From b3b731207b7a15293f57327f22be67930f4ec76e Mon Sep 17 00:00:00 2001
From: Gerg-L
Date: Thu, 6 Feb 2025 22:08:35 -0500
Subject: [PATCH] vocard: use sops templating
---
 flake.lock | 6 +-
 .../services/vocard/application.yml | 4 +-
 .../gerg-desktop/services/vocard/secrets.yaml | 16 +++--
 .../services/vocard/settings.json | 10 ++--
 .../gerg-desktop/services/vocard/vocard.nix | 60 +++++++++++++++++++
 packages/lavalink/package.nix | 1 -
 6 files changed, 81 insertions(+), 16 deletions(-)
diff --git a/flake.lock b/flake.lock
index df95d20..87306c7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -663,11 +663,11 @@
 "systems": "systems"
 },
 "locked": {
- "lastModified": 1738460606,
- "narHash": "sha256-ohK4UlI12qRAygjdsdTPGhkR2iQ3Ecfv58cRdgVfVQ4=",
+ "lastModified": 1738870758,
+ "narHash": "sha256-O9AnKGD2n1CTKJBpHw76uLDz/FfQHPPiFotA/nnkXmA=",
 "owner": "Gerg-L",
 "repo": "nvim-flake",
- "rev": "c443a97bea7fad20e7ee8b535fa8d8f352e6d83f",
+ "rev": "a461451f69209eb904d233afa283132a1ffbb77b",
 "type": "github"
 },
 "original": {
diff --git a/nixosConfigurations/gerg-desktop/services/vocard/application.yml b/nixosConfigurations/gerg-desktop/services/vocard/application.yml
index 572e29a..b025eea 100644
--- a/nixosConfigurations/gerg-desktop/services/vocard/application.yml
+++ b/nixosConfigurations/gerg-desktop/services/vocard/application.yml
@@ -18,7 +18,7 @@ plugins:
 - WEBEMBEDDED
 oauth:
 enabled: true
- refreshToken: ""
+ refreshToken: "@refresh_token@"
 # name: # Name of the plugin
 # some_key: some_value # Some key-value pair for the plugin
 # another_key: another_value
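Review bot: The `refreshToken: "@refresh_token@"` marker in this application.yml hunk is later filled in by plain string substitution (`builtins.replaceStrings` in the vocard.nix hunk), so the decrypted value lands inside a double-quoted YAML scalar with no escaping; a secret containing `"` or `\` would produce a broken or differently-parsed config. The same applies to `password: "@password@"` in the second application.yml hunk and to the five markers in settings.json, where the rendered file must remain valid JSON. I would document the constraint next to the marker, e.g. `# @refresh_token@ is substituted verbatim from sops; the value must not contain " or \`, and keep generated passwords to an alphanumeric alphabet.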
@@ -35,7 +35,7 @@ lavalink:
 # defaultPluginRepository: "https://maven.lavalink.dev/releases" # optional, defaults to the Lavalink release repository
 # defaultPluginSnapshotRepository: "https://maven.lavalink.dev/snapshots" # optional, defaults to the Lavalink snapshot repository
 server:
- password: "youshallnotpass"
+ password: "@password@"
 sources:
 # The default Youtube source is now deprecated and won't receive further updates. Please use https://github.com/lavalink-devs/youtube-source#plugin instead.
 youtube: false
diff --git a/nixosConfigurations/gerg-desktop/services/vocard/secrets.yaml b/nixosConfigurations/gerg-desktop/services/vocard/secrets.yaml
index 81f3bc8..6ed4159 100644
--- a/nixosConfigurations/gerg-desktop/services/vocard/secrets.yaml
+++ b/nixosConfigurations/gerg-desktop/services/vocard/secrets.yaml
@@ -1,5 +1,11 @@
-vocard: ENC[AES256_GCM,data:5tMsCU3eI9oTcbJf53paVi82TlEOTgAEUF0hYgnee97x/DZsoiCg5xhsedlp7vwJgWv+em3qiOah47EopR9x4uL8O/WFYAVrx6b03tUTzzk31NZMQ1xxSzbdJ+5BsheB2UYhpt99sHweVTjHsyy1gICa3zfk7W+SfzNJqTk1Sz2u+o9MS2y7UH+lddK/IEF9QlPI3pUJPKCjd2fjZaz/LS4ih3Hq0whpdeLpJ7G4NK2l50hRwDU0vuQgmMJZvEH/Mx7E7n7nHar//9nueE2JxPaKPkAJ7MnZ6GQppLX3zwExe4BEW3H449dVPV94eFcTCYO9QBE=,iv:5ieW16/MCK3BJshihfoeFfPcH83RmaAvy/kF4921zjk=,tag:t5ouiAwmVLl0SbRUEl8CnA==,type:str]
-lavalink: ENC[AES256_GCM,data:p6FMF2uXwHqg9bGiU1/8TRCToGyDR3t0Kz4J1mCHu2beSpLZWV0Cy9BcwsE2rFMKh5bxzffh8FrMDJJ8cnLpBqCNDDdyHpRub9zuREiJ0yPUEvG6GhAQpvhMOQYAkDe2fVmSIWdF+s+v514rj7mjEkHpdNov7pEL,iv:9OYomvSLszkTYuDReRUyHauPwaZrzlZC6VvJ1sI6rhw=,tag:X2RpZxwnxU6ofo+19Q/DYQ==,type:str]
+vocard:
+ token: ENC[AES256_GCM,data:CCu4yOw4Fvwyx0KkYIikiz3VY2xTPbBx1q92W7FBTp+5fU+UP7yuAwZMWWZtzKdEyypzlk5uJ4tJRwUHqq62EnJqYj4wCVcr,iv:/Nxr9QPjEa67Xxn+tz3TRrcNG+cqEPVsqdjjxLp7R+k=,tag:LcVRrGorxvljJqpgs2bSoA==,type:str]
+ client_id: ENC[AES256_GCM,data:yd9vcUVxMpAKiPzl1hDI9EJhzA==,iv:dzB8ls0k5kWd+qtbSAkSfAXO0dxIUwdjppGYMkc+OHg=,tag:l1M4XTs79fszfNcFXSzVVg==,type:str]
+ spotify_client_id: ENC[AES256_GCM,data:uwqtWL7JZnN6FsPfTxtBjEgjE7qwGcKbDnloO6SNWs4=,iv:HMZ42J2oXavE4NZCmP1MUVZ+s9Px4XBDRWIbCcl6dYs=,tag:iO8hn8mlNGS1dcLBwwl/AQ==,type:str]
+ spotify_client_secret: ENC[AES256_GCM,data:YnfLj7RPTaucpZCqnel2gStd8oBcbWnL4/+KnkyT4u0=,iv:W6gXch7jH5jFp0PJy0LZ7vq1yCtO1NLbCTR3N6r47nQ=,tag:ct5Y786N6qVkZCts6pZniQ==,type:str]
+lavalink:
+ refresh_token: ENC[AES256_GCM,data:t40tbR2FrGTQCmuGsQ0AXJyjKLBYpOs52aIVaYtZnYWYa2pEm+c8K2pDT33uWe2WA0YSV5z5Qe+YEeryudaLALGB/hnGpnRqPDiS4msiPQMD+5dFnrelYIXCFz8kTlCPdsaDW33F5w==,iv:pk+V85B+t3gYFm2zYWqACwRh0q4W86UvcaNnzhbzztU=,tag:gjC4ADv9hNhk85niT3P75g==,type:str]
+ password: ENC[AES256_GCM,data:boIoVKGcXWAaKx6rOH1w1awTGfc=,iv:mX8WaaeeQXqyVuM5oA5tUUG7h7C0rV9QAVoHW/InyPc=,tag:Q/P3T5o1CMlbxe+UWyOP3A==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -15,8 +21,8 @@ sops:
 WC9NVmdtWjlWSWN6dUwwMFdPRmpxWG8Ka0i27kBbA4p835RWsEPIghFTwxo4elOz
 PL0TnuMNnl66TJiD0x6oRMn8tb6wQIAqGxBt9Jb2lj24eXCtzfGbEg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-02-06T17:07:08Z"
- mac: ENC[AES256_GCM,data:jVVU4F6GK8mf8lvH5BNbbU9UHJu/od4Y+jTTSBkFcH9SBy9AWlwm6YjNmotSH3IMuxUWe3vyLLoga2pLgla2TJlScDpok9ZTcZTmSybacrTfT2r3Xyt++R+v+i5fnhlnN7MfnPYx33tofoxpIKdvM0VCaBi+dY1EXXNQOSRdOiA=,iv:bz8+UdBJXSLI+/C48pFoYIHGF6CMaJIonvRMNmJhy7I=,tag:0DCcq2t7wcvzrXqtnAeXeg==,type:str]
+ lastmodified: "2025-02-07T03:01:32Z"
+ mac: ENC[AES256_GCM,data:T7z3iKsPZ6AiAf+ogcUfbBCLpXWgb76KKkpfXjHIkvoovHIil8diyWSPogj0eD6a7i4mTjvaan7VoFsNS76KjVezGrEUlMcmck/JgSYkyxZmKtw0Yt/V4G8z7BodG7uWCo37eG7XZopi+Oy1+EWku6OzfXXi9vi27BtyDqAju6Y=,iv:b8mqxYPMUBhPyk+wkcNJXGX32GulRZMR+iSVOOePs9E=,tag:qTRumh4WEICrubw0gi91YA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.9.3
+ version: 3.9.4
diff --git a/nixosConfigurations/gerg-desktop/services/vocard/settings.json b/nixosConfigurations/gerg-desktop/services/vocard/settings.json
index 2c96c50..2715a29 100644
--- a/nixosConfigurations/gerg-desktop/services/vocard/settings.json
+++ b/nixosConfigurations/gerg-desktop/services/vocard/settings.json
@@ -1,8 +1,8 @@
 {
- "token": "",
- "client_id": "",
- "spotify_client_id": "",
- "spotify_client_secret": "",
+ "token": "@token@",
+ "client_id": "@client_id@",
+ "spotify_client_id": "@spotify_client_id@",
+ "spotify_client_secret": "@spotify_client_secret@",
 "genius_token": "YOUR_GENIUS_TOKEN",
 "mongodb_url": "0.0.0.0",
 "mongodb_name": "vocard",
@@ -10,7 +10,7 @@
 "DEFAULT": {
 "host": "0.0.0.0",
 "port": 2333,
- "password": "youshallnotpass",
+ "password": "@password@",
 "secure": false,
 "identifier": "DEFAULT"
 }
diff --git a/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix b/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix
index 55e66e6..7ddcdf8 100644
--- a/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix
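Review bot: The node password in the `DEFAULT` entry of settings.json is now a sops-managed secret, but the unchanged neighbours in that hunk still read `"host": "0.0.0.0"` and `"secure": false`, so the password is presented over a non-TLS connection to a wildcard address. If Lavalink runs on the same machine (the vocard.nix hunk suggests it does, but the server's bind address is outside this diff), I would pin the client to loopback with `"host": "127.0.0.1"` and bind the server to the same address, so the secret never leaves the host. Separately, `"genius_token": "YOUR_GENIUS_TOKEN"` stays a literal in the committed file; if that token is ever filled in, it should go through the same `@…@` marker path rather than being pasted here.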
+++ b/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix
@@ -1,11 +1,71 @@
 {
 self',
 lib,
+ config,
 }:
 {
+ sops = {
+ secrets =
+ builtins.mapAttrs
+ (
+ _: v:
+ v
+ // {
+ sopsFile = ./secrets.yaml;
+ }
+ )
+ {
+ "vocard/token" = { };
+ "vocard/client_id" = { };
+ "vocard/spotify_client_id" = { };
+ "vocard/spotify_client_secret" = { };
+ "lavalink/refresh_token" = { };
+ "lavalink/password" = { };
+
+ };
+ templates = {
+ vocard.content =
+ builtins.replaceStrings
+ [
+ "@token@"
+ "@client_id@"
+ "@spotify_client_id@"
+ "@spotify_client_secret@"
+ "@password@"
+ ]
+ [
+ config.sops.placeholder."vocard/token"
+ config.sops.placeholder."vocard/client_id"
+ config.sops.placeholder."vocard/spotify_client_id"
+ config.sops.placeholder."vocard/spotify_client_secret"
+ config.sops.placeholder."lavalink/password"
+
+ ]
+ (builtins.readFile ./settings.json);
+
+ lavalink.content =
+ builtins.replaceStrings
+ [
+ "@refresh_token@"
+
+ "@password@"
+ ]
+ [
+ config.sops.placeholder."lavalink/refresh_token"
+
+ config.sops.placeholder."lavalink/password"
+
+ ]
+ (builtins.readFile ./application.yml);
+ };
+ };
+
 systemd.tmpfiles.rules = [
 "d /persist/services/vocard - - - - -"
 "d /persist/services/lavalink - - - - -"
+
+ "L+ /persist/services/vocard/settings.json - - - - ${config.sops.templates.vocard.path}"
+ "L+ /persist/services/lavalink/application.yml - - - - ${config.sops.templates.lavalink.path}"
 ];
 systemd.services = {
diff --git a/packages/lavalink/package.nix b/packages/lavalink/package.nix
index 1df4ea7..0f798e6 100644
--- a/packages/lavalink/package.nix
+++ b/packages/lavalink/package.nix
@@ -18,7 +18,6 @@ stdenvNoCC.mkDerivation (finalAttrs: {
 hash = "sha256-OznpsYoiWa6y+/8kukWN66leLi2mZU/1x+zN+uyIk1k=";
 };
- dontUnpack = true;
 nativeBuildInputs = [ makeBinaryWrapper ];
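Review bot: The two `sops.templates` entries in the vocard.nix hunk set only `content`, so the rendered files keep sops-nix's default ownership and mode (root-only, as far as I know), and the new `L+` rules merely symlink to them. The `systemd.services` definitions begin after this hunk, so I cannot see which user the units run as; if it is not root they will be unable to read their config, and rather than loosening the mode the templates should name the reader explicitly, e.g. `sops.templates.vocard.owner = "<service user>";` and likewise for `lavalink`. `builtins.replaceStrings` also succeeds silently when a marker is misspelled or absent from the file, which would leave the literal `@…@` text in place as the credential, so a short comment above each marker list stating that it must match the markers in `settings.json` / `application.yml` would help.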