

commit 8a4d110869262180fa8a81f7e087c0d09ebd7e45
parent 880741439c03d0025402791f944081e62720c8a9
Author: Leah (ctucx) <git@ctu.cx>
Date: Fri, 19 May 2023 19:51:34 +0200

machines/briefkasten/solar-nrw/solax2mqtt: only store password in secrets and substitute it in the config on the fly
4 files changed, 37 insertions(+), 23 deletions(-)
diff --git a/machines/briefkasten/solar-nrw/solax2mqtt.nix b/machines/briefkasten/solar-nrw/solax2mqtt.nix
@@ -1,13 +1,25 @@
 { inputs, config, pkgs, ... }:
 
-{
+let
+  solax2mqttConfig = {
+    ip             = "192.168.178.75";
+    password       = "\${PASSWORD}";
+    mqtt.host      = "::1";
+    mqtt.port      = 1883;
+    mqtt.topic     = "solax2mqtt";
+    updateInterval = 10;
+  };
+
+  configFile = pkgs.writeText "solax2mqtt-config.json" (builtins.toJSON solax2mqttConfig);
+
+in {
 
   imports = [
     ./vpn.nix
   ];
 
   age.secrets = {
-    solax2mqtt-config.file = ./. + "/../../../secrets/${config.networking.hostName}/solar-nrw/solax2mqtt.age";
+    solax2mqtt-env.file = ./. + "/../../../secrets/${config.networking.hostName}/solar-nrw/solax2mqtt.env.age";
   };
 
   systemd.services.solax2mqtt = {
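Review bot: The placeholder `password = "\${PASSWORD}";` deserves a comment, because the backslash escape is the only thing that stops Nix from interpolating it and leaves the literal `${PASSWORD}` for envsubst to replace at service start; something like `# literal ${PASSWORD}, substituted by envsubst in ExecStartPre` next to it would do. It is also worth stating on `configFile` that the generated JSON lands in the world-readable Nix store and must therefore hold only the placeholder, never a secret value, so nobody later adds one to solax2mqttConfig. The attribute set opened by `in {` continues past the hunk.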

@@ -16,18 +28,23 @@
     after     = [ "network-online.target" "strongswan.service" "mosquitto.service" ];
     onFailure = [ "email-notify@%i.service" ];
 
-    environment.CONFIG_PATH = "%d/config.json";
+    environment.CONFIG_PATH = "/var/run/solax2mqtt/config.json";
 
     serviceConfig = {
+      EnvironmentFile = config.age.secrets.solax2mqtt-env.path;
       ExecStart    = "${pkgs.solax2mqtt}/bin/solax2mqtt";
+      ExecStartPre = (pkgs.writeShellScript "solax2mqtt-pre-start" ''
+        umask 077
+        ${pkgs.envsubst}/bin/envsubst -i "${configFile}" > /var/run/solax2mqtt/config.json
+      '');
+
+      RuntimeDirectory = "solax2mqtt";
 
       RuntimeMaxSec = "1d";
       Restart       = "always";
       RestartSec    = "5";
 
-      LoadCredential = "config.json:${config.age.secrets.solax2mqtt-config.path}";
-
-      DynamicUser = true;
+      DynamicUser             = true;
 
       NoNewPrivileges         = true;
       PrivateTmp              = true;
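Review bot: The envsubst call on the ExecStartPre line does not fail when PASSWORD is absent from the environment file: an unset variable is replaced by an empty string, so a missing or misnamed secret yields a config with an empty password instead of a start-up failure. The nixpkgs envsubst accepts `-no-unset -no-empty`, so `${pkgs.envsubst}/bin/envsubst -no-unset -no-empty -i "${configFile}" > /var/run/solax2mqtt/config.json` would make the pre-start script abort in that case. Substitution is also purely textual, not JSON-aware, so a password containing `"` or `\` produces invalid JSON; that constraint should at least be documented next to the secret. Note that EnvironmentFile= applies to ExecStart as well, so the password stays in the main process environment (readable through /proc/<pid>/environ and inherited by any child), which the removed LoadCredential= layout avoided. The serviceConfig set continues outside the hunk.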

@@ -48,7 +65,7 @@
       DevicePolicy            = "closed";
       LockPersonality         = true;
 
-      LimitNPROC              = 1;
+      LimitNPROC              = 10;
     };
   };
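Review bot: The change of `LimitNPROC` from 1 to 10 carries no comment saying why; presumably the pre-start shell plus envsubst now need more than a single process under the dynamic user, but that is inferred from the earlier hunk. A short note such as `LimitNPROC = 10; # pre-start shell + envsubst` would keep the next reader from tightening it again. The serviceConfig set starts outside the hunk.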
 
diff --git a/secrets/briefkasten/solar-nrw/solax2mqtt.age b/secrets/briefkasten/solar-nrw/solax2mqtt.age
@@ -1,15 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVL3l4RERTVWJ0OHdVODNt
-TWExSkNFVmFyQkZjeElWRDJYTTl5U0NHV0hrCm93MGhNcnFxUms4K0VnUzFSNlVU
-TTVhdFJpVUh3b3lWNzhQbVZqQTdodUEKLT4gc3NoLWVkMjU1MTkgNGhLQ013IDl0
-K21ZNUJoZndxQ3Bvc1hRTGVYRXBoZWg4ZGlGOXByczUxaGxOdjVvVFUKeS9pK2lY
-OXJjQUp3OFhhQ2ZEREtoTTdzUVd5d1NjTW1wblF0Z0k4VFdXNAotPiAsLWdyZWFz
-ZSBBdDAgKD04fGxeV0Qgaz0oWG8gQFQ1M01ACldESFB2dkJWK01YNDd4dExjVm1E
-UHhYOWRBZWJnSjJLenBrT3pWeER2b3BCZ3luZW5GV2VXeTZFZnRxeks1NWMKMFNh
-REFWdE9ZS1FoOTlKMHY2anFiT2h5bDE3SVFuc2VVcERxZ3BXU1Y1WVluaDFZWTFV
-Ci0tLSBaakk4eHJIUlFmeVZkOEwxN0dzeW4xY3NDdXFrZkNSS0svWEFNN2l5dmRF
-Crz/FtUzYCXIHG4L8eaip1TZd6fkAqixh6WMjIr/S2mKOsodKvU8KpSDc/a7MQV8
-FHatBC+nOzJduOzzfLpFFAuMI7jitpHTdAfaUyYnaM9oNej6lGpx37tMJty8iUmr
-fOEiHDubwstAv6Ysojz6ijadjLFcha3/s3fwdo+PUsiDrVWVTxjGC8h+LcwXR5yZ
-Yl1aCcaCD+zWxhvv4IfJ+3mWROvWMuX+oWH0PyDO2LyoQi0IqdWW
------END AGE ENCRYPTED FILE-----
diff --git a/secrets/briefkasten/solar-nrw/solax2mqtt.env.age b/secrets/briefkasten/solar-nrw/solax2mqtt.env.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -41,7 +41,7 @@ in {
   "briefkasten/telegraf/secrets.env.age".publicKeys                 = [ leah briefkasten ];
 
   "briefkasten/solar-nrw/vpn-secrets.age".publicKeys                = [ leah briefkasten ];
-  "briefkasten/solar-nrw/solax2mqtt.age".publicKeys                 = [ leah briefkasten ];
+  "briefkasten/solar-nrw/solax2mqtt.env.age".publicKeys             = [ leah briefkasten ];
 
   "briefkasten/wireguard-privkey.age".publicKeys                    = [ leah briefkasten ];