X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fsystem%2Fquatresaisons.nix;h=82db70ff0d1c7a97e50e7b98b779625b98aad8d8;hb=4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0;hp=353323f1696d76ab06da0b92bb11528e5ed46c2e;hpb=cd30f69995a05e1e2e0f70af75c9a0d49a817d60;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix
index 353323f..82db70f 100644
--- a/modules/private/system/quatresaisons.nix
+++ b/modules/private/system/quatresaisons.nix
@@ -1,4 +1,3 @@
-{ privateFiles }:
 { config, pkgs, lib, ... }:
 let
   serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
@@ -54,7 +53,7 @@ let
       chmod go-rwx /var/lib/nixos/sponsored_users
       echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users
       (${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \
-        -y /var/secrets/ldap/sync_password 2>/dev/null >/dev/null || true) <<EOF
+        -y ${config.secrets.fullPaths."ldap/sync_password"} 2>/dev/null >/dev/null || true) <<EOF
     dn: uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org
     objectClass: inetOrgPerson
     cn: $1
@@ -75,7 +74,7 @@ let
         userdel -r "$1"
         sed -i -e "/^$mygroup $1/d" /var/lib/nixos/sponsored_users
         ${pkgs.openldap}/bin/ldapdelete -D cn=root,dc=salle-s,dc=org \
-          -y /var/secrets/ldap/sync_password \
+          -y ${config.secrets.fullPaths."ldap/sync_password"} \
           "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
         echo "deleted"
         exit 0
@@ -104,7 +103,7 @@ let
       if [ "$1" = "$mygroup" ]; then
         log "resets web password"
         ${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
-          -y /var/secrets/ldap/sync_password \
+          -y ${config.secrets.fullPaths."ldap/sync_password"} \
           -S "uid=$mygroup,ou=users,dc=salle-s,dc=org"
       else
         IFS=",";
@@ -112,7 +111,7 @@ let
         if [ "$u" = "$1" ]; then
           log "resets web password of $1"
           ${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
-            -y /var/secrets/ldap/sync_password \
+            -y ${config.secrets.fullPaths."ldap/sync_password"} \
             -S "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
           exit 0
         fi
@@ -164,6 +163,8 @@ in
     targetHost = config.hostEnv.ips.main.ip4;
     substituteOnDestination = true;
   };
+  # ssh-keyscan quatresaison | nix-shell -p ssh-to-age --run ssh-to-age
+  secrets.ageKeys = [ "age1yz8u6xvh2fltvyp96ep8crce3qx4tuceyhun6pwddfe0uvcrkarscxl7e7" ];
 
   programs.ssh.package = pkgs.openssh.overrideAttrs(old: {
     PATH_PASSWD_PROG = "/run/wrappers/bin/passwd";
@@ -173,7 +174,7 @@ in
   imports = builtins.attrValues (import ../..) ++
     [ ./quatresaisons/nextcloud.nix ./quatresaisons/databases.nix ];
 
-  myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+  myEnv = import ../../../nixops/secrets/environment.nix;
 
   fileSystems = {
     "/"     = { device = "/dev/disk/by-uuid/865931b4-c5cc-439f-8e42-8072c7a30634"; fsType = "ext4"; };
@@ -220,10 +221,10 @@ in
     deps = [ "secrets" "users" ];
     text =
       let
-        com = "-D cn=root,dc=salle-s,dc=org -y /var/secrets/ldap/sync_password";
+        com = "-D cn=root,dc=salle-s,dc=org -y ${config.secrets.fullPaths."ldap/sync_password"}";
       in ''
       # Add users
-      ${pkgs.openldap}/bin/ldapadd -c ${com} -f /var/secrets/ldap/ldaptree.ldif 2>/dev/null >/dev/null || true
+      ${pkgs.openldap}/bin/ldapadd -c ${com} -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} 2>/dev/null >/dev/null || true
 
       # Remove obsolete users
       ${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\
@@ -253,14 +254,12 @@ in
     '';
   };
 
-  secrets.keys = [
-    {
-      dest = "ldap/sync_password";
+  secrets.keys = {
+    "ldap/sync_password" = {
       permissions = "0400";
       text = serverSpecificConfig.ldap_sync_password;
-    }
-    {
-      dest = "ldap/ldaptree.ldif";
+    };
+    "ldap/ldaptree.ldif" = {
       permissions = "0400";
       text = serverSpecificConfig.ldap_service_users
         + (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
@@ -271,9 +270,10 @@ in
         sn: ${n}
         uid: ${n}
       '') normalUsers));
-    }
-  ];
+    };
+  };
 
+  myServices.monitoring.enable = true;
   myServices.certificates.enable = true;
   users.mutableUsers = true;
   system.stateVersion = "21.03";
@@ -333,6 +333,7 @@ in
     {
       commands = [
         { command = "${sponsoredUser}/bin/sponsored_user"; options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/sponsored_user"; options = [ "NOPASSWD" ]; }
       ];
       users = builtins.attrNames normalUsers;
       runAs = "root";