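{
  config,
  lib,
  namespace,
  ...
}:
# Declares the SOPS-managed secrets used by the nebula service: the CA
# certificate plus this host's certificate and private key. Every secret is
# owned by the per-network nebula user and restarts the nebula unit whenever
# the secret changes.
let
  cfg = config.${namespace}.services.nebula;

  # Option path of this module, used in assertion messages so they stay
  # correct when the module is instantiated under a different namespace
  # (the previous messages hard-coded one namespace).
  optPath = "${namespace}.services.nebula";

  sopsFile = cfg.secretsFile;
  nebulaUser = "nebula-${cfg.networkName}";
  nebulaUnit = "nebula@${cfg.networkName}.service";

  # Common attributes for one secret. The key name is not needed to build
  # the attribute set, so the parameter is intentionally ignored.
  # `mode` is deliberately left unset so sops-nix's default (0400,
  # owner-only) applies — this is what keeps the host private key unreadable
  # by any account other than the nebula user.
  # NOTE(review): `group = nebulaUser` assumes the nebula service creates a
  # group with the same name as its user — confirm against the nebula module.
  mkSecret = _key: {
    inherit sopsFile;
    owner = nebulaUser;
    group = nebulaUser;
    restartUnits = [ nebulaUnit ];
  };

  # The CA certificate is made group-readable (0440) so nebula-ui, a member
  # of the nebula group, can read it. Only the public CA cert is widened
  # here; the host key keeps the owner-only default from mkSecret.
  mkCaSecret = key: (mkSecret key) // { mode = "0440"; };
in
{
  config = lib.mkIf cfg.enable {
    # Both settings are mandatory: the prefix selects the keys inside the
    # SOPS document and secretsFile is the document itself. Fail evaluation
    # early with a message naming the real option path.
    assertions = [
      {
        assertion = cfg.secretsPrefix != "";
        message = "${optPath}.secretsPrefix must be set (e.g. \"pi5/nebula\")";
      }
      {
        assertion = cfg.secretsFile != "";
        message = "${optPath}.secretsFile must be set to the path of the SOPS secrets YAML";
      }
    ];

    # Secret names are the YAML key paths inside secretsFile.
    sops.secrets = {
      "${cfg.secretsPrefix}/ca-cert" = mkCaSecret "ca-cert";
      "${cfg.secretsPrefix}/${cfg.hostSecretName}-cert" = mkSecret "host-cert";
      "${cfg.secretsPrefix}/${cfg.hostSecretName}-key" = mkSecret "host-key";
    };
  };
}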