X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fgitolite%2Fdefault.nix;fp=modules%2Fprivate%2Fgitolite%2Fdefault.nix;h=e8ccc7d67777ffc15e6cb654c478e7568275ba6c;hb=ce7d09efb55888501b73f9e763811deac762aed2;hp=1549c94530c6b10ad4f2528632f64e1eb11eb471;hpb=46c99b575ab45c79e195bc9e9ed75759e814aad1;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix
index 1549c94..e8ccc7d 100644
--- a/modules/private/gitolite/default.nix
+++ b/modules/private/gitolite/default.nix
@@ -20,6 +20,14 @@ in {
 };
 networking.firewall.allowedTCPPorts = [ 9418 ];
+ secrets.keys = [{
+ dest = "gitolite/ldap_password";
+ user = "gitolite";
+ group = "gitolite";
+ permissions = "0400";
+ text = config.myEnv.tools.gitolite.ldap.password;
+ }];
+
 services.gitDaemon = {
 enable = true;
 user = "gitolite";
@@ -34,7 +42,7 @@ in {
 } ''
 makeWrapper "${./gitolite_ldap_groups.sh}" "$out" \
 --prefix PATH : ${lib.makeBinPath deps} \
- --set LDAP_PASS ${pkgs.lib.escapeShellArg config.myEnv.tools.gitolite.ldap.password}
+ --set LDAP_PASS_PATH ${config.secrets.fullPaths."gitolite/ldap_password"}
 '';
 in {
 deps = [ "users" ];
@@ -50,6 +58,7 @@ in {
 };
 users.users.wwwrun.extraGroups = [ "gitolite" ];
+ users.users.gitolite.extraGroups = [ "keys" ];
 users.users.gitolite.packages = let
 python-packages = python-packages: with python-packages; [
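Review bot: The `text = config.myEnv.tools.gitolite.ldap.password;` attribute in the new `secrets.keys` entry still carries the plaintext through evaluation, so whether the password really stays out of the world-readable Nix store depends on how the secrets module deploys `text`, which this diff does not show. Once that is confirmed, a short comment above the entry would help the next reader, e.g. `# LDAP bind password for gitolite_ldap_groups.sh; deployed outside the Nix store, readable only by gitolite`. Because the previous wrapper baked the password into a store path, the old value should probably be rotated and the old generations garbage-collected.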
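Review bot: The new `--set LDAP_PASS_PATH` argument in the second hunk interpolates the path into the builder script unquoted, whereas the line it replaces went through `escapeShellArg`. Keeping the escaping, `--set LDAP_PASS_PATH ${pkgs.lib.escapeShellArg config.secrets.fullPaths."gitolite/ldap_password"}`, avoids word splitting if the secrets directory ever contains a space or shell metacharacter. The wrapped `gitolite_ldap_groups.sh` now has to read the password from that file instead of `$LDAP_PASS`; the script is not part of this diff, so confirm it was updated in the same commit and that it fails closed when the file is missing or unreadable. The enclosing `let` binding starts and ends outside the hunk.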