tadpole/test-vm: Update WHIB service

- Update `WHIB` input - Update secrets to reflect changes in input
2025-01-12 12:07:41 +01:00
parent 01cff093fd
commit c478f795f1
15 changed files with 80 additions and 91 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -267,11 +267,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1735900130,
+        "lastModified": 1738420006,
-        "narHash": "sha256-bj1b9f8hmyzQH74Lg6rBhe6DXbThifGhKQKIns3GT8w=",
+        "narHash": "sha256-hz/8diWmWxyq5ywodBPTAs60MzH2t8IldooYnU5weZE=",
        "ref": "master",
-        "rev": "c9b16ef5558e48703bcb85be413f0c39a896e85b",
+        "rev": "f73bdd33f47da1e6db9d5ff93039450ef972857c",
-        "revCount": 365,
+        "revCount": 367,
        "type": "git",
        "url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
      },
--- a/hosts/tadpole/modules/whib/default.nix
+++ b/hosts/tadpole/modules/whib/default.nix
@@ -1,5 +1,4 @@
 {
  pkgs,
  lib,
  config,
  ...
@@ -26,26 +25,20 @@ in
      enable = true;
      backend = {
        signingKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-signing-key.path})";
        domain = "api.whib.ppp.pm";
        useACMEHost = "api.whib.ppp.pm";
        environmentFile = config.age.secrets.whib-backend-env-vars.path;
      };
      postgres = {
-        database = "whib";
+        environmentFile = config.age.secrets.whib-postgres-env-vars.path;
        host = "postgres";
        port = "5432";
        user = "whib";
        password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-postgres-password.path})";
        backup = {
          interval = "*-*-* 00:00:00 UTC";
          environmentFile = config.age.secrets.whib-postgres-backup-env-vars.path;
          gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
          backblazeBucket = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-bucket.path})";
          backblazeKeyID = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key-id.path})";
          backblazeKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key.path})";
        };
      };
@@ -53,19 +46,19 @@ in
        domain = "grafana.whib.ppp.pm";
        useACMEHost = "grafana.whib.ppp.pm";
-        password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-grafana-password.path})";
+        environmentFile = config.age.secrets.whib-grafana-env-vars.path;
      };
    };
    age.secrets = {
-      "whib-signing-key".file = ../../../../secrets/tadpole/whib-signing-key.age;
+      "whib-backend-env-vars".file = ../../../../secrets/tadpole/whib-backend-env-vars.age;
-      "whib-postgres-password".file = ../../../../secrets/tadpole/whib-postgres-password.age;
+      "whib-postgres-env-vars".file = ../../../../secrets/tadpole/whib-postgres-env-vars.age;
      "whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
      "whib-postgres-backup-env-vars".file =
        ../../../../secrets/tadpole/whib-postgres-backup-env-vars.age;
      "whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
-      "whib-backblaze-bucket".file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
+
-      "whib-backblaze-key-id".file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
+      "whib-grafana-env-vars".file = ../../../../secrets/tadpole/whib-grafana-env-vars.age;
      "whib-backblaze-key".file = ../../../../secrets/tadpole/whib-backblaze-key.age;
    };
  };
 }
--- a/hosts/test-vm/whib-backend.nix
+++ b/hosts/test-vm/whib-backend.nix
@@ -1,4 +1,5 @@
 {
  pkgs,
  lib,
  config,
  ...
@@ -14,34 +15,68 @@ in
  };
  config = lib.mkIf enabled {
-    services.whib-backend = {
+    services.whib-backend =
-      enable = true;
+      let
        backendEnvVars = pkgs.writeText "backend-env-vars" ''
          SIGNING_KEY=signingkey
          POSTGRES_DB=whib
          POSTGRES_USER=whib
          POSTGRES_PASSWORD=pgpassword
        '';
-      backend = {
+        postgresEnvVars = pkgs.writeText "postgres-env-vars" ''
-        signingKey = "super-secret-key";
+          POSTGRES_DB=whib
-        domain = "whib-backend.local";
+          POSTGRES_USER=whib
-      };
+          POSTGRES_PASSWORD=pgpassword
        '';
-      postgres = {
+        postgresBackupEnvVars = pkgs.writeText "postgres-backup-env-vars" ''
-        password = "postgrespassword";
+          PGDATABASE=whib
          PGUSER=whib
          PGPASSWORD=pgpassword
          B2_BUCKET=a
          B2_APPLICATION_KEY_ID=b
          B2_APPLICATION_KEY=c
        '';
-        backup = {
+        gpgPassphraseFile = pkgs.writeText "gpg-passphrase" ''
-          interval = "*-*-* *:*:00 UTC"; # Every minute, for testing
+          foobar
        '';
-          # Set these for test runs
+        grafanaEnvVars = pkgs.writeText "grafana-env-vars" ''
-          gpgPassphraseFile = "";
+          GF_SECURITY_ADMIN_PASSWORD=grafanapassword
          GF_USERS_ALLOW_SIGN_UP=false
        '';
-          backblazeBucket = "";
+      in
-          backblazeKeyID = "";
+      {
-          backblazeKey = "";
+        enable = true;
        backend = {
          domain = "whib-backend.local";
          environmentFile = backendEnvVars;
        };
        postgres = {
          environmentFile = postgresEnvVars;
          backup = {
            interval = "*-*-* *:*:00 UTC"; # Every minute, for testing
            environmentFile = postgresBackupEnvVars;
            gpgPassphraseFile = gpgPassphraseFile;
          };
        };
        grafana = {
          domain = "grafana.local";
          environmentFile = grafanaEnvVars;
        };
      };
      grafana = {
        password = "granfanapassword";
      };
    };
    virtualisation.vmVariant = {
      virtualisation = {
        sharedDirectories = {
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -48,11 +48,9 @@ in {
  "tadpole/alex.tadpole-git.ppp.pm.pub.age".publicKeys = [ tadpole alex ];
  "tadpole/gitea-dbpassword.age".publicKeys = [ tadpole alex ];
-  "tadpole/whib-signing-key.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-backend-env-vars.age".publicKeys = [ tadpole alex ];
-  "tadpole/whib-postgres-password.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-postgres-env-vars.age".publicKeys = [ tadpole alex ];
-  "tadpole/whib-grafana-password.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-postgres-backup-env-vars.age".publicKeys = [ tadpole alex ];
  "tadpole/whib-gpg-key.age".publicKeys = [ tadpole alex ];
-  "tadpole/whib-backblaze-bucket.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-grafana-env-vars.age".publicKeys = [ tadpole alex ];
  "tadpole/whib-backblaze-key-id.age".publicKeys = [ tadpole alex ];
  "tadpole/whib-backblaze-key.age".publicKeys = [ tadpole alex ];
 }
--- a/secrets/tadpole/whib-backblaze-bucket.age
+++ b/secrets/tadpole/whib-backblaze-bucket.age
@@ -1,7 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 5R7G9A V2ngjouYa4wi42HngK3TQfGRNqZ+gW4iQ01HxdnfNxo
 vvK7WyZkdH/vmeBrC8cs3neLpaZ8RryvYg61sBzf12A
 -> ssh-ed25519 +oNaHQ 1pK15FPOkaejA0GfotISM2ATOcE8tsUgZOpL0PONC08
 dDjq/2ZH/FHgLCQHgRaYba/3JtOvHl4k9GgzxyQw+L4
 --- yyW+//7KvwvcTHs76bPxtG9TUrFgJzp7KtqaqjP/0GY
 <EFBFBD><EFBFBD>~<7E><>}"[<5B>~nIm<49><6D><EFBFBD>2<EFBFBD><32>t<EFBFBD><74><EFBFBD>T<EFBFBD><54>xw<78>T<EFBFBD><54><EFBFBD>5,5^<5E><>w<EFBFBD><77>6l<36><6C>T<EFBFBD><54>(<28>
--- a/secrets/tadpole/whib-backblaze-key-id.age
+++ b/secrets/tadpole/whib-backblaze-key-id.age
@@ -1,8 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 5R7G9A YRCagpPHZ/4X9VyWgxWbugjSdYTzSUD2ncgWunzYVFs
 7SKYPayWt4XGG5YVB3yKt+dpGKOBtJW3E/LZq3eJmGI
 -> ssh-ed25519 +oNaHQ EHjg/EH4AbcqEHp27hhJqOLwa9P7sz2iavqIvkBkFQA
 T/2Po7X5FFb575QSxvvE1LqwZpFoDX/gnKLopBw/NMU
 --- 2cWhyrmkeeeiYNTyhJri/UHVhLqU0fJ3Py34rzhmr7c
 clN<>2<EFBFBD>ʍ<EFBFBD><CA8D>y~<7E>,lsX<73><58><EFBFBD><EFBFBD>s.<2E><>4<EFBFBD>*!<21><><EFBFBD>j<EFBFBD>c
 ]u<>Ʒ<EFBFBD>z<EFBFBD>g<EFBFBD><67><06><>;F
--- a/secrets/tadpole/whib-backblaze-key.age
+++ b/secrets/tadpole/whib-backblaze-key.age
@@ -1,7 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 5R7G9A /exiuF2v+lsAUID7eT53DooUgVnQHsE0lJOPgdbLuzU
 KPZKG2vYo7hczQ9iRTubb8mBUM9F3E19+1T6GExhsJM
 -> ssh-ed25519 +oNaHQ 6/BOd1ahNHbKPH6V4DwiSWQ2MFPztTAqBHTc8V1HJFw
 IF8V4HtNQqYzK58WdxYg1e2bfh9T7keV67VR/VzCUz0
 --- WuqN3ez4lofmNyDaaKKXA23lFtnd+2VwuG7wT28u0xU
 СQ<EFBFBD><EFBFBD>Vd<EFBFBD><EFBFBD><08><>>\<5C><11><15>
--- a/secrets/tadpole/whib-backend-env-vars.age
+++ b/secrets/tadpole/whib-backend-env-vars.age
--- a/secrets/tadpole/whib-gpg-key.age
+++ b/secrets/tadpole/whib-gpg-key.age
@@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 5R7G9A ORTl5WSeg4vSKUAwzCp9ABRL02SvjFZrBHuWLMbSmxI
+-> ssh-ed25519 5R7G9A Q6V8S5312DQhP0QtPbAlbn+uDER6jpi+gvn40ndmnn0
-obXt5wHXbfkdOAXwPySZeFelSFwJnCoH1EExtXNmBio
+soymoaAKbNlYicSbtHhqn54D0zVBHBuHUKngex/VgoM
-> ssh-ed25519 +oNaHQ vxTHufUlEwbuztnIsCcprfXonpNUlv1ZcHQpEQjGtz8
+-> ssh-ed25519 +oNaHQ cpzCyu/9Jrm9Rx5C/rhuZku6uJWjrlHpCYxWOwuwQWw
-uFym0SgmM6LZRqJrSPMLHI6DLZ5t/WLvKP0dMvM8bUc
+1GA8NsLeOTo/zHs/k0vt/N8hH+2MXfMNRy+qKBqi3fM
--- 7UQLcCs/G20iP2YlwjCEmpFcXgqJfQacqSVGBBPmAbY
+--- 5O74sFn1xDZ53xHM7KHZ+ge7DzdnhyeB0W0znMk7NYQ
-y<>ӆ<EFBFBD><D386>'<27>_K<07><>f<EFBFBD>3<EFBFBD>;<EFBFBD>X<EFBFBD><58><EFBFBD><EFBFBD>_<EFBFBD>tu[<5B>\<10><><EFBFBD><1F>)uK<75><4B>,ƫ<>zq񐏭<71>|<7C>1!X<>YY<59>g<EFBFBD>7<><37>Eڛ<>^<5E><>
+u<EFBFBD><1E><><EFBFBD>w<EFBFBD>D<EFBFBD>ms"<22><>4<EFBFBD><34><EFBFBD><EFBFBD>w<EFBFBD><77>G<7F>L<>ur	7V`G=	<09><><EFBFBD><EFBFBD>C<EFBFBD><43>n2<6E><32>n<0C><0C>3S~go<67><18><><EFBFBD><EFBFBD>cs<63>@7Ƴ
--- a/secrets/tadpole/whib-grafana-env-vars.age
+++ b/secrets/tadpole/whib-grafana-env-vars.age
--- a/secrets/tadpole/whib-grafana-password.age
+++ b/secrets/tadpole/whib-grafana-password.age
--- a/secrets/tadpole/whib-postgres-backup-env-vars.age
+++ b/secrets/tadpole/whib-postgres-backup-env-vars.age
--- a/secrets/tadpole/whib-postgres-env-vars.age
+++ b/secrets/tadpole/whib-postgres-env-vars.age
--- a/secrets/tadpole/whib-postgres-password.age
+++ b/secrets/tadpole/whib-postgres-password.age
@@ -1,7 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 5R7G9A WqkH9G2AGAcQfa9u+w6+QVXYVlozt0JsB/icILH/Jnc
 SGhXQ33eRtVtIEKdZCmpyxNUtFgtZhGUs9QX20GbHRg
 -> ssh-ed25519 +oNaHQ k66ZToSUzHxDm0yZkI4+Gase/Q5GJrsB7c6+LvmgGSg
 6x9dzdloKJT2Tcawn4m2d518KUjdINGi4u+PFvMt9tQ
 --- 395jqjDR3lBIIPOUIlnOJW/048qeJPC5CJbMJdpSjTo
 <EFBFBD>ϛ<EFBFBD><uI<75>X"<22><0C>^C<12>j};<3B><><EFBFBD><EFBFBD>Kd<4B><64><06><>ٗX<D997><58>b<EFBFBD><0C><><EFBFBD>W<>,{7u+x<>L]<5D>
--- a/secrets/tadpole/whib-signing-key.age
+++ b/secrets/tadpole/whib-signing-key.age
@@ -1,8 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 5R7G9A ncGAywK2O0Geyy5E9HmRdDCmCD7RwmflyyBXFKH4KSc
 4Izx8nT/k5yOMOG4InifQw+wzEDe9PqMyeF3LEicOKE
 -> ssh-ed25519 +oNaHQ cPf/X971sb4pNKz9t0W318EpY3XJNB/OId7nGZ/ooXc
 Vp5x6PZML0jtPEjuaDo7KjtHdKv5SyPAS2+Fvhjbro8
 --- 4jGA5763tvEcNDmNnYaoCfw99xROjqpKW0dMG23BqbE
 <1F><><EFBFBD>j^t<><74><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>B%<25><>a<><61><EFBFBD><EFBFBD>$<24><>8m}-LbM<62>n<EFBFBD><6E><18><1C>R<02><>cZ<63><5A><EFBFBD>=<3D><0C>$x<18><>}<7D><>)PH<50>{X<>3<EFBFBD>ᏻ<EFBFBD><E18FBB><EFBFBD>V<EFBFBD><15><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><12><><EFBFBD>Օ<EFBFBD>6Rs<52><73><EFBFBD><12><>r<EFBFBD><72>b<EFBFBD>nl<6E>]<5D><>/Ȏe@/<2F>*<2A><><EFBFBD>:<3A>ڸ<EFBFBD><DAB8>V~<7E><>V<EFBFBD>a]`<60><19>
 <EFBFBD><EFBFBD><EFBFBD>=ٿv<D9BF>z\<5C>