X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fsystem%2Fquatresaisons.nix;h=491e215eb180e18d7925dc84245e090203ca338e;hb=da30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2;hp=353323f1696d76ab06da0b92bb11528e5ed46c2e;hpb=cd30f69995a05e1e2e0f70af75c9a0d49a817d60;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix
index 353323f..491e215 100644
--- a/modules/private/system/quatresaisons.nix
+++ b/modules/private/system/quatresaisons.nix
@@ -1,4 +1,3 @@
-{ privateFiles }:
 { config, pkgs, lib, ... }:
 let
   serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
@@ -54,7 +53,7 @@ let
       chmod go-rwx /var/lib/nixos/sponsored_users
       echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users
       (${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \
-        -y /var/secrets/ldap/sync_password 2>/dev/null >/dev/null || true) <<EOF
+        -y ${config.secrets.fullPaths."ldap/sync_password"} 2>/dev/null >/dev/null || true) <<EOF
     dn: uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org
     objectClass: inetOrgPerson
     cn: $1
@@ -75,7 +74,7 @@ let
         userdel -r "$1"
         sed -i -e "/^$mygroup $1/d" /var/lib/nixos/sponsored_users
         ${pkgs.openldap}/bin/ldapdelete -D cn=root,dc=salle-s,dc=org \
-          -y /var/secrets/ldap/sync_password \
+          -y ${config.secrets.fullPaths."ldap/sync_password"} \
           "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
         echo "deleted"
         exit 0
@@ -104,7 +103,7 @@ let
       if [ "$1" = "$mygroup" ]; then
         log "resets web password"
         ${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
-          -y /var/secrets/ldap/sync_password \
+          -y ${config.secrets.fullPaths."ldap/sync_password"} \
           -S "uid=$mygroup,ou=users,dc=salle-s,dc=org"
       else
         IFS=",";
@@ -112,7 +111,7 @@ let
         if [ "$u" = "$1" ]; then
           log "resets web password of $1"
           ${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
-            -y /var/secrets/ldap/sync_password \
+            -y ${config.secrets.fullPaths."ldap/sync_password"} \
             -S "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
           exit 0
         fi
@@ -164,6 +163,8 @@ in
     targetHost = config.hostEnv.ips.main.ip4;
     substituteOnDestination = true;
   };
+  # ssh-keyscan quatresaison | nix-shell -p ssh-to-age --run ssh-to-age
+  secrets.ageKeys = [ "age1yz8u6xvh2fltvyp96ep8crce3qx4tuceyhun6pwddfe0uvcrkarscxl7e7" ];
 
   programs.ssh.package = pkgs.openssh.overrideAttrs(old: {
     PATH_PASSWD_PROG = "/run/wrappers/bin/passwd";
@@ -173,7 +174,7 @@ in
   imports = builtins.attrValues (import ../..) ++
     [ ./quatresaisons/nextcloud.nix ./quatresaisons/databases.nix ];
 
-  myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+  myEnv = import ../../../nixops/secrets/environment.nix;
 
   fileSystems = {
     "/"     = { device = "/dev/disk/by-uuid/865931b4-c5cc-439f-8e42-8072c7a30634"; fsType = "ext4"; };
@@ -220,10 +221,10 @@ in
     deps = [ "secrets" "users" ];
     text =
       let
-        com = "-D cn=root,dc=salle-s,dc=org -y /var/secrets/ldap/sync_password";
+        com = "-D cn=root,dc=salle-s,dc=org -y ${config.secrets.fullPaths."ldap/sync_password"}";
       in ''
       # Add users
-      ${pkgs.openldap}/bin/ldapadd -c ${com} -f /var/secrets/ldap/ldaptree.ldif 2>/dev/null >/dev/null || true
+      ${pkgs.openldap}/bin/ldapadd -c ${com} -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} 2>/dev/null >/dev/null || true
 
       # Remove obsolete users
       ${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\
@@ -274,6 +275,7 @@ in
     }
   ];
 
+  myServices.monitoring.enable = true;
   myServices.certificates.enable = true;
   users.mutableUsers = true;
   system.stateVersion = "21.03";
@@ -333,6 +335,7 @@ in
     {
       commands = [
         { command = "${sponsoredUser}/bin/sponsored_user"; options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/sponsored_user"; options = [ "NOPASSWD" ]; }
       ];
       users = builtins.attrNames normalUsers;
       runAs = "root";