nixfiles/hosts/tablet/secrets.nix

{ pkgs, ... }:
let secrets-db = (import ./secrets-db.nix { });
in {
# Parent directory for the files init-secrets writes. Mode and age are spelled
# out here but are the tmpfiles.d defaults for "d" (0755, never cleaned), so the
# directory itself is world-listable; only the files inside carry the restrictive
# owner/mode from secrets-db. NOTE(review): tightening this to 0700 would only
# be safe if every secrets-db entry is owned by root — check secrets-db.nix.
systemd.tmpfiles.rules = [ "d /secrets 0755 root root -" ];
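environment.systemPackages = [
  # init-secrets: fetch this host's secrets from Vault and materialise each one
  # as a file at the path, owner, group and mode declared in secrets-db.nix.
  # The vault CLI must already be authenticated (VAULT_TOKEN or ~/.vault-token);
  # the target directories (presumably /secrets) must already exist.
  (pkgs.writeShellScriptBin "init-secrets" (
    let
      # Render one write_secret call from a secrets-db entry, the Vault KV path
      # holding it and the jq selector (relative to .data.data) of the field.
      writeSecret = s: kvPath: field:
        ''write_secret "${s.path}" "${s.user}" "${s.group}" "${s.permissions}" "${kvPath}" "${field}"'';
      # All WireGuard material for this host lives in one KV entry.
      wgKv = "/private-public-keys/wireguard/chaos-internal/tablet";
    in ''
      set -e -u -o pipefail
      # Files holding secrets must never be created world-readable, not even in
      # the window between the write and the chmod that sets the final mode.
      umask 077
      # Callers may point at another Vault; otherwise use the home instance.
      export VAULT_ADDR="''${VAULT_ADDR:-https://vault.owo.monster}"
      export PATH=$PATH:${pkgs.vault}/bin:${pkgs.jq}/bin

      # kv_get <kv-path>: the whole KV-v2 entry as JSON.
      kv_get() {
        vault kv get -format json "$1"
      }
      # simple_get <kv-path> <jq-path>: one field of the entry's data, raw.
      # jq -e exits non-zero when the selected value is null, so a missing or
      # misspelled key aborts the run instead of silently writing "null".
      simple_get() {
        kv_get "$1" | jq -e -r ".data.data$2"
      }
      # write_secret <file> <user> <group> <mode> <kv-path> <jq-path>
      # Writes to a temp file in the target directory and renames it into place,
      # so a failed fetch never leaves a truncated secret behind and the file is
      # only ever visible with its final ownership and mode.
      write_secret() {
        local file=$1 user=$2 group=$3 mode=$4 kv_path=$5 field=$6
        local tmp
        echo "$file"
        tmp=$(mktemp "$file.XXXXXX")
        simple_get "$kv_path" "$field" > "$tmp" || { rm -f "$tmp"; return 1; }
        chown "$user:$group" "$tmp"
        chmod "$mode" "$tmp"
        mv -f "$tmp" "$file"
      }

      ${writeSecret secrets-db.music_stream_password "/api-keys/music-stream" ".password"}
      ${writeSecret secrets-db.wg_priv wgKv ".private"}
      ${writeSecret secrets-db.wg_preshared_hetzner-vm wgKv ".preshared_keys.hetzner_vm"}
      ${writeSecret secrets-db.wg_preshared_vault wgKv ".preshared_keys.vault"}
      ${writeSecret secrets-db.wg_preshared_storage wgKv ".preshared_keys.storage"}
    ''
  ))
];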
}