6 +27,7 @@ Template:
- Allow to upload big files in Immich.
- Only enable php-fpm Prometheus exporter if Nextcloud is enabled.
- Fix pkgs overrides not being passed to users of SelfHostBlocks.
## Other Changes

View file

@ -15,11 +15,13 @@
let
system = "x86_64-linux";
nixpkgs' = selfhostblocks.lib.${system}.patchedNixpkgs;
inherit (selfhostblocks.lib.${system}) pkgs;
basic =
{ config, ... }:
{
nixpkgs.overlays = [
selfhostblocks.overlays.${system}.default
];
imports = [
./configuration.nix
selfhostblocks.nixosModules.authelia
@ -105,7 +107,7 @@
in
{
nixosConfigurations = {
basic = pkgs.nixosSystem {
basic = nixpkgs'.nixosSystem {
system = "x86_64-linux";
modules = [
basic
@ -113,7 +115,7 @@
];
};
ldap = pkgs.nixosSystem {
ldap = nixpkgs'.nixosSystem {
system = "x86_64-linux";
modules = [
basic

View file

@ -19,7 +19,7 @@
nixosConfigurations =
let
system = "x86_64-linux";
shb = selfhostblocks.lib.${system};
nixpkgs' = selfhostblocks.lib.${system}.patchedNixpkgs;
# This module makes the assertions happy and the build succeed.
# This is of course wrong and will not work on any real system.
@ -31,19 +31,29 @@
{
# Test with:
# nix build .#nixosConfigurations.minimal.config.system.build.toplevel
minimal = shb.pkgs.nixosSystem {
minimal = nixpkgs'.nixosSystem {
inherit system;
modules = [
selfhostblocks.nixosModules.default
filesystemModule
{
nixpkgs.overlays = [
selfhostblocks.overlays.${system}.default
];
}
# This modules showcases the use of SHB's lib.
(
{ config, lib, ... }:
{
config,
lib,
shb,
...
}:
{
options.myOption = lib.mkOption {
# Using provided nixosSystem directly
# SHB's lib is available under `lib.shb`.
type = lib.shb.secretFileType;
# Using provided nixosSystem directly.
# SHB's lib is available under `shb` thanks to the overlay.
type = shb.secretFileType;
};
config = {
myOption.source = "/a/path";
@ -58,21 +68,31 @@
# Test with:
# nix build .#nixosConfigurations.sops.config.system.build.toplevel
# nix eval .#nixosConfigurations.sops.config.myOption
sops = shb.pkgs.nixosSystem {
sops = nixpkgs'.nixosSystem {
inherit system;
modules = [
selfhostblocks.nixosModules.default
selfhostblocks.nixosModules.sops
sops-nix.nixosModules.default
filesystemModule
{
nixpkgs.overlays = [
selfhostblocks.overlays.${system}.default
];
}
# This modules showcases the use of SHB's lib.
(
{ config, lib, ... }:
{
config,
lib,
shb,
...
}:
{
options.myOption = lib.mkOption {
# Using provided nixosSystem directly
# SHB's lib is available under `lib.shb`.
type = lib.shb.secretFileType;
# Using provided nixosSystem directly.
# SHB's lib is available under `shb` thanks to the overlay.
type = shb.secretFileType;
};
config = {
myOption.source = "/a/path";
@ -84,8 +104,7 @@
];
};
# Note: this is just to show-off a common pitfall for more advanced user.
# Prefer using the `shb.pkgs.nixosSystem` function directly.
# This example shows how to import the nixosSystem patches to nixpkgs manually.
#
# Test with:
# nix build .#nixosConfigurations.lowlevel.config.system.build.toplevel
@ -94,21 +113,83 @@
let
# We must import nixosSystem directly from the patched nixpkgs
# otherwise we do not get the patches.
nixosSystem' = import "${shb.patchedNixpkgs}/nixos/lib/eval-config.nix";
nixosSystem' = import "${nixpkgs'}/nixos/lib/eval-config.nix";
in
nixosSystem' {
inherit system;
modules = [
selfhostblocks.nixosModules.default
filesystemModule
{
nixpkgs.overlays = [
selfhostblocks.overlays.${system}.default
];
}
# This modules showcases the use of SHB's lib.
(
{ config, lib, ... }:
{
config,
lib,
shb,
...
}:
{
options.myOption = lib.mkOption {
# lib.shb.secretFileType is not available here,
# so we must pass around the shb flake input.
# type = shb.secretFileType;
# Using provided nixosSystem directly.
# SHB's lib is available under `shb` thanks to the overlay.
type = shb.secretFileType;
};
config = {
myOption.source = "/a/path";
# Use the option.
environment.etc.myOption.text = config.myOption.source;
};
}
)
];
};
# This example shows how to apply patches to nixpkgs manually.
#
# Test with:
# nix build .#nixosConfigurations.manual.config.system.build.toplevel
# nix eval .#nixosConfigurations.manual.config.myOption
manual =
let
pkgs = import selfhostblocks.inputs.nixpkgs {
inherit system;
};
nixpkgs' = pkgs.applyPatches {
name = "nixpkgs-patched";
src = selfhostblocks.inputs.nixpkgs;
patches = selfhostblocks.lib.${system}.patches;
};
# We must import nixosSystem directly from the patched nixpkgs
# otherwise we do not get the patches.
nixosSystem' = import "${nixpkgs'}/nixos/lib/eval-config.nix";
in
nixosSystem' {
inherit system;
modules = [
selfhostblocks.nixosModules.default
filesystemModule
{
nixpkgs.overlays = [
selfhostblocks.overlays.${system}.default
];
}
# This modules showcases the use of SHB's lib.
(
{
config,
lib,
shb,
...
}:
{
options.myOption = lib.mkOption {
# Using provided nixosSystem directly.
# SHB's lib is available under `shb` thanks to the overlay.
type = shb.secretFileType;
};
config = {

View file

@ -15,7 +15,6 @@
let
system = "x86_64-linux";
nixpkgs' = selfhostblocks.lib.${system}.patchedNixpkgs;
inherit (selfhostblocks.lib.${system}) pkgs;
basic =
{ config, ... }:
@ -178,14 +177,14 @@
in
{
nixosConfigurations = {
basic = pkgs.nixosSystem {
basic = nixpkgs'.nixosSystem {
system = "x86_64-linux";
modules = [
sopsConfig
basic
];
};
ldap = pkgs.nixosSystem {
ldap = nixpkgs'.nixosSystem {
system = "x86_64-linux";
modules = [
sopsConfig
@ -193,7 +192,7 @@
ldap
];
};
sso = pkgs.nixosSystem {
sso = nixpkgs'.nixosSystem {
system = "x86_64-linux";
modules = [
sopsConfig

View file

@ -445,7 +445,7 @@ A simplified test for a secret contract would look like the following.
First, there is the generic test:
```nix
{ pkgs, lib, ... }:
{ pkgs, lib, shb, ... }:
let
inherit (lib) getAttrFromPath setAttrByPath;
in
@ -455,7 +455,7 @@ in
modules ? [],
owner ? "root",
content ? "secretPasswordA",
}: lib.shb.runNixOSTest {
}: shb.test.runNixOSTest {
inherit name;
nodes.machine = { config, ... }: {

View file

@ -4385,9 +4385,6 @@
"usage-flake-tag": [
"usage.html#usage-flake-tag"
],
"usage-lib": [
"usage.html#usage-lib"
],
"usage-secrets": [
"usage.html#usage-secrets"
]

View file

@ -295,12 +295,12 @@ let
in {
# Test variants (all 6 required)
basic = lib.shb.runNixOSTest { ... };
backup = lib.shb.runNixOSTest { ... };
https = lib.shb.runNixOSTest { ... };
ldap = lib.shb.runNixOSTest { ... };
monitoring = lib.shb.runNixOSTest { ... };
sso = lib.shb.runNixOSTest { ... };
basic = lib.shb.test.runNixOSTest { ... };
backup = lib.shb.test.runNixOSTest { ... };
https = lib.shb.test.runNixOSTest { ... };
ldap = lib.shb.test.runNixOSTest { ... };
monitoring = lib.shb.test.runNixOSTest { ... };
sso = lib.shb.test.runNixOSTest { ... };
}
```

View file

@ -4,11 +4,6 @@
## Flake {#usage-flake}
::: {.note}
A complete minimal and buildable example can be found at
[`./demo/minimal/flake.nix`](@REPO@/demo/minimal/flake.nix).
:::
Self Host Blocks is available as a flake. It also uses its own `pkgs.lib` and
`nixpkgs` and it is required to use the provided ones as input for your
deployments, otherwise you might end up blocked when Self Host Blocks patches a
@ -35,6 +30,13 @@ Host Blocks:
}
```
::: {.note}
For seasoned nixers or if you want to add your patches and overlays,
SHB provides a decomposed version of the `nixosSystem` function above.
For more examples, see the buildable examples at
[`./demo/minimal/flake.nix`](@REPO@/demo/minimal/flake.nix).
:::
If you use `sops-nix` for secrets, SHB provides an additional module, not
imported in the `default` module. It can be added by importing
@ -43,32 +45,6 @@ inputs.sops-nix.nixosModules.default
inputs.selfhostblocks.nixosModules.sops
```
### SHB Lib {#usage-flake-lib}
Providing patches to downstream users is finicky, to say the least. For example,
using `selfhostblocks.inputs.nixpkgs` directly will _not_ work. So Self Host
Blocks provides a few attributes under the `selfhostblocks.lib.${system}` flake
output:
- At the top-level, all functions defined by SHB under
[`./lib/default.nix`](@REPO@/lib/default.nix) and
[`./test/common.nix`](@REPO@/test/common.nix).
- `patches`: the list of patches applied by SHB [`./patches`](@REPO@/patches) to
nixpkgs.
- `contracts`: all contract modules.
- `patchNixpkgs`: a re-export of `nixpkgs.legacyPackages.${system}.applyPatches`
with the arguments made a bit more explicit.
- `patchedNixpkgs`: nixpkgs with `patches` applied.
- `pkgs`: `nixpkgs.legacyPackages.${system}` with `patches` applied and also:
- `config.allowUnfree` set to `true`
- `lib.shb` holds functions defined by
[`./lib/default.nix`](@REPO@/lib/default.nix)
- `lib.evalModules` is patched to include patches provided by nixpkgs
- `nixosSystem` is patched to include patches provided by nixpkgs
For normal usage, one should only need the provided `.nixosSystem`, `.pkgs` and
in some cases `.nixpkgs`.
### Substituter {#usage-flake-substituter}
You can also use the public cache as a substituter with:
@ -104,9 +80,11 @@ automatically merging the new `nixpkgs` version. The setup is explained in
[repo]: https://github.com/ibizaman/selfhostblocks
[automerge]: https://blog.tiserbox.com/posts/2023-12-25-automated-flake-lock-update-pull-requests-and-merging.html
### Use SelfHostBlocks' lib {#usage-lib}
### SHB Lib {#usage-flake-lib}
Access any functions exposed by the [lib][lib] with this snippet:
Providing patches to downstream users is finicky, to say the least.
For example, using `selfhostblocks.inputs.nixpkgs` directly will _not_ work.
So Self Host Blocks provides a few attributes under the `selfhostblocks.lib.${system}` flake output:
```nix
{
@ -115,15 +93,32 @@ Access any functions exposed by the [lib][lib] with this snippet:
};
outputs = { selfhostblocks, ... }:
let
lib = selfhostblocks.lib.${system};
shb = selfhostblocks.lib.${system};
in
{
// Use lib.shb.replaceSecrets for example.
// Use shb.replaceSecrets for example.
}
}
```
[lib]: https://github.com/ibizaman/selfhostblocks/blob/main/lib/default.nix
- At the top-level, all functions defined by SHB under
[`./lib/default.nix`](@REPO@/lib/default.nix) and
[`./test/common.nix`](@REPO@/test/common.nix).
- `patches`: the list of patches applied by SHB [`./patches`](@REPO@/patches) to
nixpkgs.
- `contracts`: all contract modules.
- `patchNixpkgs`: a re-export of `nixpkgs.legacyPackages.${system}.applyPatches`
with the arguments made a bit more explicit.
- `patchedNixpkgs`: nixpkgs with `patches` applied.
- `pkgs`: `nixpkgs.legacyPackages.${system}` with `patches` applied and also:
- `config.allowUnfree` set to `true`
- `lib.shb` holds functions defined by
[`./lib/default.nix`](@REPO@/lib/default.nix)
- `lib.evalModules` is patched to include patches provided by nixpkgs
- `nixosSystem` is patched to include patches provided by nixpkgs
For normal usage, one should only need the provided `.nixosSystem`, `.pkgs` and
in some cases `.nixpkgs`.
## Example Deployment with Nixos-Rebuild {#usage-example-nixosrebuild}
@ -138,19 +133,13 @@ deployment system [nixos-rebuild][nixos-rebuild].
selfhostblocks.url = "github:ibizaman/selfhostblocks";
};
outputs = {
self,
selfhostblocks,
}: let
outputs = { self, selfhostblocks }: let
system = "x86_64-linux";
lib = selfhostblocks.lib.${system};
nixpkgs' = lib.shb.patchedNixpkgs;
nixosSystem' = import "${nixpkgs'}/nixos/lib/eval-config.nix";
pkgs' = selfhostblocks.lib.${system}.pkgs;
in {
nixosConfigurations = {
machine = nixosSystem' {
machine = pkgs'.nixosSystem {
inherit system;
modules = [
selfhostblocks.nixosModules.default

108
flake.nix
View file

@ -46,46 +46,23 @@
src = nixpkgs;
inherit patches;
};
patchedNixpkgs = (
patchNixpkgs {
nixpkgs = inputs.nixpkgs;
patches = shbPatches;
inherit system;
}
);
patchedNixpkgs =
let
patched = patchNixpkgs {
nixpkgs = inputs.nixpkgs;
patches = shbPatches;
inherit system;
};
in
patched
// {
nixosSystem = args: import "${patched}/nixos/lib/eval-config.nix" args;
};
pkgs = import patchedNixpkgs {
inherit system;
config.allowUnfree = true;
overlays = [
(final: prev: {
lib = prev.lib // {
shb = self.lib.${system};
evalModules =
args:
((prev.lib.makeOverridable prev.lib.evalModules) args).override (prevAttrs: {
specialArgs = (prevAttrs.specialArgs or { }) // {
inherit (pkgs) lib;
};
});
};
nixosSystem =
args:
((prev.lib.makeOverridable (import "${patchedNixpkgs}/nixos/lib/eval-config.nix")) args).override
(prevAttrs: {
inherit (pkgs) lib;
});
prometheus-systemd-exporter = prev.prometheus-systemd-exporter.overrideAttrs {
src = pkgs.fetchFromGitHub {
owner = "ibizaman";
repo = prev.prometheus-systemd-exporter.pname;
# rev = "v${prev.prometheus-systemd-exporter.version}";
rev = "next_timer";
sha256 = "sha256-jzkh/616tsJbNxFtZ0xbdBQc16TMIYr9QOkPaeQw8xA=";
};
vendorHash = "sha256-4hsQ1417jLNOAqGkfCkzrmEtYR4YLLW2j0CiJtPg6GI=";
};
})
self.overlays.${system}.default
];
};
@ -231,26 +208,47 @@
'';
});
lib =
(pkgs.callPackage ./lib { })
// (pkgs.callPackage ./test/common.nix { })
// {
contracts = pkgs.callPackage ./modules/contracts { };
patches = shbPatches;
inherit patchNixpkgs patchedNixpkgs pkgs;
lib = (pkgs.callPackage ./lib { }) // {
test = pkgs.callPackage ./test/common.nix { };
contracts = pkgs.callPackage ./modules/contracts {
shb = self.lib.${system};
};
patches = shbPatches;
inherit patchNixpkgs patchedNixpkgs;
};
overlays.default = final: prev: {
# shb = self.nixosModules.lib;
prometheus-systemd-exporter = prev.prometheus-systemd-exporter.overrideAttrs {
src = pkgs.fetchFromGitHub {
owner = "ibizaman";
repo = prev.prometheus-systemd-exporter.pname;
# rev = "v${prev.prometheus-systemd-exporter.version}";
rev = "next_timer";
sha256 = "sha256-jzkh/616tsJbNxFtZ0xbdBQc16TMIYr9QOkPaeQw8xA=";
};
vendorHash = "sha256-4hsQ1417jLNOAqGkfCkzrmEtYR4YLLW2j0CiJtPg6GI=";
};
};
checks =
let
inherit (pkgs.lib)
foldl
foldlAttrs
removeAttrs
mergeAttrs
optionalAttrs
;
importFiles = files: map (m: pkgs.callPackage m { }) files;
importFiles =
files:
map (
m:
pkgs.callPackage m {
shb = self.lib.${system};
}
) files;
mergeTests = foldl mergeAttrs { };
@ -267,15 +265,19 @@
vm_test =
name: path:
flattenAttrs "vm_${name}" (
removeAttrs (pkgs.callPackage path { }) [
"override"
"overrideDerivation"
]
removeAttrs
(pkgs.callPackage path {
shb = self.lib.${system};
})
[
"override"
"overrideDerivation"
]
);
in
(optionalAttrs (system == "x86_64-linux") (
{
modules = pkgs.lib.shb.check {
modules = self.lib.${system}.check {
inherit pkgs;
tests = mergeTests (importFiles [
./test/modules/davfs.nix
@ -287,7 +289,9 @@
# TODO: Make this not use IFD
lib = nix-flake-tests.lib.check {
inherit pkgs;
tests = pkgs.callPackage ./test/modules/lib.nix { };
tests = pkgs.callPackage ./test/modules/lib.nix {
shb = self.lib.${system};
};
};
}
// (vm_test "arr" ./test/services/arr.nix)
@ -416,6 +420,8 @@
];
};
nixosModules.lib = lib/module.nix;
nixosModules.authelia = modules/blocks/authelia.nix;
nixosModules.borgbackup = modules/blocks/borgbackup.nix;
nixosModules.davfs = modules/blocks/davfs.nix;

10
lib/module.nix Normal file
View file

@ -0,0 +1,10 @@
{ pkgs, lib, ... }:
let
shb = (import ./default.nix { inherit pkgs lib; });
in
{
_module.args.shb = shb // {
test = pkgs.callPackage ../test/common.nix { };
contracts = pkgs.callPackage ../modules/contracts { inherit shb; };
};
}

View file

@ -3,6 +3,7 @@
options,
pkgs,
lib,
shb,
...
}:
@ -10,8 +11,6 @@ let
cfg = config.shb.authelia;
opt = options.shb.authelia;
contracts = pkgs.callPackage ../contracts { };
fqdn = "${cfg.subdomain}.${cfg.domain}";
fqdnWithPort = if isNull cfg.port then fqdn else "${fqdn}:${toString cfg.port}";
@ -23,6 +22,7 @@ let
in
{
imports = [
../../lib/module.nix
./lldap.nix
./mitmdump.nix
./postgresql.nix
@ -51,7 +51,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -86,7 +86,7 @@ in
jwtSecret = lib.mkOption {
description = "JWT secret.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
@ -96,7 +96,7 @@ in
ldapAdminPassword = lib.mkOption {
description = "LDAP admin user password.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
@ -106,7 +106,7 @@ in
sessionSecret = lib.mkOption {
description = "Session secret.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
@ -116,7 +116,7 @@ in
storageEncryptionKey = lib.mkOption {
description = "Storage encryption key.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
@ -126,7 +126,7 @@ in
identityProvidersOIDCHMACSecret = lib.mkOption {
description = "Identity provider OIDC HMAC secret.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
@ -140,7 +140,7 @@ in
Generate one with `nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048`
'';
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
@ -204,7 +204,7 @@ in
};
client_secret = lib.mkOption {
type = lib.shb.secretFileType;
type = shb.secretFileType;
description = ''
File containing the shared secret with the OIDC client.
@ -311,7 +311,7 @@ in
password = lib.mkOption {
description = "File containing the password to connect to the SMTP host.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${fqdn}" ];
@ -331,7 +331,7 @@ in
};
mount = lib.mkOption {
type = contracts.mount;
type = shb.contracts.mount;
description = ''
Mount configuration. This is an output option.
@ -354,7 +354,7 @@ in
};
mountRedis = lib.mkOption {
type = contracts.mount;
type = shb.contracts.mount;
description = ''
Mount configuration for Redis. This is an output option.
@ -554,12 +554,12 @@ in
let
mkCfg =
clients:
lib.shb.replaceSecrets {
shb.replaceSecrets {
userConfig = {
identity_providers.oidc.clients = clients;
};
resultPath = "/var/lib/authelia-${fqdn}/oidc_clients.yaml";
generator = lib.shb.replaceSecretsGeneratorAdapter (lib.generators.toYAML { });
generator = shb.replaceSecretsGeneratorAdapter (lib.generators.toYAML { });
};
in
lib.mkBefore (

View file

@ -3,14 +3,13 @@
pkgs,
lib,
utils,
shb,
...
}:
let
cfg = config.shb.borgbackup;
contracts = pkgs.callPackage ../contracts { };
inherit (lib)
concatStringsSep
filterAttrs
@ -56,7 +55,7 @@ let
passphrase = lib.mkOption {
description = "Encryption key for the backup repository.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = config.request.user;
ownerText = "[shb.borgbackup.${prefix}.<name>.request.user](#blocks-borgbackup-options-shb.borgbackup.${prefix}._name_.request.user)";
@ -76,7 +75,7 @@ let
};
secrets = mkOption {
type = attrsOf lib.shb.secretFileType;
type = attrsOf shb.secretFileType;
default = { };
description = ''
Secrets needed to access the repository where the backups will be stored.
@ -157,15 +156,19 @@ let
fullName = name: repository: "borgbackup-job-${name}_${repoSlugName repository.path}";
in
{
imports = [
../../lib/module.nix
];
options.shb.borgbackup = {
instances = mkOption {
description = "Files to backup following the [backup contract](./contracts-backup.html).";
description = "Files to backup following the [backup contract](./shb.contracts-backup.html).";
default = { };
type = attrsOf (
submodule (
{ name, config, ... }:
{
options = contracts.backup.mkProvider {
options = shb.contracts.backup.mkProvider {
settings = mkOption {
description = ''
Settings specific to the BorgBackup provider.
@ -193,13 +196,13 @@ in
};
databases = mkOption {
description = "Databases to backup following the [database backup contract](./contracts-databasebackup.html).";
description = "Databases to backup following the [database backup contract](./shb.contracts-databasebackup.html).";
default = { };
type = attrsOf (
submodule (
{ name, config, ... }:
{
options = contracts.databasebackup.mkProvider {
options = shb.contracts.databasebackup.mkProvider {
settings = mkOption {
description = ''
Settings specific to the BorgBackup provider.
@ -397,10 +400,10 @@ in
"${serviceName}-pre" = mkIf (instance.settings.repository.secrets != { }) (
let
script = lib.shb.genConfigOutOfBandSystemd {
script = shb.genConfigOutOfBandSystemd {
config = instance.settings.repository.secrets;
configLocation = "/run/secrets_borgbackup/${serviceName}";
generator = lib.shb.toEnvVar;
generator = shb.toEnvVar;
user = instance.request.user;
};
in
@ -424,13 +427,13 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = (
lib.shb.replaceSecrets {
shb.replaceSecrets {
userConfig = instance.settings.repository.secrets // {
BORG_PASSCOMMAND = ''"cat ${instance.settings.passphrase.result.path}"'';
BORG_REPO = instance.settings.repository.path;
};
resultPath = "/run/secrets_borgbackup_env/${fullName name instance.settings.repository}";
generator = lib.shb.toEnvVar;
generator = shb.toEnvVar;
user = instance.request.user;
}
);

View file

@ -118,7 +118,7 @@ Here we will only highlight the differences with the previous configuration.
This assumes you have access to such a remote S3 store, for example by using [Backblaze](https://www.backblaze.com/).
```diff
shb.backup.instances.myservice = {
shb.test.backup.instances.myservice = {
repository = {
- path = "/srv/pool1/backups/myfolder";
@ -211,15 +211,15 @@ backupcfg = repositories: name: sourceDirectories {
Now, we can define multiple backup jobs to backup different folders:
```nix
shb.backup.instances.myfolder1 = backupcfg repos ["/var/lib/myfolder1"];
shb.backup.instances.myfolder2 = backupcfg repos ["/var/lib/myfolder2"];
shb.test.backup.instances.myfolder1 = backupcfg repos ["/var/lib/myfolder1"];
shb.test.backup.instances.myfolder2 = backupcfg repos ["/var/lib/myfolder2"];
```
The difference between the above snippet and putting all the folders into one configuration (shown
below) is the former splits the backups into sub-folders on the repositories.
```nix
shb.backup.instances.all = backupcfg repos ["/var/lib/myfolder1" "/var/lib/myfolder2"];
shb.test.backup.instances.all = backupcfg repos ["/var/lib/myfolder1" "/var/lib/myfolder2"];
```
## Monitoring {#blocks-borgbackup-monitoring}

View file

@ -2,13 +2,12 @@
config,
lib,
pkgs,
shb,
...
}:
let
cfg = config.shb.hardcodedsecret;
contracts = pkgs.callPackage ../contracts { };
inherit (lib) mapAttrs' mkOption nameValuePair;
inherit (lib.types)
attrsOf
@ -19,6 +18,10 @@ let
inherit (pkgs) writeText;
in
{
imports = [
../../lib/module.nix
];
options.shb.hardcodedsecret = mkOption {
default = { };
description = ''
@ -40,7 +43,7 @@ in
submodule (
{ name, ... }:
{
options = contracts.secret.mkProvider {
options = shb.contracts.secret.mkProvider {
settings = mkOption {
description = ''
Settings specific to the hardcoded secret module.

View file

@ -2,14 +2,13 @@
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.lldap;
contracts = pkgs.callPackage ../contracts { };
fqdn = "${cfg.subdomain}.${cfg.domain}";
inherit (lib) mkOption types;
@ -54,6 +53,7 @@ let
in
{
imports = [
../../lib/module.nix
./mitmdump.nix
(lib.mkRenamedOptionModule [ "shb" "ldap" ] [ "shb" "lldap" ])
@ -88,7 +88,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -101,7 +101,7 @@ in
ldapUserPassword = lib.mkOption {
description = "LDAP admin user secret.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0440";
owner = "lldap";
group = "lldap";
@ -113,7 +113,7 @@ in
jwtSecret = lib.mkOption {
description = "JWT secret.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0440";
owner = "lldap";
group = "lldap";
@ -136,7 +136,7 @@ in
};
mount = lib.mkOption {
type = contracts.mount;
type = shb.contracts.mount;
description = ''
Mount configuration. This is an output option.
@ -160,7 +160,7 @@ in
Backup configuration.
'';
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
# TODO: is there a workaround that avoid needing to use root?
# root because otherwise we cannot access the private StateDiretory
user = "root";
@ -203,7 +203,7 @@ in
password = mkOption {
description = "Password.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0440";
owner = "lldap";
group = "lldap";

View file

@ -2,14 +2,13 @@
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.monitoring;
contracts = pkgs.callPackage ../contracts { };
fqdn = "${cfg.subdomain}.${cfg.domain}";
commonLabels = {
@ -49,7 +48,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -112,7 +111,7 @@ in
adminPassword = lib.mkOption {
description = "Initial admin password.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "grafana";
group = "grafana";
@ -124,7 +123,7 @@ in
secretKey = lib.mkOption {
description = "Secret key used for signing.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "grafana";
group = "grafana";
@ -226,7 +225,7 @@ in
sharedSecret = lib.mkOption {
description = "OIDC shared secret for Grafana.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
owner = "grafana";
restartUnits = [
"grafana.service"
@ -238,7 +237,7 @@ in
sharedSecretForAuthelia = lib.mkOption {
description = "OIDC shared secret for Authelia. Must be the same as `sharedSecret`";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
ownerText = "config.shb.authelia.autheliaUser";
owner = config.shb.authelia.autheliaUser;

View file

@ -1,15 +1,13 @@
{
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.nginx;
contracts = pkgs.callPackage ../contracts { };
fqdn = c: "${c.subdomain}.${c.domain}";
vhostConfig = lib.types.submodule {
@ -28,7 +26,7 @@ let
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};

View file

@ -2,11 +2,11 @@
config,
lib,
pkgs,
shb,
...
}:
let
cfg = config.shb.postgresql;
contracts = pkgs.callPackage ../contracts { };
upgrade-script =
old: new:
@ -39,6 +39,10 @@ let
'';
in
{
imports = [
../../lib/module.nix
];
options.shb.postgresql = {
debug = lib.mkOption {
type = lib.types.bool;
@ -63,7 +67,7 @@ in
default = { };
type = lib.types.submodule {
options = contracts.databasebackup.mkRequester {
options = shb.contracts.databasebackup.mkRequester {
user = "postgres";
backupName = "postgres.sql";

View file

@ -2,6 +2,7 @@
config,
pkgs,
lib,
shb,
utils,
...
}:
@ -9,8 +10,6 @@
let
cfg = config.shb.restic;
contracts = pkgs.callPackage ../contracts { };
inherit (lib)
concatStringsSep
filterAttrs
@ -60,7 +59,7 @@ let
passphrase = lib.mkOption {
description = "Encryption key for the backup repository.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = config.request.user;
ownerText = "[shb.restic.${prefix}.<name>.request.user](#blocks-restic-options-shb.restic.${prefix}._name_.request.user)";
@ -80,7 +79,7 @@ let
};
secrets = mkOption {
type = attrsOf lib.shb.secretFileType;
type = attrsOf shb.secretFileType;
default = { };
description = ''
Secrets needed to access the repository where the backups will be stored.
@ -148,15 +147,19 @@ let
fullName = name: repository: "restic-backups-${name}_${repoSlugName repository.path}";
in
{
imports = [
../../lib/module.nix
];
options.shb.restic = {
instances = mkOption {
description = "Files to backup following the [backup contract](./contracts-backup.html).";
description = "Files to backup following the [backup contract](./shb.contracts-backup.html).";
default = { };
type = attrsOf (
submodule (
{ name, config, ... }:
{
options = contracts.backup.mkProvider {
options = shb.contracts.backup.mkProvider {
settings = mkOption {
description = ''
Settings specific to the Restic provider.
@ -184,13 +187,13 @@ in
};
databases = mkOption {
description = "Databases to backup following the [database backup contract](./contracts-databasebackup.html).";
description = "Databases to backup following the [database backup contract](./shb.contracts-databasebackup.html).";
default = { };
type = attrsOf (
submodule (
{ name, config, ... }:
{
options = contracts.databasebackup.mkProvider {
options = shb.contracts.databasebackup.mkProvider {
settings = mkOption {
description = ''
Settings specific to the Restic provider.
@ -380,10 +383,10 @@ in
"${serviceName}-pre" = mkIf (instance.settings.repository.secrets != { }) (
let
script = lib.shb.genConfigOutOfBandSystemd {
script = shb.genConfigOutOfBandSystemd {
config = instance.settings.repository.secrets;
configLocation = "/run/secrets_restic/${serviceName}";
generator = lib.shb.toEnvVar;
generator = shb.toEnvVar;
user = instance.request.user;
};
in
@ -407,13 +410,13 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = (
lib.shb.replaceSecrets {
shb.replaceSecrets {
userConfig = instance.settings.repository.secrets // {
RESTIC_PASSWORD_FILE = toString instance.settings.passphrase.result.path;
RESTIC_REPOSITORY = instance.settings.repository.path;
};
resultPath = "/run/secrets_restic_env/${fullName name instance.settings.repository}";
generator = lib.shb.toEnvVar;
generator = shb.toEnvVar;
user = instance.request.user;
}
);

View file

@ -118,7 +118,7 @@ Here we will only highlight the differences with the previous configuration.
This assumes you have access to such a remote S3 store, for example by using [Backblaze](https://www.backblaze.com/).
```diff
shb.backup.instances.myservice = {
shb.test.backup.instances.myservice = {
repository = {
- path = "/srv/pool1/backups/myfolder";
@ -211,15 +211,15 @@ backupcfg = repositories: name: sourceDirectories {
Now, we can define multiple backup jobs to backup different folders:
```nix
shb.backup.instances.myfolder1 = backupcfg repos ["/var/lib/myfolder1"];
shb.backup.instances.myfolder2 = backupcfg repos ["/var/lib/myfolder2"];
shb.test.backup.instances.myfolder1 = backupcfg repos ["/var/lib/myfolder1"];
shb.test.backup.instances.myfolder2 = backupcfg repos ["/var/lib/myfolder2"];
```
The difference between the above snippet and putting all the folders into one configuration (shown
below) is the former splits the backups into sub-folders on the repositories.
```nix
shb.backup.instances.all = backupcfg repos ["/var/lib/myfolder1" "/var/lib/myfolder2"];
shb.test.backup.instances.all = backupcfg repos ["/var/lib/myfolder1" "/var/lib/myfolder2"];
```
## Monitoring {#blocks-restic-monitoring}

View file

@ -1,18 +1,20 @@
{
config,
lib,
pkgs,
shb,
...
}:
let
inherit (lib) mapAttrs mkOption;
inherit (lib.types) attrsOf anything submodule;
contracts = pkgs.callPackage ../contracts { };
cfg = config.shb.sops;
in
{
imports = [
../../lib/module.nix
];
options.shb.sops = {
secret = mkOption {
description = "Secret following the [secret contract](./contracts-secret.html).";
@ -21,7 +23,7 @@ in
submodule (
{ name, options, ... }:
{
options = contracts.secret.mkProvider {
options = shb.contracts.secret.mkProvider {
settings = mkOption {
description = ''
Settings specific to the Sops provider.

View file

@ -2,14 +2,13 @@
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.certs;
contracts = pkgs.callPackage ../contracts { };
inherit (builtins) dirOf;
inherit (lib)
flatten
@ -20,6 +19,10 @@ let
;
in
{
imports = [
../../lib/module.nix
];
options.shb.certs = {
systemdService = lib.mkOption {
description = ''
@ -51,7 +54,7 @@ in
This option implements the SSL Generator contract.
'';
type = contracts.ssl.certs-paths;
type = shb.contracts.ssl.certs-paths;
default = {
key = "/var/lib/certs/cas/${config._module.args.name}.key";
cert = "/var/lib/certs/cas/${config._module.args.name}.cert";
@ -81,7 +84,7 @@ in
{
options = {
ca = lib.mkOption {
type = lib.types.nullOr contracts.ssl.cas;
type = lib.types.nullOr shb.contracts.ssl.cas;
description = ''
CA used to generate this certificate. Only used for self-signed.
@ -128,7 +131,7 @@ in
This option implements the SSL Generator contract.
'';
type = contracts.ssl.certs-paths;
type = shb.contracts.ssl.certs-paths;
default = {
key = "/var/lib/certs/selfsigned/${config._module.args.name}.key";
cert = "/var/lib/certs/selfsigned/${config._module.args.name}.cert";
@ -196,7 +199,7 @@ in
This option implements the SSL Generator contract.
'';
type = contracts.ssl.certs-paths;
type = shb.contracts.ssl.certs-paths;
default = {
key = "/var/lib/acme/${config._module.args.name}/key.pem";
cert = "/var/lib/acme/${config._module.args.name}/cert.pem";

View file

@ -1,4 +1,4 @@
{ lib, ... }:
{ lib, shb, ... }:
let
inherit (lib)
concatStringsSep
@ -13,7 +13,7 @@ let
submodule
str
;
inherit (lib.shb) anyNotNull;
inherit (shb) anyNotNull;
in
{
mkRequest =

View file

@ -1,11 +1,13 @@
{ pkgs, lib, ... }:
{ lib, shb, ... }:
let
contracts = pkgs.callPackage ../. { };
inherit (lib) mkOption;
inherit (lib.types) submodule;
in
{
imports = [
../../../lib/module.nix
];
options.shb.contracts.backup = mkOption {
description = ''
Contract for backing up files
@ -23,7 +25,7 @@ in
'';
type = submodule {
options = contracts.backup.contract;
options = shb.contracts.backup.contract;
};
};
}

View file

@ -1,4 +1,8 @@
{ pkgs, lib }:
{
pkgs,
lib,
shb,
}:
let
inherit (lib)
concatMapStringsSep
@ -20,13 +24,13 @@ in
settings, # { repository, config } -> attrset
extraConfig ? null, # { username, config } -> attrset
}:
lib.shb.runNixOSTest {
shb.test.runNixOSTest {
inherit name;
nodes.machine =
{ config, ... }:
{
imports = [ lib.shb.baseImports ] ++ modules;
imports = [ shb.test.baseImports ] ++ modules;
config = lib.mkMerge [
(setAttrByPath providerRoot {

View file

@ -1,4 +1,4 @@
{ lib, ... }:
{ lib, shb, ... }:
let
inherit (lib)
mkOption
@ -8,7 +8,7 @@ let
optionalString
;
inherit (lib.types) submodule str;
inherit (lib.shb) anyNotNull;
inherit (shb) anyNotNull;
in
{
mkRequest =

View file

@ -1,11 +1,13 @@
{ pkgs, lib, ... }:
{ lib, shb, ... }:
let
contracts = pkgs.callPackage ../. { };
inherit (lib) mkOption;
inherit (lib.types) submodule;
in
{
imports = [
../../../lib/module.nix
];
options.shb.contracts.databasebackup = mkOption {
description = ''
Contract for database backup between a requester module
@ -23,7 +25,7 @@ in
'';
type = submodule {
options = contracts.databasebackup.contract;
options = shb.contracts.databasebackup.contract;
};
};
}

View file

@ -1,4 +1,8 @@
{ pkgs, lib }:
{
pkgs,
lib,
shb,
}:
let
inherit (lib)
getAttrFromPath
@ -16,13 +20,13 @@ in
database ? "me",
settings, # { repository, config } -> attrset
}:
lib.shb.runNixOSTest {
shb.test.runNixOSTest {
inherit name;
nodes.machine =
{ config, ... }:
{
imports = [ lib.shb.baseImports ] ++ modules;
imports = [ shb.test.baseImports ] ++ modules;
config = lib.mkMerge [
(setAttrByPath providerRoot {
request = (getAttrFromPath requesterRoot config).request;

View file

@ -1,4 +1,8 @@
{ pkgs, lib }:
{
pkgs,
lib,
shb,
}:
let
inherit (lib) mkOption optionalAttrs;
inherit (lib.types) anything;
@ -44,7 +48,7 @@ let
importContract =
module:
let
importedModule = pkgs.callPackage module { };
importedModule = pkgs.callPackage module { inherit shb; };
in
mkContractFunctions {
inherit (importedModule) mkRequest mkResult;
@ -57,8 +61,8 @@ in
secret = importContract ./secret.nix;
ssl = pkgs.callPackage ./ssl.nix { };
test = {
secret = pkgs.callPackage ./secret/test.nix { };
databasebackup = pkgs.callPackage ./databasebackup/test.nix { };
backup = pkgs.callPackage ./backup/test.nix { };
secret = pkgs.callPackage ./secret/test.nix { inherit shb; };
databasebackup = pkgs.callPackage ./databasebackup/test.nix { inherit shb; };
backup = pkgs.callPackage ./backup/test.nix { inherit shb; };
};
}

View file

@ -1,4 +1,4 @@
{ lib, ... }:
{ lib, shb, ... }:
let
inherit (lib)
concatStringsSep
@ -8,7 +8,7 @@ let
optionalString
;
inherit (lib.types) listOf submodule str;
inherit (lib.shb) anyNotNull;
inherit (shb) anyNotNull;
in
{
mkRequest =

View file

@ -1,11 +1,13 @@
{ pkgs, lib, ... }:
{ lib, shb, ... }:
let
contracts = pkgs.callPackage ../. { };
inherit (lib) mkOption;
inherit (lib.types) submodule;
in
{
imports = [
../../../lib/module.nix
];
options.shb.contracts.secret = mkOption {
description = ''
Contract for secrets between a requester module
@ -21,7 +23,7 @@ in
through the `result.*` options.
'';
type = submodule {
options = contracts.secret.contract;
options = shb.contracts.secret.contract;
};
};
}

View file

@ -1,4 +1,8 @@
{ pkgs, lib }:
{
pkgs,
lib,
shb,
}:
let
inherit (lib) getAttrFromPath setAttrByPath;
inherit (lib) mkIf;
@ -13,13 +17,13 @@ in
mode ? "0400",
restartUnits ? [ "myunit.service" ],
}:
lib.shb.runNixOSTest {
shb.test.runNixOSTest {
name = "secret_${name}_${owner}_${group}_${mode}";
nodes.machine =
{ config, ... }:
{
imports = [ lib.shb.baseImports ] ++ modules;
imports = [ shb.test.baseImports ] ++ modules;
config = lib.mkMerge [
(setAttrByPath configRoot {
A = {

View file

@ -1,10 +1,11 @@
{ pkgs, lib, ... }:
let
contracts = pkgs.callPackage ../. { };
in
{ lib, shb, ... }:
{
imports = [
../../../lib/module.nix
];
options.shb.contracts.ssl = lib.mkOption {
description = "Contract for SSL Certificate generator.";
type = contracts.ssl.certs;
type = shb.contracts.ssl.certs;
};
}

View file

@ -2,17 +2,16 @@
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.arr;
contracts = pkgs.callPackage ../contracts { };
apps = {
radarr = {
settingsFormat = lib.shb.formatXML { enclosingRoot = "Config"; };
settingsFormat = shb.formatXML { enclosingRoot = "Config"; };
moreOptions = {
settings = lib.mkOption {
description = "Specific options for radarr.";
@ -21,7 +20,7 @@ let
freeformType = apps.radarr.settingsFormat.type;
options = {
ApiKey = lib.mkOption {
type = lib.shb.secretFileType;
type = shb.secretFileType;
description = "Path to api key secret file.";
};
LogLevel = lib.mkOption {
@ -73,7 +72,7 @@ let
};
};
sonarr = {
settingsFormat = lib.shb.formatXML { enclosingRoot = "Config"; };
settingsFormat = shb.formatXML { enclosingRoot = "Config"; };
moreOptions = {
settings = lib.mkOption {
description = "Specific options for sonarr.";
@ -82,7 +81,7 @@ let
freeformType = apps.sonarr.settingsFormat.type;
options = {
ApiKey = lib.mkOption {
type = lib.shb.secretFileType;
type = shb.secretFileType;
description = "Path to api key secret file.";
};
LogLevel = lib.mkOption {
@ -129,7 +128,7 @@ let
};
};
bazarr = {
settingsFormat = lib.shb.formatXML { enclosingRoot = "Config"; };
settingsFormat = shb.formatXML { enclosingRoot = "Config"; };
moreOptions = {
settings = lib.mkOption {
description = "Specific options for bazarr.";
@ -157,7 +156,7 @@ let
};
};
readarr = {
settingsFormat = lib.shb.formatXML { enclosingRoot = "Config"; };
settingsFormat = shb.formatXML { enclosingRoot = "Config"; };
moreOptions = {
settings = lib.mkOption {
description = "Specific options for readarr.";
@ -184,7 +183,7 @@ let
};
};
lidarr = {
settingsFormat = lib.shb.formatXML { enclosingRoot = "Config"; };
settingsFormat = shb.formatXML { enclosingRoot = "Config"; };
moreOptions = {
settings = lib.mkOption {
description = "Specific options for lidarr.";
@ -220,7 +219,7 @@ let
freeformType = apps.jackett.settingsFormat.type;
options = {
ApiKey = lib.mkOption {
type = lib.shb.secretFileType;
type = shb.secretFileType;
description = "Path to api key secret file.";
};
FlareSolverrUrl = lib.mkOption {
@ -229,7 +228,7 @@ let
default = null;
};
OmdbApiKey = lib.mkOption {
type = lib.types.nullOr lib.shb.secretFileType;
type = lib.types.nullOr shb.secretFileType;
description = "File containing the Open Movie Database API key.";
default = null;
};
@ -341,7 +340,7 @@ let
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -358,7 +357,7 @@ let
'';
default = { };
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = name;
sourceDirectories = [
cfg.${name}.dataDir
@ -379,6 +378,7 @@ let
in
{
imports = [
../../lib/module.nix
../blocks/nginx.nix
];
@ -398,7 +398,7 @@ in
dataDir = "/var/lib/radarr";
};
systemd.services.radarr.preStart = lib.shb.replaceSecrets {
systemd.services.radarr.preStart = shb.replaceSecrets {
userConfig =
cfg'.settings
// (lib.optionalAttrs isSSOEnabled {
@ -406,7 +406,7 @@ in
AuthenticationMethod = "External";
});
resultPath = "${config.services.radarr.dataDir}/config.xml";
generator = lib.shb.replaceSecretsFormatAdapter apps.radarr.settingsFormat;
generator = shb.replaceSecretsFormatAdapter apps.radarr.settingsFormat;
};
shb.nginx.vhosts = [ (vhosts { } cfg') ];
@ -429,7 +429,7 @@ in
extraGroups = [ "media" ];
};
systemd.services.sonarr.preStart = lib.shb.replaceSecrets {
systemd.services.sonarr.preStart = shb.replaceSecrets {
userConfig =
cfg'.settings
// (lib.optionalAttrs isSSOEnabled {
@ -457,7 +457,7 @@ in
users.users.bazarr = {
extraGroups = [ "media" ];
};
systemd.services.bazarr.preStart = lib.shb.replaceSecrets {
systemd.services.bazarr.preStart = shb.replaceSecrets {
userConfig =
cfg'.settings
// (lib.optionalAttrs isSSOEnabled {
@ -484,7 +484,7 @@ in
users.users.readarr = {
extraGroups = [ "media" ];
};
systemd.services.readarr.preStart = lib.shb.replaceSecrets {
systemd.services.readarr.preStart = shb.replaceSecrets {
userConfig = cfg'.settings;
resultPath = "${config.services.readarr.dataDir}/config.xml";
generator = apps.readarr.settingsFormat.generate;
@ -507,7 +507,7 @@ in
users.users.lidarr = {
extraGroups = [ "media" ];
};
systemd.services.lidarr.preStart = lib.shb.replaceSecrets {
systemd.services.lidarr.preStart = shb.replaceSecrets {
userConfig =
cfg'.settings
// (lib.optionalAttrs isSSOEnabled {
@ -535,8 +535,8 @@ in
users.users.jackett = {
extraGroups = [ "media" ];
};
systemd.services.jackett.preStart = lib.shb.replaceSecrets {
userConfig = lib.shb.renameAttrName cfg'.settings "ApiKey" "APIKey";
systemd.services.jackett.preStart = shb.replaceSecrets {
userConfig = shb.renameAttrName cfg'.settings "ApiKey" "APIKey";
resultPath = "${config.services.jackett.dataDir}/ServerConfig.json";
generator = apps.jackett.settingsFormat.generate;
};

View file

@ -1,15 +1,13 @@
{
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.audiobookshelf;
contracts = pkgs.callPackage ../contracts { };
fqdn = "${cfg.subdomain}.${cfg.domain}";
roleClaim = "audiobookshelf_groups";
@ -38,7 +36,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -103,7 +101,7 @@ in
sharedSecret = lib.mkOption {
description = "OIDC shared secret for Audiobookshelf.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0440";
owner = "audiobookshelf";
group = "audiobookshelf";
@ -115,7 +113,7 @@ in
sharedSecretForAuthelia = lib.mkOption {
description = "OIDC shared secret for Authelia.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
ownerText = "config.shb.authelia.autheliaUser";
owner = config.shb.authelia.autheliaUser;
@ -131,7 +129,7 @@ in
Backup configuration.
'';
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "audiobookshelf";
sourceDirectories = [
"/var/lib/audiobookshelf"

View file

@ -2,14 +2,13 @@
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.deluge;
contracts = pkgs.callPackage ../contracts { };
fqdn = "${cfg.subdomain}.${cfg.domain}";
authGenerator =
@ -29,6 +28,7 @@ let
in
{
imports = [
../../lib/module.nix
../blocks/nginx.nix
];
@ -49,7 +49,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -194,7 +194,7 @@ in
lib.types.submodule {
options = {
password = lib.mkOption {
type = lib.shb.secretFileType;
type = shb.secretFileType;
description = "File containing the user password.";
};
};
@ -205,7 +205,7 @@ in
localclientPassword = lib.mkOption {
description = "Password for mandatory localclient user.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
owner = "deluge";
restartUnits = [ "deluged.service" ];
};
@ -216,7 +216,7 @@ in
description = "Password for prometheus scraper. Setting this option will activate the prometheus deluge exporter.";
type = lib.types.nullOr (
lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
owner = "deluge";
restartUnits = [
"deluged.service"
@ -273,7 +273,7 @@ in
'';
default = { };
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "deluge";
sourceDirectories = [
cfg.dataDir
@ -361,7 +361,7 @@ in
};
systemd.services.deluged.preStart = lib.mkBefore (
lib.shb.replaceSecrets {
shb.replaceSecrets {
userConfig =
cfg.extraUsers
// {

View file

@ -3,14 +3,13 @@
options,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.forgejo;
contracts = pkgs.callPackage ../contracts { };
inherit (lib)
all
attrNames
@ -87,7 +86,7 @@ in
ssl = mkOption {
description = "Path to SSL files";
type = nullOr contracts.ssl.certs;
type = nullOr shb.contracts.ssl.certs;
default = null;
};
@ -137,7 +136,7 @@ in
adminPassword = mkOption {
description = "LDAP admin password.";
type = submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0440";
owner = "forgejo";
group = "forgejo";
@ -210,7 +209,7 @@ in
sharedSecret = mkOption {
description = "OIDC shared secret for Forgejo.";
type = submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0440";
owner = "forgejo";
group = "forgejo";
@ -222,7 +221,7 @@ in
sharedSecretForAuthelia = mkOption {
description = "OIDC shared secret for Authelia.";
type = submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "authelia";
};
@ -254,7 +253,7 @@ in
password = mkOption {
description = "Forgejo admin user password.";
type = submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0440";
owner = "forgejo";
group = "forgejo";
@ -269,7 +268,7 @@ in
databasePassword = mkOption {
description = "File containing the Forgejo database password.";
type = submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0440";
owner = "forgejo";
group = "forgejo";
@ -329,7 +328,7 @@ in
'';
default = { };
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = options.services.forgejo.user.value;
sourceDirectories = [
options.services.forgejo.dump.backupDir.value
@ -342,7 +341,7 @@ in
};
mount = mkOption {
type = contracts.mount;
type = shb.contracts.mount;
description = ''
Mount configuration. This is an output option.

View file

@ -1,15 +1,13 @@
{
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.grocy;
contracts = pkgs.callPackage ../contracts { };
fqdn = "${cfg.subdomain}.${cfg.domain}";
in
{
@ -68,7 +66,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -90,7 +88,7 @@ in
'';
readOnly = true;
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "grocy";
sourceDirectories = [
cfg.dataDir

View file

@ -1,15 +1,13 @@
{
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.hledger;
contracts = pkgs.callPackage ../contracts { };
fqdn = "${cfg.subdomain}.${cfg.domain}";
in
{
@ -40,7 +38,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -70,7 +68,7 @@ in
'';
default = { };
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "hledger";
sourceDirectories = [
cfg.dataDir

View file

@ -2,14 +2,13 @@
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.home-assistant;
contracts = pkgs.callPackage ../contracts { };
fqdn = "${cfg.subdomain}.${cfg.domain}";
ldap_auth_script_repo = pkgs.fetchFromGitHub {
@ -32,6 +31,10 @@ let
configWithSecretsIncludes = nonSecrets // (lib.attrsets.mapAttrs (k: v: "!secret ${k}") secrets);
in
{
imports = [
../../lib/module.nix
];
options.shb.home-assistant = {
enable = lib.mkEnableOption "selfhostblocks.home-assistant";
@ -49,7 +52,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -61,35 +64,35 @@ in
name = lib.mkOption {
type = lib.types.oneOf [
lib.types.str
lib.shb.secretFileType
shb.secretFileType
];
description = "Name of the Home Assistant instance.";
};
country = lib.mkOption {
type = lib.types.oneOf [
lib.types.str
lib.shb.secretFileType
shb.secretFileType
];
description = "Two letter country code where this instance is located.";
};
latitude = lib.mkOption {
type = lib.types.oneOf [
lib.types.str
lib.shb.secretFileType
shb.secretFileType
];
description = "Latitude where this instance is located.";
};
longitude = lib.mkOption {
type = lib.types.oneOf [
lib.types.str
lib.shb.secretFileType
shb.secretFileType
];
description = "Longitude where this instance is located.";
};
time_zone = lib.mkOption {
type = lib.types.oneOf [
lib.types.str
lib.shb.secretFileType
shb.secretFileType
];
description = "Timezone of this instance.";
example = "America/Los_Angeles";
@ -206,7 +209,7 @@ in
'';
default = { };
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "hass";
# No need for backup hooks as we use an hourly automation job in home assistant directly with a cron job.
sourceDirectories = [
@ -383,10 +386,10 @@ in
fi
''
)
+ (lib.shb.replaceSecrets {
+ (shb.replaceSecrets {
userConfig = cfg.config;
resultPath = "${config.services.home-assistant.configDir}/secrets.yaml";
generator = lib.shb.replaceSecretsGeneratorAdapter (lib.generators.toYAML { });
generator = shb.replaceSecretsGeneratorAdapter (lib.generators.toYAML { });
});
systemd.tmpfiles.rules = [

View file

@ -2,14 +2,13 @@
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.immich;
contracts = pkgs.callPackage ../contracts { };
fqdn = "${cfg.subdomain}.${cfg.domain}";
protocol = if !(isNull cfg.ssl) then "https" else "http";
@ -76,10 +75,10 @@ let
# Use SHB's replaceSecrets function for loading secrets at runtime
configSetupScript = lib.optionalString (cfg.sso.enable || cfg.smtp != null) (
lib.shb.replaceSecrets {
shb.replaceSecrets {
userConfig = shbManagedSettings;
resultPath = configFile;
generator = lib.shb.replaceSecretsFormatAdapter (pkgs.formats.json { });
generator = shb.replaceSecretsFormatAdapter (pkgs.formats.json { });
user = "immich";
permissions = "u=r,g=,o=";
}
@ -106,6 +105,7 @@ let
in
{
imports = [
../../lib/module.nix
../blocks/nginx.nix
];
@ -146,7 +146,7 @@ in
ssl = mkOption {
description = "Path to SSL files";
type = nullOr contracts.ssl.certs;
type = nullOr shb.contracts.ssl.certs;
default = null;
};
@ -162,7 +162,7 @@ in
This is required for secure session management.
'';
type = nullOr (submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "immich";
restartUnits = [ "immich-server.service" ];
@ -172,7 +172,7 @@ in
};
mount = mkOption {
type = contracts.mount;
type = shb.contracts.mount;
description = ''
Mount configuration. This is an output option.
@ -197,7 +197,7 @@ in
'';
default = { };
type = submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "immich";
sourceDirectories = [
dataFolder
@ -328,7 +328,7 @@ in
sharedSecret = mkOption {
description = "OIDC shared secret for Immich.";
type = submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "immich";
group = "immich";
@ -340,7 +340,7 @@ in
sharedSecretForAuthelia = mkOption {
description = "OIDC shared secret for Authelia. Content must be the same as `sharedSecret` option.";
type = submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "authelia";
};
@ -420,7 +420,7 @@ in
password = mkOption {
description = "File containing the password to connect to the SMTP host.";
type = submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "immich";
restartUnits = [ "immich-server.service" ];

View file

@ -2,6 +2,7 @@
config,
lib,
pkgs,
shb,
...
}:
@ -10,8 +11,6 @@ let
cfg = config.shb.jellyfin;
contracts = pkgs.callPackage ../contracts { };
fqdn = "${cfg.subdomain}.${cfg.domain}";
jellyfin-cli = pkgs.buildDotnetModule rec {
@ -83,7 +82,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = types.nullOr contracts.ssl.certs;
type = types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -107,7 +106,7 @@ in
password = lib.mkOption {
description = "Password of the default admin user.";
type = types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0440";
owner = "jellyfin";
group = "jellyfin";
@ -160,7 +159,7 @@ in
adminPassword = lib.mkOption {
description = "LDAP admin password.";
type = types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0440";
owner = "jellyfin";
group = "jellyfin";
@ -221,7 +220,7 @@ in
sharedSecret = lib.mkOption {
description = "OIDC shared secret for Jellyfin.";
type = types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0440";
owner = "jellyfin";
group = "jellyfin";
@ -233,7 +232,7 @@ in
sharedSecretForAuthelia = lib.mkOption {
description = "OIDC shared secret for Authelia.";
type = types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
ownerText = "config.shb.authelia.autheliaUser";
owner = config.shb.authelia.autheliaUser;
@ -250,7 +249,7 @@ in
'';
default = { };
type = types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "jellyfin";
sourceDirectories = [
config.services.jellyfin.dataDir
@ -265,6 +264,8 @@ in
};
imports = [
../../lib/module.nix
(lib.mkRenamedOptionModule
[ "shb" "jellyfin" "adminPassword" ]
[ "shb" "jellyfin" "admin" "password" ]
@ -586,7 +587,7 @@ in
fi
ln -fs "${debugLogging}" "${config.services.jellyfin.configDir}/logging.json"
''
+ (lib.shb.replaceSecretsScript {
+ (shb.replaceSecretsScript {
file = networkConfig;
# Write permissions are needed otherwise the jellyfin-cli tool will not work correctly.
permissions = "u=rw,g=rw,o=";
@ -595,7 +596,7 @@ in
];
})
+ lib.strings.optionalString cfg.ldap.enable (
lib.shb.replaceSecretsScript {
shb.replaceSecretsScript {
file = ldapConfig;
resultPath = "${config.services.jellyfin.dataDir}/plugins/configurations/LDAP-Auth.xml";
replacements = [
@ -607,7 +608,7 @@ in
}
)
+ lib.strings.optionalString cfg.sso.enable (
lib.shb.replaceSecretsScript {
shb.replaceSecretsScript {
file = ssoConfig;
resultPath = "${config.services.jellyfin.dataDir}/plugins/configurations/SSO-Auth.xml";
replacements = [
@ -619,7 +620,7 @@ in
}
)
+ lib.strings.optionalString cfg.sso.enable (
lib.shb.replaceSecretsScript {
shb.replaceSecretsScript {
file = brandingConfig;
resultPath = "${config.services.jellyfin.dataDir}/config/branding.xml";
replacements = [

View file

@ -1,16 +1,15 @@
{
config,
lib,
pkgs,
shb,
...
}:
let
cfg = config.shb.karakeep;
contracts = pkgs.callPackage ../contracts { };
in
{
imports = [
../../lib/module.nix
../blocks/nginx.nix
];
@ -31,7 +30,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -106,7 +105,7 @@ in
sharedSecret = lib.mkOption {
description = "OIDC shared secret for Karakeep.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
owner = "karakeep";
# These services are the ones relying on the environment file containing the secrets.
restartUnits = [
@ -121,7 +120,7 @@ in
sharedSecretForAuthelia = lib.mkOption {
description = "OIDC shared secret for Authelia. Must be the same as `sharedSecret`";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
ownerText = "config.shb.authelia.autheliaUser";
owner = config.shb.authelia.autheliaUser;
@ -138,7 +137,7 @@ in
'';
default = { };
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "karakeep";
sourceDirectories = [
"/var/lib/karakeep"
@ -150,7 +149,7 @@ in
nextauthSecret = lib.mkOption {
description = "NextAuth secret.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
owner = "karakeep";
# These services are the ones relying on the environment file containing the secrets.
restartUnits = [
@ -165,7 +164,7 @@ in
meilisearchMasterKey = lib.mkOption {
description = "Master key used to secure communication with Meilisearch.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
owner = "karakeep";
# These services are the ones relying on the environment file containing the secrets.
restartUnits = [
@ -204,7 +203,7 @@ in
# instead of using the value from the cfg.meilisearchMasterKey option.
systemd.services.karakeep-init = {
script = lib.mkForce (
(lib.shb.replaceSecrets {
(shb.replaceSecrets {
userConfig = {
MEILI_MASTER_KEY.source = cfg.meilisearchMasterKey.result.path;
NEXTAUTH_SECRET.source = cfg.nextauthSecret.result.path;
@ -213,7 +212,7 @@ in
OAUTH_CLIENT_SECRET.source = cfg.sso.sharedSecret.result.path;
};
resultPath = "/var/lib/karakeep/settings.env";
generator = lib.shb.toEnvVar;
generator = shb.toEnvVar;
})
+ ''
export DATA_DIR="$STATE_DIRECTORY"

View file

@ -2,6 +2,7 @@
config,
pkgs,
lib,
shb,
...
}:
@ -18,8 +19,6 @@ let
else
"${cfg.apps.sso.endpoint}:${toString cfg.apps.sso.port}";
contracts = pkgs.callPackage ../contracts { };
nextcloudPkg = builtins.getAttr ("nextcloud" + builtins.toString cfg.version) pkgs;
nextcloudApps =
(builtins.getAttr ("nextcloud" + builtins.toString cfg.version + "Packages") pkgs).apps;
@ -27,6 +26,10 @@ let
occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
in
{
imports = [
../../lib/module.nix
];
options.shb.nextcloud = {
enable = lib.mkEnableOption "selfhostblocks.nextcloud-server";
@ -68,7 +71,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -110,7 +113,7 @@ in
adminPass = lib.mkOption {
description = "Nextcloud admin password.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
@ -251,7 +254,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -424,7 +427,7 @@ in
adminPassword = lib.mkOption {
description = "LDAP server admin password.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
@ -505,7 +508,7 @@ in
secret = lib.mkOption {
description = "OIDC shared secret.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
@ -516,7 +519,7 @@ in
secretForAuthelia = lib.mkOption {
description = "OIDC shared secret. Content must be the same as `secretFile` option.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "authelia";
};
@ -625,7 +628,7 @@ in
'';
default = { };
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "nextcloud";
sourceDirectories = [
cfg.dataDir

View file

@ -2,13 +2,12 @@
config,
lib,
pkgs,
shb,
...
}:
let
cfg = config.shb.open-webui;
contracts = pkgs.callPackage ../contracts { };
roleClaim = "openwebui_groups";
oauthScopes = [
"openid"
@ -20,6 +19,7 @@ let
in
{
imports = [
../../lib/module.nix
../blocks/nginx.nix
];
@ -40,7 +40,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -124,7 +124,7 @@ in
sharedSecret = lib.mkOption {
description = "OIDC shared secret for Open-WebUI.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
owner = "open-webui";
restartUnits = [ "open-webui.service" ];
};
@ -134,7 +134,7 @@ in
sharedSecretForAuthelia = lib.mkOption {
description = "OIDC shared secret for Authelia. Must be the same as `sharedSecret`";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
ownerText = "config.shb.authelia.autheliaUser";
owner = config.shb.authelia.autheliaUser;
@ -151,7 +151,7 @@ in
'';
default = { };
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "open-webui";
sourceDirectories = [
config.services.open-webui.stateDir
@ -270,12 +270,12 @@ in
"d '/run/open-webui' 0750 root root - -"
];
systemd.services.open-webui-pre = {
script = lib.shb.replaceSecrets {
script = shb.replaceSecrets {
userConfig = {
OAUTH_CLIENT_SECRET.source = cfg.sso.sharedSecret.result.path;
};
resultPath = "/run/open-webui/secrets.env";
generator = lib.shb.toEnvVar;
generator = shb.toEnvVar;
};
serviceConfig.Type = "oneshot";
wantedBy = [ "multi-user.target" ];

View file

@ -2,12 +2,12 @@
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.paperless;
contracts = pkgs.callPackage ../contracts { };
dataFolder = cfg.dataDir;
fqdn = "${cfg.subdomain}.${cfg.domain}";
protocol = if !(isNull cfg.ssl) then "https" else "http";
@ -48,7 +48,7 @@ let
source = cfg.sso.sharedSecret.result.path;
}
];
replaceSecretsScript = lib.shb.replaceSecretsScript {
replaceSecretsScript = shb.replaceSecretsScript {
file = ssoClientSettingsFile;
resultPath = "/run/paperless/paperless-sso-client.env";
inherit replacements;
@ -77,6 +77,7 @@ let
in
{
imports = [
../../lib/module.nix
../blocks/nginx.nix
];
@ -117,7 +118,7 @@ in
ssl = mkOption {
description = "Path to SSL files";
type = nullOr contracts.ssl.certs;
type = nullOr shb.contracts.ssl.certs;
default = null;
};
@ -152,7 +153,7 @@ in
adminPassword = mkOption {
description = "Secret containing the superuser (admin) password.";
type = submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "paperless";
group = "paperless";
@ -208,7 +209,7 @@ in
};
mount = mkOption {
type = contracts.mount;
type = shb.contracts.mount;
description = ''
Mount configuration. This is an output option.
@ -233,7 +234,7 @@ in
'';
default = { };
type = submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "paperless";
sourceDirectories = [
dataFolder
@ -314,7 +315,7 @@ in
sharedSecret = mkOption {
description = "OIDC shared secret for paperless.";
type = submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "paperless";
group = "paperless";
@ -326,7 +327,7 @@ in
sharedSecretForAuthelia = mkOption {
description = "OIDC shared secret for Authelia. Content must be the same as `sharedSecret` option.";
type = submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "authelia";
};

View file

@ -2,17 +2,17 @@
config,
lib,
pkgs,
shb,
...
}:
let
cfg = config.shb.pinchflat;
inherit (lib) types;
contracts = pkgs.callPackage ../contracts { };
in
{
imports = [
../../lib/module.nix
../blocks/nginx.nix
];
@ -33,7 +33,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -50,7 +50,7 @@ in
Make sure the secret is at least 64 characters long.
'';
type = types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
restartUnits = [ "pinchflat.service" ];
};
};
@ -64,7 +64,7 @@ in
timeZone = lib.mkOption {
type = lib.types.oneOf [
lib.types.str
lib.shb.secretFileType
shb.secretFileType
];
description = "Timezone of this instance.";
example = "America/Los_Angeles";
@ -123,7 +123,7 @@ in
'';
default = { };
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "pinchflat";
sourceDirectories = [
cfg.mediaDir
@ -158,13 +158,13 @@ in
};
systemd.services.pinchflat-pre = {
script = lib.shb.replaceSecrets {
script = shb.replaceSecrets {
userConfig = {
SECRET_KEY_BASE.source = cfg.secretKeyBase.result.path;
# TZ = cfg.secretKeyBase.result.path; # Uncomment when PR is merged.
};
resultPath = "/run/pinchflat/secrets.env";
generator = lib.shb.toEnvVar;
generator = shb.toEnvVar;
};
serviceConfig.Type = "oneshot";
wantedBy = [ "multi-user.target" ];

View file

@ -1,15 +1,13 @@
{
config,
pkgs,
lib,
shb,
...
}:
let
cfg = config.shb.vaultwarden;
contracts = pkgs.callPackage ../contracts { };
fqdn = "${cfg.subdomain}.${cfg.domain}";
dataFolder =
@ -20,6 +18,7 @@ let
in
{
imports = [
../../lib/module.nix
../blocks/nginx.nix
];
@ -40,7 +39,7 @@ in
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
type = lib.types.nullOr shb.contracts.ssl.certs;
default = null;
};
@ -60,7 +59,7 @@ in
databasePassword = lib.mkOption {
description = "File containing the Vaultwarden database password.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0440";
owner = "vaultwarden";
group = "postgres";
@ -118,7 +117,7 @@ in
password = lib.mkOption {
description = "File containing the password to connect to the SMTP host.";
type = lib.types.submodule {
options = contracts.secret.mkRequester {
options = shb.contracts.secret.mkRequester {
mode = "0400";
owner = "vaultwarden";
restartUnits = [ "vaultwarden.service" ];
@ -131,7 +130,7 @@ in
};
mount = lib.mkOption {
type = contracts.mount;
type = shb.contracts.mount;
description = ''
Mount configuration. This is an output option.
@ -156,7 +155,7 @@ in
'';
default = { };
type = lib.types.submodule {
options = contracts.backup.mkRequester {
options = shb.contracts.backup.mkRequester {
user = "vaultwarden";
sourceDirectories = [
dataFolder
@ -210,7 +209,7 @@ in
];
# Needed to be able to write template config.
systemd.services.vaultwarden.serviceConfig.ProtectHome = lib.mkForce false;
systemd.services.vaultwarden.preStart = lib.shb.replaceSecrets {
systemd.services.vaultwarden.preStart = shb.replaceSecrets {
userConfig = {
DATABASE_URL.source = cfg.databasePassword.result.path;
DATABASE_URL.transform = v: "postgresql://vaultwarden:${v}@127.0.0.1:5432/vaultwarden";
@ -219,7 +218,7 @@ in
SMTP_PASSWORD.source = cfg.smtp.password.result.path;
};
resultPath = "${dataFolder}/vaultwarden.env";
generator = lib.shb.toEnvVar;
generator = shb.toEnvVar;
};
shb.nginx.vhosts = [

View file

@ -1,11 +1,11 @@
{ pkgs, lib, ... }:
{ pkgs, shb, ... }:
let
pkgs' = pkgs;
ldapAdminPassword = "ldapAdminPassword";
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "authelia-basic";
nodes.machine =

View file

@ -1,15 +1,15 @@
{ lib, ... }:
{ shb, ... }:
let
commonTest =
user:
lib.shb.runNixOSTest {
shb.test.runNixOSTest {
name = "borgbackup_backupAndRestore_${user}";
nodes.machine =
{ config, ... }:
{
imports = [
lib.shb.baseImports
shb.test.baseImports
../../modules/blocks/hardcodedsecret.nix
../../modules/blocks/borgbackup.nix

View file

@ -1,4 +1,9 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
shb,
...
}:
let
pkgs' = pkgs;
in
@ -22,39 +27,39 @@ in
d.d = "not secret D";
};
configWithTemplates = lib.shb.withReplacements userConfig;
configWithTemplates = shb.withReplacements userConfig;
nonSecretConfigFile = pkgs.writeText "config.yaml.template" (
lib.generators.toJSON { } configWithTemplates
);
replacements = lib.shb.getReplacements userConfig;
replacements = shb.getReplacements userConfig;
replaceInTemplate = lib.shb.replaceSecretsScript {
replaceInTemplate = shb.replaceSecretsScript {
file = nonSecretConfigFile;
resultPath = "/var/lib/config.yaml";
inherit replacements;
};
replaceInTemplateJSON = lib.shb.replaceSecrets {
replaceInTemplateJSON = shb.replaceSecrets {
inherit userConfig;
resultPath = "/var/lib/config.json";
generator = lib.shb.replaceSecretsFormatAdapter (pkgs.formats.json { });
generator = shb.replaceSecretsFormatAdapter (pkgs.formats.json { });
};
replaceInTemplateJSONGen = lib.shb.replaceSecrets {
replaceInTemplateJSONGen = shb.replaceSecrets {
inherit userConfig;
resultPath = "/var/lib/config_gen.json";
generator = lib.shb.replaceSecretsGeneratorAdapter (lib.generators.toJSON { });
generator = shb.replaceSecretsGeneratorAdapter (lib.generators.toJSON { });
};
replaceInTemplateXML = lib.shb.replaceSecrets {
replaceInTemplateXML = shb.replaceSecrets {
inherit userConfig;
resultPath = "/var/lib/config.xml";
generator = lib.shb.replaceSecretsFormatAdapter (lib.shb.formatXML { enclosingRoot = "Root"; });
generator = shb.replaceSecretsFormatAdapter (shb.formatXML { enclosingRoot = "Root"; });
};
in
lib.shb.runNixOSTest {
shb.test.runNixOSTest {
name = "lib-template";
nodes.machine =
{ config, pkgs, ... }:

View file

@ -1,4 +1,9 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
shb,
...
}:
let
pkgs' = pkgs;
@ -6,7 +11,7 @@ let
charliePassword = "CharliePassword";
in
{
auth = lib.shb.runNixOSTest {
auth = shb.test.runNixOSTest {
name = "ldap-auth";
nodes.server =

View file

@ -1,4 +1,9 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
shb,
...
}:
let
serve =
port: text:
@ -45,7 +50,7 @@ let
);
in
{
default = lib.shb.runNixOSTest {
default = shb.test.runNixOSTest {
name = "mitmdump-default";
nodes.machine =

View file

@ -1,9 +1,9 @@
{ lib, ... }:
{ lib, shb, ... }:
let
password = "securepw";
oidcSecret = "oidcSecret";
commonTestScript = lib.shb.accessScript {
commonTestScript = shb.test.accessScript {
hasSSL = { node, ... }: !(isNull node.config.shb.monitoring.ssl);
waitForServices =
{ ... }:
@ -21,7 +21,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/blocks/monitoring.nix
];
@ -71,8 +71,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
test = {
subdomain = "g";
@ -161,7 +161,7 @@ let
};
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "monitoring_basic";
nodes.server = {
@ -175,13 +175,13 @@ in
testScript = commonTestScript;
};
https = lib.shb.runNixOSTest {
https = shb.test.runNixOSTest {
name = "monitoring_https";
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
];
};
@ -191,7 +191,7 @@ in
testScript = commonTestScript;
};
sso = lib.shb.runNixOSTest {
sso = shb.test.runNixOSTest {
name = "monitoring_sso";
nodes.client = {
@ -206,11 +206,11 @@ in
{
imports = [
basic
lib.shb.certs
shb.test.certs
https
lib.shb.ldap
shb.test.ldap
ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
(shb.test.sso config.shb.certs.certs.selfsigned.n)
sso
];

View file

@ -1,9 +1,14 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
shb,
...
}:
let
pkgs' = pkgs;
in
{
peerWithoutUser = lib.shb.runNixOSTest {
peerWithoutUser = shb.test.runNixOSTest {
name = "postgresql-peerWithoutUser";
nodes.machine =
@ -44,7 +49,7 @@ in
'';
};
peerAuth = lib.shb.runNixOSTest {
peerAuth = shb.test.runNixOSTest {
name = "postgresql-peerAuth";
nodes.machine =
@ -98,7 +103,7 @@ in
'';
};
tcpIPWithoutPasswordAuth = lib.shb.runNixOSTest {
tcpIPWithoutPasswordAuth = shb.test.runNixOSTest {
name = "postgresql-tcpIpWithoutPasswordAuth";
nodes.machine =
@ -140,7 +145,7 @@ in
'';
};
tcpIPPasswordAuth = lib.shb.runNixOSTest {
tcpIPPasswordAuth = shb.test.runNixOSTest {
name = "postgresql-tcpIPPasswordAuth";
nodes.machine =

View file

@ -1,15 +1,15 @@
{ lib, ... }:
{ lib, shb, ... }:
let
commonTest =
user:
lib.shb.runNixOSTest {
shb.test.runNixOSTest {
name = "restic_backupAndRestore_${user}";
nodes.machine =
{ config, ... }:
{
imports = [
lib.shb.baseImports
shb.test.baseImports
../../modules/blocks/hardcodedsecret.nix
../../modules/blocks/restic.nix

View file

@ -1,9 +1,9 @@
{ pkgs, lib, ... }:
{ pkgs, shb, ... }:
let
pkgs' = pkgs;
in
{
test = lib.shb.runNixOSTest {
test = shb.test.runNixOSTest {
name = "ssl-test";
nodes.server =

View file

@ -1,9 +1,6 @@
{ pkgs, ... }:
let
contracts = pkgs.callPackage ../../modules/contracts { };
in
{ shb, ... }:
{
restic_root = contracts.test.backup {
restic_root = shb.contracts.test.backup {
name = "restic_root";
username = "root";
providerRoot = [
@ -38,7 +35,7 @@ in
};
};
restic_nonroot = contracts.test.backup {
restic_nonroot = shb.contracts.test.backup {
name = "restic_nonroot";
username = "me";
providerRoot = [
@ -73,7 +70,7 @@ in
};
};
borgbackup_root = contracts.test.backup {
borgbackup_root = shb.contracts.test.backup {
name = "borgbackup_root";
username = "root";
providerRoot = [
@ -108,7 +105,7 @@ in
};
};
borgbackup_nonroot = contracts.test.backup {
borgbackup_nonroot = shb.contracts.test.backup {
name = "borgbackup_nonroot";
username = "me";
providerRoot = [

View file

@ -1,9 +1,6 @@
{ pkgs, ... }:
let
contracts = pkgs.callPackage ../../modules/contracts { };
in
{ shb, ... }:
{
restic_postgres = contracts.test.databasebackup {
restic_postgres = shb.contracts.test.databasebackup {
name = "restic_postgres";
requesterRoot = [
"shb"
@ -49,7 +46,7 @@ in
};
};
borgbackup_postgres = contracts.test.databasebackup {
borgbackup_postgres = shb.contracts.test.databasebackup {
name = "borgbackup_postgres";
requesterRoot = [
"shb"

View file

@ -1,9 +1,6 @@
{ pkgs, ... }:
let
contracts = pkgs.callPackage ../../modules/contracts { };
in
{ shb, ... }:
{
hardcoded_root_root = contracts.test.secret {
hardcoded_root_root = shb.contracts.test.secret {
name = "hardcoded";
modules = [ ../../modules/blocks/hardcodedsecret.nix ];
configRoot = [
@ -15,7 +12,7 @@ in
};
};
hardcoded_user_group = contracts.test.secret {
hardcoded_user_group = shb.contracts.test.secret {
name = "hardcoded";
modules = [ ../../modules/blocks/hardcodedsecret.nix ];
configRoot = [
@ -31,7 +28,7 @@ in
};
# TODO: how to do this?
# sops = contracts.test.secret {
# sops = shb.contracts.test.secret {
# name = "sops";
# configRoot = cfg: name: cfg.sops.secrets.${name};
# createContent = content: {

View file

@ -1,4 +1,4 @@
{ lib, ... }:
{ lib, shb, ... }:
let
inherit (lib) nameValuePair;
in
@ -34,7 +34,7 @@ in
c.other = "other";
};
in
lib.shb.withReplacements (
shb.withReplacements (
item
// {
nestedAttr = item;
@ -70,7 +70,7 @@ in
c.other = "other";
};
in
lib.shb.withReplacements [
shb.withReplacements [
item
item
[ item ]
@ -101,8 +101,8 @@ in
c.other = "other";
};
in
map lib.shb.genReplacement (
lib.shb.getReplacements (
map shb.genReplacement (
shb.getReplacements (
item
// {
nestedAttr = item;
@ -123,7 +123,7 @@ in
};
};
expr = lib.shb.parseXML ''
expr = shb.parseXML ''
<a>
<b>1</b>
<c><d>1</d></c>

View file

@ -1,4 +1,9 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
shb,
...
}:
let
healthUrl = "/health";
loginUrl = "/UI/Login";
@ -6,7 +11,7 @@ let
# TODO: Test login
commonTestScript =
appname: cfgPathFn:
lib.shb.mkScripts {
shb.test.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.arr.${appname}.ssl);
waitForServices =
{ ... }:
@ -60,7 +65,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/services/arr.nix
];
@ -81,8 +86,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
test = {
@ -106,7 +111,7 @@ let
basicTest =
appname: cfgPathFn:
lib.shb.runNixOSTest {
shb.test.runNixOSTest {
name = "arr_${appname}_basic";
nodes.client = {
@ -125,7 +130,7 @@ let
backupTest =
appname: cfgPathFn:
lib.shb.runNixOSTest {
shb.test.runNixOSTest {
name = "arr_${appname}_backup";
nodes.server =
@ -133,7 +138,7 @@ let
{
imports = [
(basic appname)
(lib.shb.backup config.shb.arr.${appname}.backup)
(shb.test.backup config.shb.arr.${appname}.backup)
];
};
@ -153,7 +158,7 @@ let
httpsTest =
appname: cfgPathFn:
lib.shb.runNixOSTest {
shb.test.runNixOSTest {
name = "arr_${appname}_https";
nodes.server =
@ -161,7 +166,7 @@ let
{
imports = [
(basic appname)
lib.shb.certs
shb.test.certs
(https appname)
];
};
@ -182,7 +187,7 @@ let
ssoTest =
appname: cfgPathFn:
lib.shb.runNixOSTest {
shb.test.runNixOSTest {
name = "arr_${appname}_sso";
nodes.server =
@ -190,10 +195,10 @@ let
{
imports = [
(basic appname)
lib.shb.certs
shb.test.certs
(https appname)
lib.shb.ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
shb.test.ldap
(shb.test.sso config.shb.certs.certs.selfsigned.n)
(sso appname)
];
};

View file

@ -1,6 +1,6 @@
{ lib, ... }:
{ shb, ... }:
let
commonTestScript = lib.shb.accessScript {
commonTestScript = shb.test.accessScript {
hasSSL = { node, ... }: !(isNull node.config.shb.audiobookshelf.ssl);
waitForServices =
{ ... }:
@ -22,7 +22,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/services/audiobookshelf.nix
];
@ -39,8 +39,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
virtualisation.memorySize = 4096;
@ -104,7 +104,7 @@ let
};
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "audiobookshelf-basic";
nodes.client = {
@ -122,13 +122,13 @@ in
testScript = commonTestScript;
};
https = lib.shb.runNixOSTest {
https = shb.test.runNixOSTest {
name = "audiobookshelf-https";
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
];
};
@ -138,7 +138,7 @@ in
testScript = commonTestScript;
};
sso = lib.shb.runNixOSTest {
sso = shb.test.runNixOSTest {
name = "audiobookshelf-sso";
nodes.server =
@ -146,10 +146,10 @@ in
{
imports = [
basic
lib.shb.certs
shb.test.certs
https
lib.shb.ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
shb.test.ldap
(shb.test.sso config.shb.certs.certs.selfsigned.n)
sso
];
};

View file

@ -1,6 +1,11 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
shb,
...
}:
let
commonTestScript = lib.shb.mkScripts {
commonTestScript = shb.test.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.deluge.ssl);
waitForServices =
{ ... }:
@ -76,7 +81,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/deluge.nix
];
@ -109,8 +114,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
test = {
subdomain = "d";
@ -167,7 +172,7 @@ let
};
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "deluge_basic";
nodes.client = {
@ -184,7 +189,7 @@ in
testScript = commonTestScript.access;
};
backup = lib.shb.runNixOSTest {
backup = shb.test.runNixOSTest {
name = "deluge_backup";
nodes.server =
@ -192,7 +197,7 @@ in
{
imports = [
basic
(lib.shb.backup config.shb.deluge.backup)
(shb.test.backup config.shb.deluge.backup)
];
};
@ -201,13 +206,13 @@ in
testScript = commonTestScript.backup;
};
https = lib.shb.runNixOSTest {
https = shb.test.runNixOSTest {
name = "deluge_https";
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
];
};
@ -217,7 +222,7 @@ in
testScript = commonTestScript.access;
};
sso = lib.shb.runNixOSTest {
sso = shb.test.runNixOSTest {
name = "deluge_sso";
nodes.server =
@ -225,10 +230,10 @@ in
{
imports = [
basic
lib.shb.certs
shb.test.certs
https
lib.shb.ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
shb.test.ldap
(shb.test.sso config.shb.certs.certs.selfsigned.n)
sso
];
};
@ -240,13 +245,13 @@ in
};
};
prometheus = lib.shb.runNixOSTest {
prometheus = shb.test.runNixOSTest {
name = "deluge_https";
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
prometheus
];

View file

@ -1,8 +1,8 @@
{ lib, ... }:
{ shb, ... }:
let
adminPassword = "AdminPassword";
commonTestScript = lib.shb.mkScripts {
commonTestScript = shb.test.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.forgejo.ssl);
waitForServices =
{ ... }:
@ -27,7 +27,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/forgejo.nix
];
@ -79,8 +79,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
test = {
subdomain = "f";
@ -182,7 +182,7 @@ let
};
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "forgejo_basic";
nodes.client = {
@ -199,7 +199,7 @@ in
testScript = commonTestScript.access;
};
backup = lib.shb.runNixOSTest {
backup = shb.test.runNixOSTest {
name = "forgejo_backup";
nodes.server =
@ -207,7 +207,7 @@ in
{
imports = [
basic
(lib.shb.backup config.shb.forgejo.backup)
(shb.test.backup config.shb.forgejo.backup)
];
};
@ -216,13 +216,13 @@ in
testScript = commonTestScript.backup;
};
https = lib.shb.runNixOSTest {
https = shb.test.runNixOSTest {
name = "forgejo_https";
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
];
};
@ -232,13 +232,13 @@ in
testScript = commonTestScript.access;
};
ldap = lib.shb.runNixOSTest {
ldap = shb.test.runNixOSTest {
name = "forgejo_ldap";
nodes.server = {
imports = [
basic
lib.shb.ldap
shb.test.ldap
ldap
];
};
@ -249,8 +249,8 @@ in
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
test = {
@ -319,7 +319,7 @@ in
testScript = commonTestScript.access;
};
sso = lib.shb.runNixOSTest {
sso = shb.test.runNixOSTest {
name = "forgejo_sso";
nodes.server =
@ -327,10 +327,10 @@ in
{
imports = [
basic
lib.shb.certs
shb.test.certs
https
lib.shb.ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
shb.test.ldap
(shb.test.sso config.shb.certs.certs.selfsigned.n)
sso
];
};

View file

@ -1,6 +1,6 @@
{ pkgs, lib, ... }:
{ shb, ... }:
let
commonTestScript = lib.shb.mkScripts {
commonTestScript = shb.test.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.grocy.ssl);
waitForServices =
{ ... }:
@ -19,7 +19,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/services/grocy.nix
];
@ -37,8 +37,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
virtualisation.memorySize = 4096;
@ -81,7 +81,7 @@ let
};
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "grocy_basic";
nodes.client = {
@ -98,13 +98,13 @@ in
testScript = commonTestScript.access;
};
https = lib.shb.runNixOSTest {
https = shb.test.runNixOSTest {
name = "grocy_https";
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
];
};

View file

@ -1,6 +1,6 @@
{ lib, ... }:
{ shb, ... }:
let
commonTestScript = lib.shb.mkScripts {
commonTestScript = shb.test.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.hledger.ssl);
waitForServices =
{ ... }:
@ -14,7 +14,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/services/hledger.nix
];
@ -32,8 +32,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
test = {
@ -69,7 +69,7 @@ let
};
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "hledger_basic";
nodes.client = {
@ -87,7 +87,7 @@ in
testScript = commonTestScript.access;
};
backup = lib.shb.runNixOSTest {
backup = shb.test.runNixOSTest {
name = "hledger_backup";
nodes.server =
@ -95,7 +95,7 @@ in
{
imports = [
basic
(lib.shb.backup config.shb.hledger.backup)
(shb.test.backup config.shb.hledger.backup)
];
};
@ -104,13 +104,13 @@ in
testScript = commonTestScript.backup;
};
https = lib.shb.runNixOSTest {
https = shb.test.runNixOSTest {
name = "hledger_https";
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
];
};
@ -120,7 +120,7 @@ in
testScript = commonTestScript.access;
};
sso = lib.shb.runNixOSTest {
sso = shb.test.runNixOSTest {
name = "hledger_sso";
nodes.server =
@ -128,10 +128,10 @@ in
{
imports = [
basic
lib.shb.certs
shb.test.certs
https
lib.shb.ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
shb.test.ldap
(shb.test.sso config.shb.certs.certs.selfsigned.n)
sso
];
};

View file

@ -1,6 +1,6 @@
{ pkgs, lib, ... }:
{ pkgs, shb, ... }:
let
commonTestScript = lib.shb.mkScripts {
commonTestScript = shb.test.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.home-assistant.ssl);
waitForServices =
{ ... }:
@ -19,7 +19,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/services/home-assistant.nix
];
@ -46,8 +46,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
virtualisation.memorySize = 4096;
@ -165,7 +165,7 @@ let
};
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "homeassistant_basic";
nodes.client = {
@ -182,7 +182,7 @@ in
testScript = commonTestScript.access;
};
backup = lib.shb.runNixOSTest {
backup = shb.test.runNixOSTest {
name = "homeassistant_backup";
nodes.server =
@ -190,7 +190,7 @@ in
{
imports = [
basic
(lib.shb.backup config.shb.home-assistant.backup)
(shb.test.backup config.shb.home-assistant.backup)
];
};
@ -199,13 +199,13 @@ in
testScript = commonTestScript.backup;
};
https = lib.shb.runNixOSTest {
https = shb.test.runNixOSTest {
name = "homeassistant_https";
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
];
};
@ -215,13 +215,13 @@ in
testScript = commonTestScript.access;
};
ldap = lib.shb.runNixOSTest {
ldap = shb.test.runNixOSTest {
name = "homeassistant_ldap";
nodes.server = {
imports = [
basic
lib.shb.ldap
shb.test.ldap
ldap
];
};
@ -233,16 +233,16 @@ in
# Not yet supported
#
# sso = lib.shb.runNixOSTest {
# sso = shb.test.runNixOSTest {
# name = "vaultwarden_sso";
#
# nodes.server = lib.mkMerge [
# basic
# (lib.shb.certs domain)
# (shb.certs domain)
# https
# ldap
# (lib.shb.ldap domain pkgs')
# (lib.shb.sso domain pkgs' config.shb.certs.certs.selfsigned.n)
# (shb.ldap domain pkgs')
# (shb.test.sso domain pkgs' config.shb.certs.certs.selfsigned.n)
# sso
# ];
#
@ -251,7 +251,7 @@ in
# testScript = commonTestScript.access;
# };
voice = lib.shb.runNixOSTest {
voice = shb.test.runNixOSTest {
name = "homeassistant_voice";
nodes.server = {

View file

@ -1,9 +1,13 @@
{ pkgs, lib }:
{
pkgs,
lib,
shb,
}:
let
subdomain = "i";
domain = "example.com";
commonTestScript = lib.shb.accessScript {
commonTestScript = shb.test.accessScript {
hasSSL = { node, ... }: !(isNull node.config.shb.immich.ssl);
waitForServices =
{ ... }:
@ -25,7 +29,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/services/immich.nix
];
@ -60,7 +64,7 @@ let
{
imports = [
base
lib.shb.certs
shb.test.certs
];
test.hasSSL = true;
@ -72,7 +76,7 @@ let
{
imports = [
https
(lib.shb.backup config.shb.immich.backup)
(shb.test.backup config.shb.immich.backup)
];
};
@ -81,8 +85,8 @@ let
{
imports = [
https
lib.shb.ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
shb.test.ldap
(shb.test.sso config.shb.certs.certs.selfsigned.n)
];
shb.immich.sso = {
@ -157,7 +161,7 @@ in
nodes.client = { };
testScript =
(lib.shb.mkScripts {
(shb.test.mkScripts {
hasSSL = args: !(isNull args.node.config.shb.immich.ssl);
waitForServices = args: [
"immich-server.service"

View file

@ -1,8 +1,8 @@
{ pkgs, lib, ... }:
{ pkgs, shb, ... }:
let
port = 9096;
commonTestScript = lib.shb.mkScripts {
commonTestScript = shb.test.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.jellyfin.ssl);
waitForServices =
{ ... }:
@ -47,7 +47,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/services/jellyfin.nix
];
test = {
@ -79,7 +79,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.clientLoginModule
shb.test.clientLoginModule
];
virtualisation.memorySize = 4096;
@ -171,7 +171,7 @@ let
jellyfinTest =
name:
{ nodes, testScript }:
lib.shb.runNixOSTest {
shb.test.runNixOSTest {
name = "jellyfin_${name}";
interactive.nodes.server = {
@ -206,7 +206,7 @@ in
{
imports = [
basic
(lib.shb.backup config.shb.jellyfin.backup)
(shb.test.backup config.shb.jellyfin.backup)
];
};
@ -219,7 +219,7 @@ in
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
];
};
@ -228,7 +228,7 @@ in
{ config, lib, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
clientLogin
];
};
@ -240,7 +240,7 @@ in
nodes.server = {
imports = [
basic
lib.shb.ldap
shb.test.ldap
ldap
];
};
@ -256,10 +256,10 @@ in
{
imports = [
basic
lib.shb.certs
shb.test.certs
https
lib.shb.ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
shb.test.ldap
(shb.test.sso config.shb.certs.certs.selfsigned.n)
sso
];
};

View file

@ -1,9 +1,9 @@
{ lib, ... }:
{ lib, shb, ... }:
let
nextauthSecret = "nextauthSecret";
oidcSecret = "oidcSecret";
commonTestScript = lib.shb.mkScripts {
commonTestScript = shb.test.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.karakeep.ssl);
waitForServices =
{ ... }:
@ -25,7 +25,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/services/karakeep.nix
];
@ -77,8 +77,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
test = {
subdomain = "k";
@ -171,7 +171,7 @@ let
};
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "karakeep_basic";
nodes.client = { };
@ -184,7 +184,7 @@ in
testScript = commonTestScript.access;
};
backup = lib.shb.runNixOSTest {
backup = shb.test.runNixOSTest {
name = "karakeep_backup";
nodes.server =
@ -192,7 +192,7 @@ in
{
imports = [
basic
(lib.shb.backup config.shb.karakeep.backup)
(shb.test.backup config.shb.karakeep.backup)
];
};
@ -201,14 +201,14 @@ in
testScript = commonTestScript.backup;
};
https = lib.shb.runNixOSTest {
https = shb.test.runNixOSTest {
name = "karakeep_https";
nodes.client = { };
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
];
};
@ -216,7 +216,7 @@ in
testScript = commonTestScript.access;
};
sso = lib.shb.runNixOSTest {
sso = shb.test.runNixOSTest {
name = "karakeep_sso";
nodes.client = {
@ -231,11 +231,11 @@ in
{
imports = [
basic
lib.shb.certs
shb.test.certs
https
lib.shb.ldap
shb.test.ldap
ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
(shb.test.sso config.shb.certs.certs.selfsigned.n)
sso
];

View file

@ -1,10 +1,10 @@
{ lib, ... }:
{ lib, shb, ... }:
let
adminUser = "root";
adminPass = "rootpw";
oidcSecret = "oidcSecret";
commonTestScript = lib.shb.mkScripts {
commonTestScript = shb.test.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.nextcloud.ssl);
waitForServices =
{ ... }:
@ -102,7 +102,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/services/nextcloud-server.nix
];
@ -136,8 +136,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
virtualisation.memorySize = 4096;
@ -176,8 +176,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
virtualisation.memorySize = 4096;
@ -231,8 +231,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
virtualisation.memorySize = 4096;
@ -444,7 +444,7 @@ let
'';
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "nextcloud_basic";
nodes.client = {
@ -461,7 +461,7 @@ in
testScript = commonTestScript.access;
};
cron = lib.shb.runNixOSTest {
cron = shb.test.runNixOSTest {
name = "nextcloud_cron";
nodes.server = {
@ -504,7 +504,7 @@ in
};
};
backup = lib.shb.runNixOSTest {
backup = shb.test.runNixOSTest {
name = "nextcloud_backup";
nodes.server =
@ -512,7 +512,7 @@ in
{
imports = [
basic
(lib.shb.backup config.shb.nextcloud.backup)
(shb.test.backup config.shb.nextcloud.backup)
];
};
@ -521,13 +521,13 @@ in
testScript = commonTestScript.backup;
};
https = lib.shb.runNixOSTest {
https = shb.test.runNixOSTest {
name = "nextcloud_https";
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
];
};
@ -538,13 +538,13 @@ in
testScript = commonTestScript.access;
};
previewGenerator = lib.shb.runNixOSTest {
previewGenerator = shb.test.runNixOSTest {
name = "nextcloud_previewGenerator";
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
previewgenerator
];
@ -555,13 +555,13 @@ in
testScript = commonTestScript.access;
};
externalStorage = lib.shb.runNixOSTest {
externalStorage = shb.test.runNixOSTest {
name = "nextcloud_externalStorage";
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
externalstorage
];
@ -575,13 +575,13 @@ in
# TODO: fix memories app
# See https://github.com/ibizaman/selfhostblocks/issues/476
# memories = lib.shb.runNixOSTest {
# memories = shb.test.runNixOSTest {
# name = "nextcloud_memories";
# nodes.server = {
# imports = [
# basic
# lib.shb.certs
# shb.test.certs
# https
# memories
# ];
@ -592,13 +592,13 @@ in
# testScript = commonTestScript.access;
# };
recognize = lib.shb.runNixOSTest {
recognize = shb.test.runNixOSTest {
name = "nextcloud_recognize";
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
recognize
];
@ -609,7 +609,7 @@ in
testScript = commonTestScript.access;
};
ldap = lib.shb.runNixOSTest {
ldap = shb.test.runNixOSTest {
name = "nextcloud_ldap";
nodes.server =
@ -617,9 +617,9 @@ in
{
imports = [
basic
lib.shb.certs
shb.test.certs
https
lib.shb.ldap
shb.test.ldap
ldap
];
};
@ -633,7 +633,7 @@ in
testScript = commonTestScript.access;
};
sso = lib.shb.runNixOSTest {
sso = shb.test.runNixOSTest {
name = "nextcloud_sso";
nodes.server =
@ -641,10 +641,10 @@ in
{
imports = [
basic
lib.shb.certs
shb.test.certs
https
lib.shb.ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
shb.test.ldap
(shb.test.sso config.shb.certs.certs.selfsigned.n)
sso
(
{ config, ... }:
@ -674,7 +674,7 @@ in
testScript = commonTestScript.access;
};
prometheus = lib.shb.runNixOSTest {
prometheus = shb.test.runNixOSTest {
name = "nextcloud_prometheus";
nodes.server =

View file

@ -1,8 +1,8 @@
{ lib, ... }:
{ shb, ... }:
let
oidcSecret = "oidcSecret";
commonTestScript = lib.shb.mkScripts {
commonTestScript = shb.test.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.open-webui.ssl);
waitForServices =
{ ... }:
@ -21,7 +21,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/open-webui.nix
];
@ -68,8 +68,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
virtualisation.memorySize = 4096;
test = {
@ -163,7 +163,7 @@ let
};
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "open-webui_basic";
nodes.client = { };
@ -176,7 +176,7 @@ in
testScript = commonTestScript.access;
};
backup = lib.shb.runNixOSTest {
backup = shb.test.runNixOSTest {
name = "open-webui_backup";
nodes.server =
@ -184,7 +184,7 @@ in
{
imports = [
basic
(lib.shb.backup config.shb.open-webui.backup)
(shb.test.backup config.shb.open-webui.backup)
];
};
@ -193,14 +193,14 @@ in
testScript = commonTestScript.backup;
};
https = lib.shb.runNixOSTest {
https = shb.test.runNixOSTest {
name = "open-webui_https";
nodes.client = { };
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
];
};
@ -208,7 +208,7 @@ in
testScript = commonTestScript.access;
};
sso = lib.shb.runNixOSTest {
sso = shb.test.runNixOSTest {
name = "open-webui_sso";
nodes.client = {
@ -221,11 +221,11 @@ in
{
imports = [
basic
lib.shb.certs
shb.test.certs
https
lib.shb.ldap
shb.test.ldap
ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
(shb.test.sso config.shb.certs.certs.selfsigned.n)
sso
];
};

View file

@ -1,9 +1,13 @@
{ pkgs, lib }:
{
pkgs,
lib,
shb,
}:
let
subdomain = "p";
domain = "example.com";
commonTestScript = lib.shb.accessScript {
commonTestScript = shb.test.accessScript {
hasSSL = { node, ... }: !(isNull node.config.shb.paperless.ssl);
waitForServices =
{ ... }:
@ -24,7 +28,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/services/paperless.nix
];
@ -57,7 +61,7 @@ let
{
imports = [
base
lib.shb.certs
shb.test.certs
];
test.hasSSL = true;
@ -69,7 +73,7 @@ let
{
imports = [
https
(lib.shb.backup config.shb.paperless.backup)
(shb.test.backup config.shb.paperless.backup)
];
};
@ -78,8 +82,8 @@ let
{
imports = [
https
lib.shb.ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
shb.test.ldap
(shb.test.sso config.shb.certs.certs.selfsigned.n)
];
shb.paperless.sso = {
@ -163,7 +167,7 @@ in
nodes.client = { };
testScript =
(lib.shb.mkScripts {
(shb.test.mkScripts {
hasSSL = args: !(isNull args.node.config.shb.paperless.ssl);
waitForServices = args: [
"paperless-web.service"

View file

@ -1,6 +1,6 @@
{ pkgs, lib, ... }:
{ pkgs, shb, ... }:
let
commonTestScript = lib.shb.mkScripts {
commonTestScript = shb.test.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.pinchflat.ssl);
waitForServices =
{ ... }:
@ -19,7 +19,7 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/pinchflat.nix
];
@ -55,8 +55,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
test = {
subdomain = "p";
@ -101,8 +101,8 @@ let
{ config, ... }:
{
imports = [
lib.shb.baseModule
lib.shb.clientLoginModule
shb.test.baseModule
shb.test.clientLoginModule
];
test = {
subdomain = "p";
@ -176,7 +176,7 @@ let
};
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "pinchflat_basic";
nodes.client = {
@ -193,7 +193,7 @@ in
testScript = commonTestScript.access;
};
backup = lib.shb.runNixOSTest {
backup = shb.test.runNixOSTest {
name = "pinchflat_backup";
nodes.server =
@ -201,7 +201,7 @@ in
{
imports = [
basic
(lib.shb.backup config.shb.pinchflat.backup)
(shb.test.backup config.shb.pinchflat.backup)
];
};
@ -210,7 +210,7 @@ in
testScript = commonTestScript.backup;
};
https = lib.shb.runNixOSTest {
https = shb.test.runNixOSTest {
name = "pinchflat_https";
nodes.client = {
@ -221,7 +221,7 @@ in
nodes.server = {
imports = [
basic
lib.shb.certs
shb.test.certs
https
];
};
@ -229,7 +229,7 @@ in
testScript = commonTestScript.access;
};
sso = lib.shb.runNixOSTest {
sso = shb.test.runNixOSTest {
name = "pinchflat_sso";
nodes.client = {
@ -242,11 +242,11 @@ in
{
imports = [
basic
lib.shb.certs
shb.test.certs
https
lib.shb.ldap
shb.test.ldap
ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
(shb.test.sso config.shb.certs.certs.selfsigned.n)
sso
];
};

View file

@ -1,6 +1,6 @@
{ lib, ... }:
{ shb, ... }:
let
commonTestScript = lib.shb.mkScripts {
commonTestScript = shb.test.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.vaultwarden.ssl);
waitForServices =
{ ... }:
@ -97,12 +97,12 @@ let
};
in
{
basic = lib.shb.runNixOSTest {
basic = shb.test.runNixOSTest {
name = "vaultwarden_basic";
nodes.server = {
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/vaultwarden.nix
basic
@ -114,15 +114,15 @@ in
testScript = commonTestScript.access;
};
https = lib.shb.runNixOSTest {
https = shb.test.runNixOSTest {
name = "vaultwarden_https";
nodes.server = {
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/vaultwarden.nix
lib.shb.certs
shb.test.certs
basic
https
];
@ -135,11 +135,11 @@ in
# Not yet supported
#
# ldap = lib.shb.runNixOSTest {
# ldap = shb.test.runNixOSTest {
# name = "vaultwarden_ldap";
#
# nodes.server = lib.mkMerge [
# lib.shb.baseModule
# shb.test.baseModule
# ../../modules/blocks/hardcodedsecret.nix
# ../../modules/services/vaultwarden.nix
# basic
@ -151,21 +151,21 @@ in
# testScript = commonTestScript.access;
# };
sso = lib.shb.runNixOSTest {
sso = shb.test.runNixOSTest {
name = "vaultwarden_sso";
nodes.server =
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/vaultwarden.nix
lib.shb.certs
shb.test.certs
basic
https
lib.shb.ldap
(lib.shb.sso config.shb.certs.certs.selfsigned.n)
shb.test.ldap
(shb.test.sso config.shb.certs.certs.selfsigned.n)
sso
];
};
@ -196,18 +196,18 @@ in
};
};
backup = lib.shb.runNixOSTest {
backup = shb.test.runNixOSTest {
name = "vaultwarden_backup";
nodes.server =
{ config, ... }:
{
imports = [
lib.shb.baseModule
shb.test.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/vaultwarden.nix
basic
(lib.shb.backup config.shb.vaultwarden.backup)
(shb.test.backup config.shb.vaultwarden.backup)
];
};