Use attrs for secrets instead of lists
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 16 Oct 2021 15:40:07 +0000 (17:40 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 16 Oct 2021 18:20:45 +0000 (20:20 +0200)
77 files changed:
flakes/private/openarc/flake.lock
flakes/private/opendmarc/flake.lock
flakes/private/opendmarc/flake.nix
flakes/secrets/flake.nix
modules/duply_backup/default.nix
modules/naemon/default.nix
modules/private/buildbot/default.nix
modules/private/databases/mariadb.nix
modules/private/databases/mariadb_replication.nix
modules/private/databases/openldap/default.nix
modules/private/databases/openldap_replication.nix
modules/private/databases/postgresql.nix
modules/private/databases/postgresql_replication.nix
modules/private/databases/redis.nix
modules/private/databases/redis_replication.nix
modules/private/dns.nix
modules/private/ejabberd/default.nix
modules/private/ftp.nix
modules/private/gitolite/default.nix
modules/private/mail/dovecot.nix
modules/private/mail/milters.nix
modules/private/mail/opensmtpd.nix
modules/private/mail/postfix.nix
modules/private/mail/relay.nix
modules/private/mail/sympa.nix
modules/private/monitoring/default.nix
modules/private/monitoring/status.nix
modules/private/monitoring/status_engine.nix
modules/private/mpd.nix
modules/private/ssh/default.nix
modules/private/system/backup-2.nix
modules/private/system/eldiron.nix
modules/private/system/monitoring-1.nix
modules/private/system/quatresaisons.nix
modules/private/system/quatresaisons/databases.nix
modules/private/tasks/default.nix
modules/private/vpn/default.nix
modules/private/websites/chloe/integration.nix
modules/private/websites/chloe/production.nix
modules/private/websites/connexionswing/integration.nix
modules/private/websites/connexionswing/production.nix
modules/private/websites/default.nix
modules/private/websites/florian/app.nix
modules/private/websites/immae/temp.nix
modules/private/websites/isabelle/aten_integration.nix
modules/private/websites/isabelle/aten_production.nix
modules/private/websites/isabelle/iridologie.nix
modules/private/websites/jerome/naturaloutil.nix
modules/private/websites/ludivine/integration.nix
modules/private/websites/ludivine/production.nix
modules/private/websites/piedsjaloux/integration.nix
modules/private/websites/piedsjaloux/production.nix
modules/private/websites/richie/production.nix
modules/private/websites/syden/peertube.nix
modules/private/websites/tools/cloud/default.nix
modules/private/websites/tools/commento/default.nix
modules/private/websites/tools/dav/davical.nix
modules/private/websites/tools/diaspora/default.nix
modules/private/websites/tools/ether/default.nix
modules/private/websites/tools/git/mantisbt.nix
modules/private/websites/tools/mail/roundcubemail.nix
modules/private/websites/tools/mastodon/default.nix
modules/private/websites/tools/mgoblin/default.nix
modules/private/websites/tools/peertube/default.nix
modules/private/websites/tools/performance/default.nix
modules/private/websites/tools/stats/default.nix
modules/private/websites/tools/tools/csp_reports.nix
modules/private/websites/tools/tools/default.nix
modules/private/websites/tools/tools/dmarc_reports.nix
modules/private/websites/tools/tools/kanboard.nix
modules/private/websites/tools/tools/ldap.nix
modules/private/websites/tools/tools/shaarli.nix
modules/private/websites/tools/tools/ttrss.nix
modules/private/websites/tools/tools/wallabag.nix
modules/private/websites/tools/tools/webhooks.nix
modules/private/websites/tools/tools/yourls.nix
modules/zrepl.nix

index 744d00240f38d4679cd29f3df93ef56a26794e49..be75993707e9594f764b2873b32c01e8fcf1271f 100644 (file)
     },
     "secrets": {
       "locked": {
-        "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=",
+        "narHash": "sha256-w3u1bMEJHCg9SqErJ5Qi0sTX2xx7mk+HrHZXzpjQd1w=",
         "path": "../../secrets",
         "type": "path"
       },
index bd5019c0e0e5649d6b52c1d7a1759cfddfdc6aac..f40e1a9632a200895fe910455e1721aa3bad200e 100644 (file)
     },
     "secrets": {
       "locked": {
-        "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=",
+        "narHash": "sha256-w3u1bMEJHCg9SqErJ5Qi0sTX2xx7mk+HrHZXzpjQd1w=",
         "path": "../../secrets",
         "type": "path"
       },
index 2b73070f5df0cde63ca46aa2eaf9ddcb2acff151..e2575e7f56d7089b5798fc6e530415637d4b95c4 100644 (file)
@@ -53,9 +53,8 @@
               config.secrets.fullPaths."opendmarc/ignore.hosts"
             ];
           };
-          secrets.keys = [
-            {
-              dest = "opendmarc/ignore.hosts";
+          secrets.keys = {
+            "opendmarc/ignore.hosts" = {
               user = config.services.opendmarc.user;
               group = config.services.opendmarc.group;
               permissions = "0400";
@@ -67,8 +66,8 @@
                   builtins.concatStringsSep "\n" ([
                     config.myEnv.mail.dmarc.ignore_hosts
                   ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
-            }
-          ];
+            };
+          };
         };
       };
     in
index 0ee6a40929f4f27e28ab327c93b7700e5dd2c7e2..ef74a30244f49ee28465ad0663312cbfedd6ca08 100644 (file)
@@ -5,9 +5,42 @@
     nixosModule = { config, lib, pkgs, ... }: {
       options.secrets = with lib; {
         keys = mkOption {
-          type = types.listOf types.unspecified;
-          default = [];
-          description = "Keys to upload to server";
+          type = types.attrsOf (types.submodule {
+            options = {
+              isTemplated = mkOption {
+                type = types.bool;
+                default = true;
+                description = "If the file is a gucci template that needs to be resolved";
+              };
+              isDir = mkOption {
+                type = types.bool;
+                default = false;
+                description = "If the entry is a directory";
+              };
+              group = mkOption {
+                type = types.str;
+                default = "root";
+                description = "Group to associate to the entry";
+              };
+              user = mkOption {
+                type = types.str;
+                default = "root";
+                description = "User to associate to the entry";
+              };
+              permissions = mkOption {
+                type = types.str;
+                default = "0600";
+                description = "Permissions to associate to the entry";
+              };
+              text = mkOption {
+                type = types.str;
+                description = "Content of the entry";
+              };
+            };
+          });
+          default = {};
+          description = "Keys attrs to upload to the server";
+          apply = lib.mapAttrsToList (dest: v: v // { inherit dest; });
         };
         gpgKeys = mkOption {
           type = types.listOf types.path;
         location = config.secrets.location;
         keys = config.secrets.keys;
         empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
-        fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}";
+        fpath = v: "secrets/${v.dest}${lib.optionalString v.isTemplated ".gucci.tpl"}";
         dumpKey = v:
-          if v.isDir or false then
+          if v.isDir then
             ''
               mkdir -p secrets/${v.dest}
               cat >> mods <<EOF
-              ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
+              ${v.user} ${v.group} ${v.permissions} secrets/${v.dest}
               EOF
             ''
           else ''
             mkdir -p secrets/$(dirname ${v.dest})
             echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v}
             cat >> mods <<EOF
-            ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v}
+            ${v.user} ${v.group} ${v.permissions} ${fpath v}
             EOF
             '';
         secrets = pkgs.runCommand "secrets.tar.enc" {
           '';
         pathChmodExcl =
           let
-            dirs = builtins.filter (v: v.isDir or false) keys;
+            dirs = builtins.filter (v: v.isDir) keys;
             exclPath = builtins.concatStringsSep " -o " (map (d: " -path $TMP/${d.dest}") dirs);
           in
             lib.optionalString (builtins.length dirs > 0) " -not \\( ${exclPath} \\) ";
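Review bot: The new submodule declares `text` as a required `types.str` with no default, yet every directory entry in this commit (`opendkim`, `ldap`, the `backup/…` dirs) sets only `isDir = true`; evaluation only succeeds because `dumpKey` reads `v.text` solely in its non-dir branch and `apply` never forces option values, so anything that later serialises or inspects a whole entry would hit "option used but not defined". Either make that contract explicit in the option, e.g. `description = "Content of the entry; required unless isDir is set, in which case it is ignored";`, or give `text` a `types.nullOr` type and assert `v.isDir || v.text != null` where the entries are consumed. `permissions` is also a free-form string that flows straight into the `mods` file consumed by the chmod step; `type = types.strMatching "[0-7]{3,4}";` would reject a mistyped mode at evaluation time rather than at install time. Finally, since `apply` turns the attrset into a list with `dest` injected, readers of `config.secrets.keys` see a list, not the "Keys attrs" the description promises; worth a sentence in the description. The enclosing `nixosModule` definition starts and ends outside these hunks.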
index 7034a91fe0dc4b3d96e49eae5c987e1c91e1fe7f..846b1d472a6c0fc8ca9c7c31034c0f77e2c28875 100644 (file)
@@ -75,24 +75,21 @@ in
     system.activationScripts.backup = ''
       install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
       '';
-    secrets.keys = lib.flatten (lib.mapAttrsToList (k: v:
+    secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (k: v:
       map (remote: [
-        {
+        (lib.nameValuePair "backup/${varName k remote}/conf" {
           permissions = "0400";
-          dest = "backup/${varName k remote}/conf";
           text = duplyProfile v remote "${k}/";
-        }
-        {
+        })
+        (lib.nameValuePair "backup/${varName k remote}/exclude" {
           permissions = "0400";
-          dest = "backup/${varName k remote}/exclude";
           text = v.excludeFile;
-        }
-        {
+        })
+        (lib.nameValuePair "backup/${varName k remote}" {
           permissions = "0500";
-          dest = "backup/${varName k remote}";
           isDir = true;
-        }
-    ]) v.remotes) config.services.duplyBackup.profiles);
+        })
+    ]) v.remotes) config.services.duplyBackup.profiles));
 
     services.cron = {
       enable = true;
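Review bot: `lib.listToAttrs` keeps the first pair on duplicate names and silently drops the rest, so if `varName k remote` can ever produce the same name for two profile/remote pairs (I cannot see `varName` from here), the later entry vanishes instead of being reported, where the previous list form would at least have emitted both. The same construction appears in buildbot/default.nix, mariadb_replication.nix, openldap_replication.nix and postgresql_replication.nix. Building per-remote attrsets and combining them with `lib.mkMerge` routes the combination through the module system, which reports a conflicting duplicate key as an error; `lib.mapAttrs'` (as redis_replication.nix and dns.nix already do) is the simpler option where each host yields exactly one entry.
```nix
    secrets.keys = lib.mkMerge (lib.flatten (lib.mapAttrsToList (k: v:
      map (remote: {
        "backup/${varName k remote}/conf" = {
          permissions = "0400";
          text = duplyProfile v remote "${k}/";
        };
        "backup/${varName k remote}/exclude" = {
          permissions = "0400";
          text = v.excludeFile;
        };
        "backup/${varName k remote}" = {
          permissions = "0500";
          isDir = true;
        };
      }) v.remotes) config.services.duplyBackup.profiles));
    # … unchanged: services.cron …
```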
index 976de6937bc1adca87a9165458db9d4594f926e8..60a75b3f30de048ab4bd696135a79eaa82a8c568 100644 (file)
@@ -124,9 +124,8 @@ in
 
 
   config = mkIf cfg.enable {
-    secrets.keys = [
-      {
-        dest = "naemon/resources.cfg";
+    secrets.keys = {
+      "naemon/resources.cfg" = {
         user = cfg.user;
         group = cfg.group;
         permissions = "0400";
@@ -134,8 +133,8 @@ in
           $USER1$=${pkgs.monitoring-plugins}/libexec
           ${cfg.extraResource}
           '';
-      }
-    ];
+      };
+    };
 
     users.users = optionalAttrs (cfg.user == "naemon") {
       naemon = {
index 903f453094c3041695b4c68fa5f826ffb207f61b..dc8a0d241bac99a294ba2e53df084cd991c7de5c 100644 (file)
@@ -76,33 +76,30 @@ in
         '';
     }) config.myEnv.buildbot.projects;
 
-    secrets.keys = (
+    secrets.keys = lib.listToAttrs (
       lib.lists.flatten (
         lib.attrsets.mapAttrsToList (k: project:
           lib.attrsets.mapAttrsToList (k: v:
-            {
+            (lib.nameValuePair "buildbot/${project.name}/${k}" {
               permissions = "0600";
               user = "buildbot";
               group = "buildbot";
               text = v;
-              dest = "buildbot/${project.name}/${k}";
-            }
+            })
           ) project.secrets
           ++ [
-            {
+            (lib.nameValuePair "buildbot/${project.name}/webhook-httpd-include" {
               permissions = "0600";
               user = "wwwrun";
               group = "wwwrun";
               text = lib.optionalString (project.webhookTokens != null) ''
                 Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }"
                 '';
-              dest = "buildbot/${project.name}/webhook-httpd-include";
-            }
-            {
+            })
+            (lib.nameValuePair "buildbot/${project.name}/environment_file" {
               permissions = "0600";
               user = "buildbot";
               group = "buildbot";
-              dest = "buildbot/${project.name}/environment_file";
               text = let
                 project_env = with lib.attrsets;
                   mapAttrs' (k: v: nameValuePair "BUILDBOT_${k}" v) project.environment //
@@ -115,33 +112,30 @@ in
                   };
                 in builtins.concatStringsSep "\n"
                   (lib.mapAttrsToList (envK: envV: "${envK}=${envV}") project_env);
-            }
+            })
           ]
         ) config.myEnv.buildbot.projects
       )
-    ) ++ [
-      {
+    ) // {
+      "buildbot/ldap" = {
         permissions = "0600";
         user = "buildbot";
         group = "buildbot";
         text = config.myEnv.buildbot.ldap.password;
-        dest = "buildbot/ldap";
-      }
-      {
+      };
+      "buildbot/worker_password" = {
         permissions = "0600";
         user = "buildbot";
         group = "buildbot";
         text = config.myEnv.buildbot.workerPassword;
-        dest = "buildbot/worker_password";
-      }
-      {
+      };
+      "buildbot/ssh_key" = {
         permissions = "0600";
         user = "buildbot";
         group = "buildbot";
         text = config.myEnv.buildbot.ssh_key.private;
-        dest = "buildbot/ssh_key";
-      }
-    ];
+      };
+    };
 
     services.filesWatcher = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
       restart = true;
index 75ea747147896437ad6480a2159a52a0e19f31e6..101eb3fb7c850157b9b31786199d4a4084543cb5 100644 (file)
@@ -121,9 +121,8 @@ in {
       '';
     };
 
-    secrets.keys = [
-      {
-        dest = "mysql/mysqldump";
+    secrets.keys = {
+      "mysql/mysqldump" = {
         permissions = "0400";
         user = "root";
         group = "root";
@@ -132,9 +131,8 @@ in {
           user = root
           password = ${cfg.credentials.root}
         '';
-      }
-      {
-        dest = "mysql/pam";
+      };
+      "mysql/pam" = {
         permissions = "0400";
         user = "mysql";
         group = "mysql";
@@ -146,9 +144,8 @@ in {
           pam_filter ${filter}
           ssl start_tls
         '';
-      }
-      {
-        dest = "mysql/pam_replication";
+      };
+      "mysql/pam_replication" = {
         permissions = "0400";
         user = "mysql";
         group = "mysql";
@@ -160,8 +157,8 @@ in {
           pam_login_attribute cn
           ssl start_tls
         '';
-      }
-    ];
+      };
+    };
 
     security.pam.services = let
       pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
index e857c416d1d6ba638b7dd3148246eb6958ef2183..68e6f7fdd809590e503d35d7e4793539b9d695a2 100644 (file)
@@ -81,9 +81,8 @@ in
     };
     users.groups.mysql.gid = config.ids.gids.mysql;
 
-    secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [
-      {
-        dest = "mysql_replication/${name}/slave_init_commands";
+    secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
+      (lib.nameValuePair "mysql_replication/${name}/slave_init_commands" {
         user = "mysql";
         group = "mysql";
         permissions = "0400";
@@ -91,9 +90,8 @@ in
           CHANGE MASTER TO master_host="${hcfg.host}", master_port=${hcfg.port}, master_user="${hcfg.user}", master_password="${hcfg.password}", master_ssl=1, master_use_gtid=slave_pos;
           START SLAVE;
           '';
-      }
-      {
-        dest = "mysql_replication/${name}/mysqldump_remote";
+      })
+      (lib.nameValuePair "mysql_replication/${name}/mysqldump_remote" {
         permissions = "0400";
         user = "root";
         group = "root";
@@ -102,9 +100,8 @@ in
           user = ${hcfg.user}
           password = ${hcfg.password}
         '';
-      }
-      {
-        dest = "mysql_replication/${name}/mysqldump";
+      })
+      (lib.nameValuePair "mysql_replication/${name}/mysqldump" {
         permissions = "0400";
         user = "root";
         group = "root";
@@ -113,9 +110,8 @@ in
           user = ${hcfg.dumpUser}
           password = ${hcfg.dumpPassword}
         '';
-      }
-      {
-        dest = "mysql_replication/${name}/client";
+      })
+      (lib.nameValuePair "mysql_replication/${name}/client" {
         permissions = "0400";
         user = "mysql";
         group = "mysql";
@@ -124,8 +120,8 @@ in
           user = ${hcfg.dumpUser}
           password = ${hcfg.dumpPassword}
         '';
-      }
-    ]) cfg.hosts);
+      })
+    ]) cfg.hosts));
 
     services.cron = {
       enable = true;
index f4851b5f885a09d3d98ff6994526619b873f2897..d35aca08de4a51858ea979ba33d961145e078121 100644 (file)
@@ -85,29 +85,26 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    secrets.keys = [
-       {
-        dest = "ldap/password";
+    secrets.keys = {
+       "ldap/password" = {
         permissions = "0400";
         user = "openldap";
         group = "openldap";
         text = "rootpw          ${cfg.rootPw}";
-      }
-      {
-        dest = "ldap/access";
+      };
+      "ldap/access" = {
         permissions = "0400";
         user = "openldap";
         group = "openldap";
         text = builtins.readFile cfg.accessFile;
-      }
-      {
-        dest = "ldap";
+      };
+      "ldap" = {
         permissions = "0500";
         user = "openldap";
         group = "openldap";
         isDir = true;
-      }
-    ];
+      };
+    };
     users.users.openldap.extraGroups = [ "keys" ];
     networking.firewall.allowedTCPPorts = [ 636 389 ];
 
index 350eecfc2a02a41de3d02b102dc6e72473a4acac..b456323460c2234bb0e6f30ea13f9b719c01eac8 100644 (file)
@@ -87,9 +87,8 @@ in
     };
     users.groups.openldap.gid = config.ids.gids.openldap;
 
-    secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [
-      {
-        dest = "openldap_replication/${name}/replication_config";
+    secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
+      (lib.nameValuePair "openldap_replication/${name}/replication_config" {
         user = "openldap";
         group = "openldap";
         permissions = "0400";
@@ -105,15 +104,14 @@ in
                   binddn="${hcfg.dn}"
                   credentials="${hcfg.password}"
           '';
-      }
-      {
-        dest = "openldap_replication/${name}/replication_password";
+      })
+      (lib.nameValuePair "openldap_replication/${name}/replication_password" {
         user = "openldap";
         group = "openldap";
         permissions = "0400";
         text = hcfg.password;
-      }
-    ]) cfg.hosts);
+      })
+    ]) cfg.hosts));
 
     services.cron = {
       enable = true;
index e73bf69eb7f78b5c73e6d2727b10fc8818ce0735..a6c4cc998fdb138ccf53671992a916794b6eff95 100644 (file)
@@ -178,9 +178,8 @@ in {
       '';
     };
 
-    secrets.keys = [
-      {
-        dest = "postgresql/pam";
+    secrets.keys = {
+      "postgresql/pam" = {
         permissions = "0400";
         group = "postgres";
         user = "postgres";
@@ -192,9 +191,8 @@ in {
           pam_filter ${filter}
           ssl start_tls
         '';
-      }
-      {
-        dest = "postgresql/pam_replication";
+      };
+      "postgresql/pam_replication" = {
         permissions = "0400";
         group = "postgres";
         user = "postgres";
@@ -206,8 +204,8 @@ in {
           pam_login_attribute cn
           ssl start_tls
         '';
-      }
-    ];
+      };
+    };
 
     security.pam.services = let
       pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
index b103b8c0e965d10b6d26201cf0fd662f2799adf7..135bbed0d90bfbc9cd239727ab3ddbfc5a88e649 100644 (file)
@@ -62,9 +62,8 @@ in
     users.groups.postgres.gid = config.ids.gids.postgres;
     environment.systemPackages = [ cfg.mainPackage ];
 
-    secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [
-      {
-        dest = "postgresql_replication/${name}/recovery.conf";
+    secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
+      (lib.nameValuePair "postgresql_replication/${name}/recovery.conf" {
         user = "postgres";
         group = "postgres";
         permissions = "0400";
@@ -73,16 +72,14 @@ in
           primary_conninfo = '${hcfg.connection}?sslmode=require'
           primary_slot_name = '${hcfg.slot}'
           '';
-      }
-      {
-        dest = "postgresql_replication/${name}/connection_string";
+      })
+      (lib.nameValuePair "postgresql_replication/${name}/connection_string" {
         user = "postgres";
         group = "postgres";
         permissions = "0400";
         text = hcfg.connection;
-      }
-      {
-        dest = "postgresql_replication/${name}/postgresql.conf";
+      })
+      (lib.nameValuePair "postgresql_replication/${name}/postgresql.conf" {
         user = "postgres";
         group = "postgres";
         permissions = "0400";
@@ -94,8 +91,8 @@ in
           data_directory = '${dataDir}'
           wal_level = logical
           '';
-      }
-    ]) cfg.hosts);
+      })
+    ]) cfg.hosts));
 
     services.cron = {
       enable = true;
index 5c5b8b032dac4ba58a907204d3c3967538e4ea15..685fa464cf60efdb7f7ef64a1e9008c4590cd769 100644 (file)
@@ -74,9 +74,8 @@ in {
     };
 
     networking.firewall.allowedTCPPorts = [ 7617 16379 ];
-    secrets.keys = [
-      {
-        dest = "redis/predixy.conf";
+    secrets.keys = {
+      "redis/predixy.conf" = {
         user = "redis";
         group = "redis";
         permissions = "0400";
@@ -100,15 +99,14 @@ in {
             }
           }
           '';
-      }
-      {
-        dest = "redis/spiped_keyfile";
+      };
+      "redis/spiped_keyfile" = {
         user = "spiped";
         group = "spiped";
         permissions = "0400";
         text = config.myEnv.databases.redis.spiped_key;
-      }
-    ];
+      };
+    };
 
     systemd.slices.redis = {
       description = "Redis slice";
index 3caa7e95af413fac62b330428fd8c7a1a500657c..9e48939ecf0a938bcfa35f924b071217fea8c8fa 100644 (file)
@@ -68,9 +68,8 @@ in
       };
     };
 
-    secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [
-      {
-        dest = "redis_replication/${name}/config";
+    secrets.keys = lib.mapAttrs' (name: hcfg:
+      lib.nameValuePair "redis_replication/${name}/config" {
         user = "redis";
         group = "redis";
         permissions = "0400";
@@ -97,15 +96,14 @@ in
           maxclients 1024
           '';
       }
-    ]) cfg.hosts) ++ [
-      { # For eldiron only
-        dest = "redis/spiped_eldiron_keyfile";
+    ) cfg.hosts // {
+      "redis/spiped_eldiron_keyfile" = { # For eldiron only
         user = "spiped";
         group = "spiped";
         permissions = "0400";
         text = config.myEnv.databases.redis.spiped_key;
-      }
-    ];
+      };
+    };
 
     services.cron = {
       enable = true;
index 32c52a9f8575673fe7b4e0ef6428d71f5bce5512..1d7fd52fb3fe6e11d27ea801da4f0518ee719069 100644 (file)
@@ -87,9 +87,8 @@
     networking.firewall.allowedUDPPorts = [ 53 ];
     networking.firewall.allowedTCPPorts = [ 53 ];
     users.users.named.extraGroups = [ "keys" ];
-    secrets.keys = lib.mapAttrsToList (k: v:
-      {
-        dest = "bind/${k}.key";
+    secrets.keys = lib.mapAttrs' (k: v:
+      lib.nameValuePair "bind/${k}.key" {
         permissions = "0400";
         user = "named";
         text = ''
index d051d790fd43c3a092ab9da56c3177d0fbce8972..4d86a648ada0d460d4e56670d1bd8ef3aaac3904 100644 (file)
@@ -37,9 +37,8 @@ in
     systemd.services.ejabberd.postStop = ''
       rm /var/log/ejabberd/erl_crash*.dump
       '';
-    secrets.keys = [
-      {
-        dest = "ejabberd/psql.yml";
+    secrets.keys = {
+      "ejabberd/psql.yml" = {
         permissions = "0400";
         user = "ejabberd";
         group = "ejabberd";
@@ -50,9 +49,8 @@ in
           sql_username: "${config.myEnv.jabber.postgresql.user}"
           sql_password: "${config.myEnv.jabber.postgresql.password}"
           '';
-      }
-      {
-        dest = "ejabberd/host.yml";
+      };
+      "ejabberd/host.yml" = {
         permissions = "0400";
         user = "ejabberd";
         group = "ejabberd";
@@ -71,8 +69,8 @@ in
                 immaeXmppUid: "%u"
               ldap_filter: "${config.myEnv.jabber.ldap.filter}"
           '';
-      }
-    ];
+      };
+    };
     users.users.ejabberd.extraGroups = [ "keys" ];
     services.ejabberd = {
       package = pkgs.ejabberd.override { withPgsql = true; };
index 07db0f4b129bc0832acb1fc0ad63d80f50492165..142819870b5f17bce2f5630e2a40445d05d2eab7 100644 (file)
@@ -47,8 +47,7 @@ in
       install -m 0755 -o ftp -g ftp -d /var/lib/ftp
       '';
 
-    secrets.keys = [{
-      dest = "pure-ftpd-ldap";
+    secrets.keys."pure-ftpd-ldap" = {
       permissions = "0400";
       user = "ftp";
       group = "ftp";
@@ -71,7 +70,7 @@ in
         # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
         LDAPHomeDir         immaeFtpDirectory
         '';
-    }];
+    };
 
     services.filesWatcher.pure-ftpd = {
       restart = true;
index 0fb1a999bf6af0c0e0d1be9b6a8f3c5411d8f664..20d2cd5f32441244c7dabb3c1fb763965b6e7d78 100644 (file)
@@ -21,13 +21,12 @@ in {
     };
     networking.firewall.allowedTCPPorts = [ 9418 ];
 
-    secrets.keys = [{
-      dest = "gitolite/ldap_password";
+    secrets.keys."gitolite/ldap_password" = {
       user = "gitolite";
       group = "gitolite";
       permissions = "0400";
       text = config.myEnv.tools.gitolite.ldap.password;
-    }];
+    };
 
     services.gitDaemon = {
       enable = true;
index 23e795f78bbad7a7d082e56ef2274f81b89a063b..0ef3467ad66ad607ad1254cde8610e07a2dc2ed5 100644 (file)
@@ -18,36 +18,33 @@ in
       + /var/lib/dhparams
       + /var/lib/dovecot
       '';
-    secrets.keys = [
-      {
-        dest = "dovecot/ldap";
-        user = config.services.dovecot2.user;
-        group = config.services.dovecot2.group;
-        permissions = "0400";
-        text = ''
-          hosts = ${config.myEnv.mail.dovecot.ldap.host}
-          tls = yes
+    secrets.keys."dovecot/ldap" = {
+      user = config.services.dovecot2.user;
+      group = config.services.dovecot2.group;
+      permissions = "0400";
+      text = ''
+        hosts = ${config.myEnv.mail.dovecot.ldap.host}
+        tls = yes
 
-          dn = ${config.myEnv.mail.dovecot.ldap.dn}
-          dnpass = ${config.myEnv.mail.dovecot.ldap.password}
+        dn = ${config.myEnv.mail.dovecot.ldap.dn}
+        dnpass = ${config.myEnv.mail.dovecot.ldap.password}
 
-          auth_bind = yes
+        auth_bind = yes
 
-          ldap_version = 3
+        ldap_version = 3
 
-          base = ${config.myEnv.mail.dovecot.ldap.base}
-          scope = subtree
+        base = ${config.myEnv.mail.dovecot.ldap.base}
+        scope = subtree
 
-          pass_filter = ${config.myEnv.mail.dovecot.ldap.filter}
-          pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs}
+        pass_filter = ${config.myEnv.mail.dovecot.ldap.filter}
+        pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs}
 
-          user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs}
-          user_filter = ${config.myEnv.mail.dovecot.ldap.filter}
-          iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs}
-          iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter}
-          '';
-      }
-    ];
+        user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs}
+        user_filter = ${config.myEnv.mail.dovecot.ldap.filter}
+        iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs}
+        iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter}
+        '';
+    };
 
     users.users.vhost = {
       group = "vhost";
index 172e216069e5142db5f46d0f746847cd731d35d0..4b93a7aea78847d9a575dd2ad912fef061b2fa0c 100644 (file)
       '';
   };
   config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
-    secrets.keys = [
-      {
-        dest = "opendkim";
+    secrets.keys = {
+      "opendkim" = {
         isDir = true;
         user = config.services.opendkim.user;
         group = config.services.opendkim.group;
         permissions = "0550";
-      }
-      {
-        dest = "opendkim/eldiron.private";
+      };
+      "opendkim/eldiron.private" = {
         user = config.services.opendkim.user;
         group = config.services.opendkim.group;
         permissions = "0400";
         text = config.myEnv.mail.dkim.eldiron.private;
-      }
-      {
-        dest = "opendkim/eldiron.txt";
+      };
+      "opendkim/eldiron.txt" = {
         user = config.services.opendkim.user;
         group = config.services.opendkim.group;
         permissions = "0444";
         text = ''
           eldiron._domainkey   IN      TXT     ${config.myEnv.mail.dkim.eldiron.public}'';
-      }
-    ];
+      };
+    };
     users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
     services.opendkim = {
       enable = true;
index a7be066f4f95bf780501fab39f53250dc84d96e3..e05bba98a3cf458652ef23ebcbd299675d361686 100644 (file)
@@ -1,17 +1,14 @@
 { lib, pkgs, config, name, ... }:
 {
   config = lib.mkIf config.myServices.mailRelay.enable {
-    secrets.keys = [
-      {
-        dest = "opensmtpd/creds";
-        user = "smtpd";
-        group = "smtpd";
-        permissions = "0400";
-        text = ''
-          eldiron    ${name}:${config.hostEnv.ldap.password}
-          '';
-      }
-    ];
+    secrets.keys."opensmtpd/creds" = {
+      user = "smtpd";
+      group = "smtpd";
+      permissions = "0400";
+      text = ''
+        eldiron    ${name}:${config.hostEnv.ldap.password}
+        '';
+    };
     users.users.smtpd.extraGroups = [ "keys" ];
     services.opensmtpd = {
       enable = true;
index de5e59d71d41b7d91016057102642f69d7d9b7f7..054b93effc5665f76ab072032aa055093cf4abfb 100644 (file)
@@ -4,9 +4,8 @@
     services.duplyBackup.profiles.mail.excludeFile = ''
       + /var/lib/postfix
       '';
-    secrets.keys = [
-      {
-        dest = "postfix/mysql_alias_maps";
+    secrets.keys = {
+      "postfix/mysql_alias_maps" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -32,9 +31,8 @@
               FROM forwardings_blacklisted
               WHERE source = '%s'
           '';
-      }
-      {
-        dest = "postfix/ldap_mailboxes";
+      };
+      "postfix/ldap_mailboxes" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -48,9 +46,8 @@
           result_format = dummy
           version = 3
         '';
-      }
-      {
-        dest = "postfix/mysql_sender_login_maps";
+      };
+      "postfix/mysql_sender_login_maps" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -72,9 +69,8 @@
               AND active = 1
             UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination
           '';
-      }
-      {
-        dest = "postfix/mysql_sender_relays_maps";
+      };
+      "postfix/mysql_sender_relays_maps" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
               ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
               AND active = 1
           '';
-      }
-      {
-        dest = "postfix/mysql_sender_relays_hosts";
+      };
+      "postfix/mysql_sender_relays_hosts" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
               ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
               AND active = 1
           '';
-      }
-      {
-        dest = "postfix/mysql_sender_relays_creds";
+      };
+      "postfix/mysql_sender_relays_creds" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
               ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
               AND active = 1
           '';
-      }
-      {
-        dest = "postfix/ldap_ejabberd_users_immae_fr";
+      };
+      "postfix/ldap_ejabberd_users_immae_fr" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
           result_format = ejabberd@localhost
           version = 3
           '';
-      }
-    ] ++ (lib.mapAttrsToList (name: v: {
-      dest = "postfix/scripts/${name}-env";
+      };
+    } // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" {
       user = "postfixscripts";
       group = "root";
       permissions = "0400";
       text = builtins.toJSON v.env;
-    }) config.myEnv.mail.scripts);
+    }) config.myEnv.mail.scripts;
 
     networking.firewall.allowedTCPPorts = [ 25 465 587 ];
 
index 651452c3e2b79d37c1032c05515cfdf07759ed5d..668d3659a919db2edd6da4e44da8642e42707154 100644 (file)
@@ -13,9 +13,8 @@
         mxs = map (zone: "${config.myEnv.servers."${name}".mx.subdomain}.${zone.name}") zonesWithMx;
       in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
     };
-    secrets.keys = [
-      {
-        dest = "postfix/mysql_alias_maps";
+    secrets.keys = {
+      "postfix/mysql_alias_maps" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -41,9 +40,8 @@
               FROM forwardings_blacklisted
               WHERE source = '%s'
           '';
-      }
-      {
-        dest = "postfix/ldap_mailboxes";
+      };
+      "postfix/ldap_mailboxes" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -57,9 +55,8 @@
           result_format = dummy
           version = 3
         '';
-      }
-      {
-        dest = "postfix/sympa_mailbox_maps";
+      };
+      "postfix/sympa_mailbox_maps" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -82,9 +79,8 @@
               CONCAT('abuse-feedback-report@', robot_list)
             )
         '';
-      }
-      {
-        dest = "postfix/ldap_ejabberd_users_immae_fr";
+      };
+      "postfix/ldap_ejabberd_users_immae_fr" = {
         user = config.services.postfix.user;
         group = config.services.postfix.group;
         permissions = "0440";
@@ -99,8 +95,8 @@
           result_format = ejabberd@localhost
           version = 3
           '';
-      }
-    ];
+      };
+    };
 
     networking.firewall.allowedTCPPorts = [ 25 ];
 
index 5270b693f72bed7cdde29ed611bef20b8bd250f7..920daa985e11bb2f1b56d163c9e7c874f6ef6b4c 100644 (file)
@@ -34,20 +34,19 @@ in
       ];
     };
 
-    secrets.keys = [
-      {
-        dest = "sympa/db_password";
+    secrets.keys = {
+      "sympa/db_password" = {
         permissions = "0400";
         group = "sympa";
         user = "sympa";
         text = sympaConfig.postgresql.password;
-      }
-    ]
-    ++ lib.mapAttrsToList (n: v: {
-      dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+      };
+    }
+    // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" {
+      permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
     }) sympaConfig.data_sources
-    ++ lib.mapAttrsToList (n: v: {
-      dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
+    // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" {
+      permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
     }) sympaConfig.scenari;
     users.users.sympa.extraGroups = [ "keys" ];
     systemd.slices.mail-sympa = {
index cab9e7cb7b7b83fc4ba6ebb29ab2cefc6fe1afbd..bdb5c93183d67bd4fa05e1b8cb10f3ceeaf27e09 100644 (file)
@@ -199,18 +199,15 @@ in
       text = "MAILADDR ${config.myEnv.monitoring.email}";
     };
 
-    secrets.keys = [
-      {
-        dest = "naemon/id_rsa";
+    secrets.keys = {
+      "naemon/id_rsa" = {
         user = "naemon";
         group = "naemon";
         permissions = "0400";
         text = config.myEnv.monitoring.ssh_secret_key;
-      }
-    ] ++ lib.optionals cfg.master (
-      lib.mapAttrsToList (k: v:
-      {
-        dest = "${k}_access_key";
+      };
+    } // lib.optionalAttrs cfg.master (
+      lib.mapAttrs' (k: v: lib.nameValuePair "${k}_access_key" {
         user = "naemon";
         group = "naemon";
         permissions = "0400";
index 73f474926f5de1f147d99ecc382c6cfaec0f5cbf..ab0290c3909fc2eed700287906b5c6decbd4e6e3 100644 (file)
     };
   };
   config = lib.mkIf config.myServices.status.enable {
-    secrets.keys = [
-      {
-        dest = "naemon-status/environment";
-        user = "naemon";
-        group = "naemon";
-        permission = "0400";
-        text = ''
-          TOKENS=${builtins.concatStringsSep " " config.myEnv.monitoring.nrdp_tokens}
-          '';
-      }
-    ];
+    secrets.keys."naemon-status/environment" = {
+      user = "naemon";
+      group = "naemon";
+      permissions = "0400";
+      text = ''
+        TOKENS=${builtins.concatStringsSep " " config.myEnv.monitoring.nrdp_tokens}
+        '';
+    };
     services.nginx = {
       enable = true;
       recommendedOptimisation = true;
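Review bot: The new `permissions = "0400";` line replaces a removed `permission = "0400";`, so this hunk is not the pure list-to-attrset rewrite the commit title describes. If the old attribute name was not a recognised option of the secrets module (I cannot see its option type from here), the mode of `naemon-status/environment` previously fell back to that module's default, and this commit changes the deployed mode of a file holding the NRDP tokens without saying so; a sentence in the commit message would make that visible to anyone reading history. It also argues for typing `secrets.keys` as `attrsOf (submodule …)` with closed options in the secrets module (outside this hunk), so that a misspelt attribute is an evaluation error instead of a silently ignored key.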
index 8192a9db772e7ebcd805f83980912457f712753c..39a753ad0905dd789b8981716868962dd2c3db3d 100644 (file)
@@ -19,8 +19,7 @@ in
       };
     };
 
-    secrets.keys = [{
-      dest = "status_engine";
+    secrets.keys."status_engine" = {
       permissions = "0400";
       user = "naemon";
       group = "naemon";
@@ -87,7 +86,7 @@ in
 
         disable_http_proxy: 1
       '';
-    }];
+    };
 
     services.redis = rec {
       enable = true;
index f2e87bb8006c1152fec3f6f6583fba251e7e69ed..7fa8fe9d09a62b73691729ad7ca8f2f5269f2e23 100644 (file)
@@ -5,22 +5,20 @@
     services.duplyBackup.profiles.mpd = {
       rootDir = "/var/lib/mpd";
     };
-    secrets.keys = [
-      {
-        dest = "mpd";
+    secrets.keys = {
+      "mpd" = {
         permissions = "0400";
         text = config.myEnv.mpd.password;
-      }
-      {
-        dest = "mpd-config";
+      };
+      "mpd-config" = {
         permissions = "0400";
         user = "mpd";
         group = "mpd";
         text = ''
           password "${config.myEnv.mpd.password}@read,add,control,admin"
         '';
-      }
-    ];
+      };
+    };
     networking.firewall.allowedTCPPorts = [ 6600 ];
     users.users.mpd.extraGroups = [ "wwwrun" "keys" ];
     systemd.services.mpd.serviceConfig.RuntimeDirectory = "mpd";
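Review bot: The `"mpd"` entry sets only `permissions` and `text`, so which account may read the MPD password is decided by the secrets module's default owner rather than by this file, while the sibling `"mpd-config"` entry states `user = "mpd"; group = "mpd";` explicitly. Either set the owner explicitly here, or add a comment naming the consumer, e.g. `# read only by root (no user/group on purpose)`, so the 0400 mode is reviewable on its own. The same applies to `"ldap/sync_password"` and `"ldap/ldaptree.ldif"` in the hunk that defines them further down.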
index ca9b6fc34d525fb3258788a107c60c729cb9ed3a..ee5dda5c4eb32072ca03ca1df421dd918c223777 100644 (file)
@@ -51,13 +51,12 @@ in
       AuthorizedKeysCommandUser nobody
       '';
 
-    secrets.keys = [{
-      dest = "ssh-ldap";
+    secrets.keys."ssh-ldap" = {
       user = "nobody";
       group = "nogroup";
       permissions = "0400";
       text = config.myEnv.sshd.ldap.password;
-    }];
+    };
     system.activationScripts.sshd = {
       deps = [ "secrets" ];
       text = ''
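Review bot: The `ssh-ldap` file carries the LDAP bind password and is owned by `nobody:nogroup` so the `AuthorizedKeysCommandUser nobody` shown in context can read it, but `nobody` is commonly shared by other unprivileged processes on the same host, each of which can then read that password. A dedicated system user for the AuthorizedKeysCommand (declared with `users.users.<name>.isSystemUser = true` and used for both `AuthorizedKeysCommandUser` and the key's `user`) keeps the secret scoped to the one consumer. This is pre-existing behaviour the refactor preserves, not something the hunk introduces.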
index 181f45598e9ce8766c7daaff12414f63d7667e02..c01a666b7deea692a212ca5cd8ef16fc1c544aea 100644 (file)
@@ -7,22 +7,20 @@
   };
   # ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age
   secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ];
-  secrets.keys = [
-    {
-      dest = "rsync_backup/identity";
+  secrets.keys = {
+    "rsync_backup/identity" = {
       user = "backup";
       group = "backup";
       permissions = "0400";
       text = config.myEnv.rsync_backup.ssh_key.private;
-    }
-    {
-      dest = "rsync_backup/identity.pub";
+    };
+    "rsync_backup/identity.pub" = {
       user = "backup";
       group = "backup";
       permissions = "0444";
       text = config.myEnv.rsync_backup.ssh_key.public;
-    }
-  ];
+    };
+  };
   boot.kernelPackages = pkgs.linuxPackages_latest;
   myEnv = import ../../../nixops/secrets/environment.nix;
 
index 0830f185e3edf41a8156336f81d9330e8d7b1696..2c339a52888aac150ce1f9908dfae60ad3e3e196 100644 (file)
   services.netdata.config.web.mode = "none";
   users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
   environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
-  secrets.keys = [
-    {
-      dest = "netdata-stream.conf";
+  secrets.keys = {
+    "netdata-stream.conf" = {
       user = config.services.netdata.user;
       group = config.services.netdata.group;
       permissions = "0400";
             destination = ${config.myEnv.monitoring.netdata_aggregator}
             api key = ${config.myEnv.monitoring.netdata_keys.eldiron}
       '';
-    }
-    {
-      dest = "zrepl_backup/identity";
+    };
+    "zrepl_backup/identity" = {
       user = "root";
       group = "root";
       permissions = "0400";
       text = config.myEnv.zrepl_backup.ssh_key.private;
-    }
-  ];
+    };
+  };
   programs.ssh.knownHosts.dilion = {
     hostNames = ["dilion.immae.eu"];
     publicKey = let
index 91d30fdbb7b31111924d89826e8db80c2ebdf11e..dea5f45993daf1f31e896172933c7ba214e89bdf 100644 (file)
@@ -45,9 +45,8 @@
   networking.firewall.allowedTCPPorts = [ 19999 ];
   environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
 
-  secrets.keys = [
-    {
-      dest = "netdata-stream.conf";
+  secrets.keys = {
+    "netdata-stream.conf" = {
       user = config.services.netdata.user;
       group = config.services.netdata.group;
       permissions = "0400";
@@ -58,8 +57,8 @@
             default memory = ram
             health enabled by default = auto
       '') config.myEnv.monitoring.netdata_keys);
-    }
-  ];
+    };
+  };
   users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
   # This value determines the NixOS release with which your system is
   # to be compatible, in order to avoid breaking some software such as
index 491e215eb180e18d7925dc84245e090203ca338e..82db70ff0d1c7a97e50e7b98b779625b98aad8d8 100644 (file)
@@ -254,14 +254,12 @@ in
     '';
   };
 
-  secrets.keys = [
-    {
-      dest = "ldap/sync_password";
+  secrets.keys = {
+    "ldap/sync_password" = {
       permissions = "0400";
       text = serverSpecificConfig.ldap_sync_password;
-    }
-    {
-      dest = "ldap/ldaptree.ldif";
+    };
+    "ldap/ldaptree.ldif" = {
       permissions = "0400";
       text = serverSpecificConfig.ldap_service_users
         + (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
@@ -272,8 +270,8 @@ in
         sn: ${n}
         uid: ${n}
       '') normalUsers));
-    }
-  ];
+    };
+  };
 
   myServices.monitoring.enable = true;
   myServices.certificates.enable = true;
index 68ce27424f5279c81f00ec678f2865cb9f59b210..f7b27e0911bcf342c1f24b89321ddfabe054de61 100644 (file)
@@ -9,16 +9,14 @@
     services.postgresql.ensureUsers = [
       { name = "naemon"; }
     ];
-    secrets.keys = [
-      {
-        dest = "ldap/password";
+    secrets.keys = {
+      "ldap/password" = {
         permissions = "0400";
         user = "openldap";
         group = "openldap";
         text = "rootpw      ${serverSpecificConfig.ldap_root_pw}";
-      }
-      {
-        dest = "webapps/tools-ldap";
+      };
+      "webapps/tools-ldap" = {
         user = "wwwrun";
         group = "wwwrun";
         permissions = "0400";
@@ -42,8 +40,8 @@
           $servers->setValue('login','attr','uid');
           $servers->setValue('login','fallback_dn',true);
         '';
-      }
-    ];
+      };
+    };
 
     users.users.openldap.extraGroups = [ "keys" ];
     services.openldap = {
index b3f1b7bb4c86ccc238e3097503ea92be5d544b30..ac2aa2184074baf8f76f60e52820da7076241c9b 100644 (file)
@@ -95,9 +95,8 @@ in {
         '';
     };
 
-    secrets.keys = [
-      {
-        dest = "webapps/tools-taskwarrior-web";
+    secrets.keys = {
+      "webapps/tools-taskwarrior-web" = {
         user = "wwwrun";
         group = "wwwrun";
         permissions = "0400";
@@ -110,9 +109,8 @@ in {
             SetEnv TASKD_LDAP_BASE     "${env.ldap.base}"
             SetEnv TASKD_LDAP_FILTER   "${env.ldap.filter}"
           '';
-      }
-    ] ++ (lib.mapAttrsToList (name: userConfig: {
-      dest = "webapps/tools-taskwarrior/${name}-taskrc";
+      };
+    } // (lib.mapAttrs' (name: userConfig: lib.nameValuePair "webapps/tools-taskwarrior/${name}-taskrc" {
       inherit user group;
       permissions = "0400";
       text = let
index a9051afeed3cee193f13f04907846fe50fe22405..d4b197d2e9fc3bb33ebd4697788941bb3660c0c6 100644 (file)
@@ -8,22 +8,20 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    secrets.keys = [
-      {
-        dest = "tinc/key.priv";
+    secrets.keys = {
+      "tinc/key.priv" = {
         user = "root";
         group = "root";
         permissions = "0400";
         text = config.myEnv.vpn.eldiron.privateKey;
-      }
-      {
-        dest = "tinc/key.pub";
+      };
+      "tinc/key.pub" = {
         user = "root";
         group = "root";
         permissions = "0400";
         text = config.myEnv.vpn.eldiron.publicKey;
-      }
-    ];
+      };
+    };
     networking.firewall.allowedTCPPorts = [ 655 1194 ];
     system.activationScripts.tinc = let
       configFiles = pkgs.runCommand "tinc-files" {
index ffae6ecd703c11a7dad783cf40125835157d6b0a..c4b79f87b737e8ef2db1f9251a8a169bf0d7ee10 100644 (file)
@@ -15,29 +15,26 @@ in {
 
   config = lib.mkIf cfg.enable {
     services.duplyBackup.profiles.chloe_integration.rootDir = app.varDir;
-    secrets.keys = [
-      {
-        dest = "websites/chloe/integration";
-        user = apacheUser;
-        group = apacheGroup;
-        permissions = "0400";
-        text = ''
-          SetEnv SPIP_CONFIG_DIR     "${./config}"
-          SetEnv SPIP_VAR_DIR        "${app.varDir}"
-          SetEnv SPIP_SITE           "chloe-${app.environment}"
-          SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
-          SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
-          SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}"
-          SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}"
-          SetEnv SPIP_LDAP_SEARCH    "${ccfg.ldap.filter}"
-          SetEnv SPIP_MYSQL_HOST     "${ccfg.mysql.host}"
-          SetEnv SPIP_MYSQL_PORT     "${ccfg.mysql.port}"
-          SetEnv SPIP_MYSQL_DB       "${ccfg.mysql.database}"
-          SetEnv SPIP_MYSQL_USER     "${ccfg.mysql.user}"
-          SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}"
-        '';
-      }
-    ];
+    secrets.keys."websites/chloe/integration" = {
+      user = apacheUser;
+      group = apacheGroup;
+      permissions = "0400";
+      text = ''
+        SetEnv SPIP_CONFIG_DIR     "${./config}"
+        SetEnv SPIP_VAR_DIR        "${app.varDir}"
+        SetEnv SPIP_SITE           "chloe-${app.environment}"
+        SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
+        SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
+        SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}"
+        SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}"
+        SetEnv SPIP_LDAP_SEARCH    "${ccfg.ldap.filter}"
+        SetEnv SPIP_MYSQL_HOST     "${ccfg.mysql.host}"
+        SetEnv SPIP_MYSQL_PORT     "${ccfg.mysql.port}"
+        SetEnv SPIP_MYSQL_DB       "${ccfg.mysql.database}"
+        SetEnv SPIP_MYSQL_USER     "${ccfg.mysql.user}"
+        SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}"
+      '';
+    };
     systemd.services.phpfpm-chloe_integration.after = lib.mkAfter [ "mysql.service" ];
     systemd.services.phpfpm-chloe_integration.wants = [ "mysql.service" ];
     services.phpfpm.pools.chloe_integration = {
index 7f8f1ded4cba0324ecb0c92615071dfe0004af37..92ae05be304f972ec1c932315c7e6581417d3ae7 100644 (file)
@@ -16,29 +16,26 @@ in {
   config = lib.mkIf cfg.enable {
     services.duplyBackup.profiles.chloe_production.rootDir = app.varDir;
     services.duplyBackup.profiles.chloe_production.remotes = ["eriomem" "ovh"];
-    secrets.keys = [
-      {
-        dest = "websites/chloe/production";
-        user = apacheUser;
-        group = apacheGroup;
-        permissions = "0400";
-        text = ''
-          SetEnv SPIP_CONFIG_DIR     "${./config}"
-          SetEnv SPIP_VAR_DIR        "${app.varDir}"
-          SetEnv SPIP_SITE           "chloe-${app.environment}"
-          SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
-          SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
-          SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}"
-          SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}"
-          SetEnv SPIP_LDAP_SEARCH    "${ccfg.ldap.filter}"
-          SetEnv SPIP_MYSQL_HOST     "${ccfg.mysql.host}"
-          SetEnv SPIP_MYSQL_PORT     "${ccfg.mysql.port}"
-          SetEnv SPIP_MYSQL_DB       "${ccfg.mysql.database}"
-          SetEnv SPIP_MYSQL_USER     "${ccfg.mysql.user}"
-          SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}"
-        '';
-      }
-    ];
+    secrets.keys."websites/chloe/production" = {
+      user = apacheUser;
+      group = apacheGroup;
+      permissions = "0400";
+      text = ''
+        SetEnv SPIP_CONFIG_DIR     "${./config}"
+        SetEnv SPIP_VAR_DIR        "${app.varDir}"
+        SetEnv SPIP_SITE           "chloe-${app.environment}"
+        SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
+        SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
+        SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}"
+        SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}"
+        SetEnv SPIP_LDAP_SEARCH    "${ccfg.ldap.filter}"
+        SetEnv SPIP_MYSQL_HOST     "${ccfg.mysql.host}"
+        SetEnv SPIP_MYSQL_PORT     "${ccfg.mysql.port}"
+        SetEnv SPIP_MYSQL_DB       "${ccfg.mysql.database}"
+        SetEnv SPIP_MYSQL_USER     "${ccfg.mysql.user}"
+        SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}"
+      '';
+    };
     services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ];
 
     systemd.services.phpfpm-chloe_production.after = lib.mkAfter [ "mysql.service" ];
index f5b1a1602091b5cf2857218b6624c7807b36b35b..1b3587af5a896d4483743ba27c797cb6a075f8c2 100644 (file)
@@ -47,31 +47,28 @@ in {
       phpPackage = pkgs.php72;
     };
 
-    secrets.keys = [
-      {
-        dest = "websites/connexionswing/integration";
-        user = config.services.httpd.Inte.user;
-        group = config.services.httpd.Inte.group;
-        permissions = "0400";
-        text = ''
-          # This file is auto-generated during the composer install
-          parameters:
-              database_host: ${secrets.mysql.host}
-              database_port: ${secrets.mysql.port}
-              database_name: ${secrets.mysql.database}
-              database_user: ${secrets.mysql.user}
-              database_password: ${secrets.mysql.password}
-              database_server_version: ${pkgs.mariadb.mysqlVersion}
-              mailer_transport: sendmail
-              mailer_host: null
-              mailer_user: null
-              mailer_password: null
-              subscription_email: ${secrets.email}
-              allow_robots: true
-              secret: ${secrets.secret}
-        '';
-      }
-    ];
+    secrets.keys."websites/connexionswing/integration" = {
+      user = config.services.httpd.Inte.user;
+      group = config.services.httpd.Inte.group;
+      permissions = "0400";
+      text = ''
+        # This file is auto-generated during the composer install
+        parameters:
+            database_host: ${secrets.mysql.host}
+            database_port: ${secrets.mysql.port}
+            database_name: ${secrets.mysql.database}
+            database_user: ${secrets.mysql.user}
+            database_password: ${secrets.mysql.password}
+            database_server_version: ${pkgs.mariadb.mysqlVersion}
+            mailer_transport: sendmail
+            mailer_host: null
+            mailer_user: null
+            mailer_password: null
+            subscription_email: ${secrets.email}
+            allow_robots: true
+            secret: ${secrets.secret}
+      '';
+    };
 
     services.websites.env.integration.vhostConfs.connexionswing_integration = {
       certName    = "integration";
index f6a059db215c46045ee48b732fe737e46d46eb45..981e95e45312dbb3dc5143b753eea48288706442 100644 (file)
@@ -48,35 +48,32 @@ in {
       phpPackage = pkgs.php72;
     };
 
-    secrets.keys = [
-      {
-        dest = "websites/connexionswing/production";
-        user = config.services.httpd.Prod.user;
-        group = config.services.httpd.Prod.group;
-        permissions = "0400";
-        text = ''
-          # This file is auto-generated during the composer install
-          parameters:
-              database_host: ${secrets.mysql.host}
-              database_port: ${secrets.mysql.port}
-              database_name: ${secrets.mysql.database}
-              database_user: ${secrets.mysql.user}
-              database_password: ${secrets.mysql.password}
-              database_server_version: ${pkgs.mariadb.mysqlVersion}
-              mailer_transport: sendmail
-              mailer_host: null
-              mailer_user: null
-              mailer_password: null
-              subscription_email: ${secrets.email}
-              allow_robots: true
-              secret: ${secrets.secret}
-          services:
-            swiftmailer.mailer.default.transport:
-                class:     Swift_SendmailTransport
-                arguments: ['/run/wrappers/bin/sendmail -bs']
-        '';
-      }
-    ];
+    secrets.keys."websites/connexionswing/production" = {
+      user = config.services.httpd.Prod.user;
+      group = config.services.httpd.Prod.group;
+      permissions = "0400";
+      text = ''
+        # This file is auto-generated during the composer install
+        parameters:
+            database_host: ${secrets.mysql.host}
+            database_port: ${secrets.mysql.port}
+            database_name: ${secrets.mysql.database}
+            database_user: ${secrets.mysql.user}
+            database_password: ${secrets.mysql.password}
+            database_server_version: ${pkgs.mariadb.mysqlVersion}
+            mailer_transport: sendmail
+            mailer_host: null
+            mailer_user: null
+            mailer_password: null
+            subscription_email: ${secrets.email}
+            allow_robots: true
+            secret: ${secrets.secret}
+        services:
+          swiftmailer.mailer.default.transport:
+              class:     Swift_SendmailTransport
+              arguments: ['/run/wrappers/bin/sendmail -bs']
+      '';
+    };
 
     services.websites.env.production.vhostConfs.connexionswing_production = {
       certName     = "connexionswing";
index 8fb6a4d3054ba3cdd3b7592edb8fc76b772a1b4c..e8193242b08e2c3980de7d0c026361051656b62a 100644 (file)
@@ -109,8 +109,7 @@ in
     users.users.wwwrun.extraGroups = [ "keys" ];
     networking.firewall.allowedTCPPorts = [ 80 443 ];
 
-    secrets.keys = [{
-      dest = "apache-ldap";
+    secrets.keys."apache-ldap" = {
       user = "wwwrun";
       group = "wwwrun";
       permissions = "0400";
@@ -126,7 +125,7 @@ in
           </IfModule>
         </Macro>
         '';
-    }];
+    };
 
     system.activationScripts = {
       httpd = ''
index 14358d87972a9a95093a52e21a117e54e8de7a9d..87e622a66a6a861b349549a52c1d4f945db49894 100644 (file)
@@ -46,18 +46,16 @@ in {
       phpPackage = pkgs.php72;
     };
 
-    secrets.keys = [
-      {
-        dest = "websites/florian/app_passwords";
+    secrets.keys = {
+      "websites/florian/app_passwords" = {
         user = config.services.httpd.Inte.user;
         group = config.services.httpd.Inte.group;
         permissions = "0400";
         text = ''
           invite:${secrets.invite_passwords}
         '';
-      }
-      {
-        dest = "websites/florian/app";
+      };
+      "websites/florian/app" = {
         user = config.services.httpd.Inte.user;
         group = config.services.httpd.Inte.group;
         permissions = "0400";
@@ -75,8 +73,8 @@ in {
             mailer_password: null
             secret: ${secrets.secret}
         '';
-      }
-    ];
+      };
+    };
 
     services.websites.env.integration.modules = adminer.apache.modules;
     services.websites.env.integration.vhostConfs.florian_app = {
index 85182834a7bce60deeff6f81ee4e6fd69b21862f..61ed9cf4195fa9d1f6fb4d7593ae040486ef4997 100644 (file)
@@ -28,24 +28,21 @@ in {
       '' ];
     };
 
-    secrets.keys = [
-      {
-        dest = "webapps/surfer";
-        permissions = "0400";
-        user = "wwwrun";
-        group = "wwwrun";
-        text = ''
-          CLOUDRON_LDAP_URL=ldaps://${env.ldap.host}
-          CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base}
-          TOKENSTORE_FILE=/var/lib/surfer/tokens.json
-          CLOUDRON_LDAP_BIND_DN=${env.ldap.dn}
-          CLOUDRON_LDAP_BIND_PASSWORD=${env.ldap.password}
-          CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base}
-          CLOUDRON_LDAP_FILTER="${env.ldap.filter}"
-          LISTEN=/run/surfer/listen.sock
-        '';
-      }
-    ];
+    secrets.keys."webapps/surfer" = {
+      permissions = "0400";
+      user = "wwwrun";
+      group = "wwwrun";
+      text = ''
+        CLOUDRON_LDAP_URL=ldaps://${env.ldap.host}
+        CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base}
+        TOKENSTORE_FILE=/var/lib/surfer/tokens.json
+        CLOUDRON_LDAP_BIND_DN=${env.ldap.dn}
+        CLOUDRON_LDAP_BIND_PASSWORD=${env.ldap.password}
+        CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base}
+        CLOUDRON_LDAP_FILTER="${env.ldap.filter}"
+        LISTEN=/run/surfer/listen.sock
+      '';
+    };
 
     systemd.services.surfer = {
       description = "Surfer";
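Review bot: `CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base}` appears twice in the new `text` of `"webapps/surfer"`, once after `CLOUDRON_LDAP_URL` and again after `CLOUDRON_LDAP_BIND_PASSWORD`. The duplicate was carried over from the removed block and is harmless for an env file, but it reads as if the two lines were meant to differ; drop the second occurrence.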
index 6f8f985af6ae77d71d6b1d12ca0be7a9c4d3b412..899ee66983aaa5c979c01904a52136d0e7b15a47 100644 (file)
@@ -41,8 +41,7 @@ in {
       phpPackage = pkgs.php72;
     };
 
-    secrets.keys = [{
-      dest = "websites/isabelle/aten_integration";
+    secrets.keys."websites/isabelle/aten_integration" = {
       user = config.services.httpd.Inte.user;
       group = config.services.httpd.Inte.group;
       permissions = "0400";
@@ -56,7 +55,7 @@ in {
         SetEnv APP_SECRET   "${secrets.secret}"
         SetEnv DATABASE_URL "${psql_url}"
         '';
-    }];
+    };
     services.websites.env.integration.vhostConfs.isabelle_aten_integration = {
       certName    = "integration";
       addToCerts  = true;
index 367171227e052ae1193974fcf0d73a63fcc7eea1..b8d12b94351f779597ab17fda7ca52b8bafa8f16 100644 (file)
@@ -42,8 +42,7 @@ in {
       phpPackage = pkgs.php72;
     };
 
-    secrets.keys = [{
-      dest = "websites/isabelle/aten_production";
+    secrets.keys."websites/isabelle/aten_production" = {
       user = config.services.httpd.Prod.user;
       group = config.services.httpd.Prod.group;
       permissions = "0400";
@@ -57,7 +56,7 @@ in {
         SetEnv APP_SECRET   "${secrets.secret}"
         SetEnv DATABASE_URL "${psql_url}"
         '';
-    }];
+    };
     services.websites.env.production.vhostConfs.isabelle_aten_production = {
       certName     = "isabelle";
       certMainHost = "aten.pro";
index 14296bf3957aa7ce1d6165c6c82cb27096caef69..decda3628acf5db087e27e9937c5421e206070c1 100644 (file)
@@ -18,29 +18,26 @@ in {
   config = lib.mkIf cfg.enable {
     services.duplyBackup.profiles.isabelle_iridologie.rootDir = app.varDir;
     services.duplyBackup.profiles.isabelle_iridologie.remotes = ["eriomem" "ovh"];
-    secrets.keys = [
-      {
-        dest = "websites/isabelle/iridologie";
-        user = apacheUser;
-        group = apacheGroup;
-        permissions = "0400";
-        text = ''
-          SetEnv SPIP_CONFIG_DIR     "${./config}"
-          SetEnv SPIP_VAR_DIR        "${app.varDir}"
-          SetEnv SPIP_SITE           "iridologie-${app.environment}"
-          SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
-          SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
-          SetEnv SPIP_LDAP_SEARCH_DN "${icfg.ldap.dn}"
-          SetEnv SPIP_LDAP_SEARCH_PW "${icfg.ldap.password}"
-          SetEnv SPIP_LDAP_SEARCH    "${icfg.ldap.filter}"
-          SetEnv SPIP_MYSQL_HOST     "${icfg.mysql.host}"
-          SetEnv SPIP_MYSQL_PORT     "${icfg.mysql.port}"
-          SetEnv SPIP_MYSQL_DB       "${icfg.mysql.database}"
-          SetEnv SPIP_MYSQL_USER     "${icfg.mysql.user}"
-          SetEnv SPIP_MYSQL_PASSWORD "${icfg.mysql.password}"
-        '';
-      }
-    ];
+    secrets.keys."websites/isabelle/iridologie" = {
+      user = apacheUser;
+      group = apacheGroup;
+      permissions = "0400";
+      text = ''
+        SetEnv SPIP_CONFIG_DIR     "${./config}"
+        SetEnv SPIP_VAR_DIR        "${app.varDir}"
+        SetEnv SPIP_SITE           "iridologie-${app.environment}"
+        SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
+        SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
+        SetEnv SPIP_LDAP_SEARCH_DN "${icfg.ldap.dn}"
+        SetEnv SPIP_LDAP_SEARCH_PW "${icfg.ldap.password}"
+        SetEnv SPIP_LDAP_SEARCH    "${icfg.ldap.filter}"
+        SetEnv SPIP_MYSQL_HOST     "${icfg.mysql.host}"
+        SetEnv SPIP_MYSQL_PORT     "${icfg.mysql.port}"
+        SetEnv SPIP_MYSQL_DB       "${icfg.mysql.database}"
+        SetEnv SPIP_MYSQL_USER     "${icfg.mysql.user}"
+        SetEnv SPIP_MYSQL_PASSWORD "${icfg.mysql.password}"
+      '';
+    };
     services.webstats.sites = [ { name = "iridologie.icommandeur.org"; } ];
 
     systemd.services.phpfpm-isabelle_iridologie.after = lib.mkAfter [ "mysql.service" ];
index 95d7e786b0db96adc22039a4b06d3a5623f60ad9..0974ce3d9fef0c8b6595d4829b6b8ca538a040fc 100644 (file)
@@ -15,8 +15,7 @@ in {
 
     security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null;
 
-    secrets.keys = [{
-      dest = "websites/jerome/naturaloutil";
+    secrets.keys."websites/jerome/naturaloutil" = {
       user = apacheUser;
       group = apacheGroup;
       permissions = "0400";
@@ -35,7 +34,7 @@ in {
         $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password);
         ?>
       '';
-    }];
+    };
     system.activationScripts.jerome_naturaloutil = {
       deps = [ "httpd" ];
       text = ''
index 4357b93fd51552ca46e06bbfeb90f8fb7f74c143..cfef3857527cc98b3d7f81ecebf53353c61e5a3b 100644 (file)
@@ -50,44 +50,41 @@ in {
       phpPackage = pkgs.php72;
     };
 
-    secrets.keys = [
-      {
-        dest = "websites/ludivine/integration";
-        user = config.services.httpd.Inte.user;
-        group = config.services.httpd.Inte.group;
-        permissions = "0400";
-        text = ''
-          # This file is auto-generated during the composer install
-          parameters:
-              database_host: ${secrets.mysql.host}
-              database_port: ${secrets.mysql.port}
-              database_name: ${secrets.mysql.database}
-              database_user: ${secrets.mysql.user}
-              database_password: ${secrets.mysql.password}
-              database_server_version: ${pkgs.mariadb.mysqlVersion}
-              mailer_transport: smtp
-              mailer_host: 127.0.0.1
-              mailer_user: null
-              mailer_password: null
-              secret: ${secrets.secret}
-              ldap_host: ldap.immae.eu
-              ldap_port: 636
-              ldap_version: 3
-              ldap_ssl: true
-              ldap_tls: false
-              ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
-              ldap_base_dn: 'dc=immae,dc=eu'
-              ldap_search_dn: '${secrets.ldap.dn}'
-              ldap_search_password: '${secrets.ldap.password}'
-              ldap_search_filter: '${secrets.ldap.filter}'
-          leapt_im:
-              binary_path: ${pkgs.imagemagick}/bin
-          assetic:
-              sass: ${pkgs.sass}/bin/sass
-              ruby: ${pkgs.ruby}/bin/ruby
-        '';
-      }
-    ];
+    secrets.keys."websites/ludivine/integration" = {
+      user = config.services.httpd.Inte.user;
+      group = config.services.httpd.Inte.group;
+      permissions = "0400";
+      text = ''
+        # This file is auto-generated during the composer install
+        parameters:
+            database_host: ${secrets.mysql.host}
+            database_port: ${secrets.mysql.port}
+            database_name: ${secrets.mysql.database}
+            database_user: ${secrets.mysql.user}
+            database_password: ${secrets.mysql.password}
+            database_server_version: ${pkgs.mariadb.mysqlVersion}
+            mailer_transport: smtp
+            mailer_host: 127.0.0.1
+            mailer_user: null
+            mailer_password: null
+            secret: ${secrets.secret}
+            ldap_host: ldap.immae.eu
+            ldap_port: 636
+            ldap_version: 3
+            ldap_ssl: true
+            ldap_tls: false
+            ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
+            ldap_base_dn: 'dc=immae,dc=eu'
+            ldap_search_dn: '${secrets.ldap.dn}'
+            ldap_search_password: '${secrets.ldap.password}'
+            ldap_search_filter: '${secrets.ldap.filter}'
+        leapt_im:
+            binary_path: ${pkgs.imagemagick}/bin
+        assetic:
+            sass: ${pkgs.sass}/bin/sass
+            ruby: ${pkgs.ruby}/bin/ruby
+      '';
+    };
 
     services.websites.env.integration.vhostConfs.ludivine_integration = {
       certName    = "integration";
index 3a9895d3a2a166e5d59b37ee83deffeabb04a233..73b63a2d98564d60d68cb61340fab03793ac6a49 100644 (file)
@@ -53,44 +53,41 @@ in {
       phpPackage = pkgs.php72;
     };
 
-    secrets.keys = [
-      {
-        dest = "websites/ludivine/production";
-        user = config.services.httpd.Prod.user;
-        group = config.services.httpd.Prod.group;
-        permissions = "0400";
-        text = ''
-          # This file is auto-generated during the composer install
-          parameters:
-              database_host: ${secrets.mysql.host}
-              database_port: ${secrets.mysql.port}
-              database_name: ${secrets.mysql.database}
-              database_user: ${secrets.mysql.user}
-              database_password: ${secrets.mysql.password}
-              database_server_version: ${pkgs.mariadb.mysqlVersion}
-              mailer_transport: smtp
-              mailer_host: 127.0.0.1
-              mailer_user: null
-              mailer_password: null
-              secret: ${secrets.secret}
-              ldap_host: ldap.immae.eu
-              ldap_port: 636
-              ldap_version: 3
-              ldap_ssl: true
-              ldap_tls: false
-              ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
-              ldap_base_dn: 'dc=immae,dc=eu'
-              ldap_search_dn: '${secrets.ldap.dn}'
-              ldap_search_password: '${secrets.ldap.password}'
-              ldap_search_filter: '${secrets.ldap.filter}'
-          leapt_im:
-              binary_path: ${pkgs.imagemagick}/bin
-          assetic:
-              sass: ${pkgs.sass}/bin/sass
-              ruby: ${pkgs.ruby}/bin/ruby
-        '';
-      }
-    ];
+    secrets.keys."websites/ludivine/production" = {
+      user = config.services.httpd.Prod.user;
+      group = config.services.httpd.Prod.group;
+      permissions = "0400";
+      text = ''
+        # This file is auto-generated during the composer install
+        parameters:
+            database_host: ${secrets.mysql.host}
+            database_port: ${secrets.mysql.port}
+            database_name: ${secrets.mysql.database}
+            database_user: ${secrets.mysql.user}
+            database_password: ${secrets.mysql.password}
+            database_server_version: ${pkgs.mariadb.mysqlVersion}
+            mailer_transport: smtp
+            mailer_host: 127.0.0.1
+            mailer_user: null
+            mailer_password: null
+            secret: ${secrets.secret}
+            ldap_host: ldap.immae.eu
+            ldap_port: 636
+            ldap_version: 3
+            ldap_ssl: true
+            ldap_tls: false
+            ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
+            ldap_base_dn: 'dc=immae,dc=eu'
+            ldap_search_dn: '${secrets.ldap.dn}'
+            ldap_search_password: '${secrets.ldap.password}'
+            ldap_search_filter: '${secrets.ldap.filter}'
+        leapt_im:
+            binary_path: ${pkgs.imagemagick}/bin
+        assetic:
+            sass: ${pkgs.sass}/bin/sass
+            ruby: ${pkgs.ruby}/bin/ruby
+      '';
+    };
 
     services.websites.env.production.vhostConfs.ludivine_production = {
       certName     = "ludivine";
index dc98900b036bc6208a9cd400adbd87b630bc60f9..f501eba16199faa563bbd5d68cc4b2a36f962cba 100644 (file)
@@ -52,32 +52,29 @@ in {
       phpPackage = pkgs.php72;
     };
 
-    secrets.keys = [
-      {
-        dest = "websites/piedsjaloux/integration";
-        user = config.services.httpd.Inte.user;
-        group = config.services.httpd.Inte.group;
-        permissions = "0400";
-        text = ''
-          # This file is auto-generated during the composer install
-          parameters:
-              database_host: ${secrets.mysql.host}
-              database_port: ${secrets.mysql.port}
-              database_name: ${secrets.mysql.database}
-              database_user: ${secrets.mysql.user}
-              database_password: ${secrets.mysql.password}
-              database_server_version: ${pkgs.mariadb.mysqlVersion}
-              mailer_transport: smtp
-              mailer_host: 127.0.0.1
-              mailer_user: null
-              mailer_password: null
-              secret: ${secrets.secret}
-              pdflatex: "${texlive}/bin/pdflatex"
-          leapt_im:
-              binary_path: ${pkgs.imagemagick}/bin
-        '';
-      }
-    ];
+    secrets.keys."websites/piedsjaloux/integration" = {
+      user = config.services.httpd.Inte.user;
+      group = config.services.httpd.Inte.group;
+      permissions = "0400";
+      text = ''
+        # This file is auto-generated during the composer install
+        parameters:
+            database_host: ${secrets.mysql.host}
+            database_port: ${secrets.mysql.port}
+            database_name: ${secrets.mysql.database}
+            database_user: ${secrets.mysql.user}
+            database_password: ${secrets.mysql.password}
+            database_server_version: ${pkgs.mariadb.mysqlVersion}
+            mailer_transport: smtp
+            mailer_host: 127.0.0.1
+            mailer_user: null
+            mailer_password: null
+            secret: ${secrets.secret}
+            pdflatex: "${texlive}/bin/pdflatex"
+        leapt_im:
+            binary_path: ${pkgs.imagemagick}/bin
+      '';
+    };
 
     services.websites.env.integration.vhostConfs.piedsjaloux_integration = {
       certName     = "integration";
index e12b046fa688331da510a3bd9873b60847047d6d..fed5a0fb40fd76701476c371a096f292857cdb2a 100644 (file)
@@ -55,32 +55,29 @@ in {
       phpPackage = pkgs.php72;
     };
 
-    secrets.keys = [
-      {
-        dest = "websites/piedsjaloux/production";
-        user = config.services.httpd.Prod.user;
-        group = config.services.httpd.Prod.group;
-        permissions = "0400";
-        text = ''
-          # This file is auto-generated during the composer install
-          parameters:
-              database_host: ${secrets.mysql.host}
-              database_port: ${secrets.mysql.port}
-              database_name: ${secrets.mysql.database}
-              database_user: ${secrets.mysql.user}
-              database_password: ${secrets.mysql.password}
-              database_server_version: ${pkgs.mariadb.mysqlVersion}
-              mailer_transport: smtp
-              mailer_host: 127.0.0.1
-              mailer_user: null
-              mailer_password: null
-              secret: ${secrets.secret}
-              pdflatex: "${texlive}/bin/pdflatex"
-          leapt_im:
-              binary_path: ${pkgs.imagemagick}/bin
-        '';
-      }
-    ];
+    secrets.keys."websites/piedsjaloux/production" = {
+      user = config.services.httpd.Prod.user;
+      group = config.services.httpd.Prod.group;
+      permissions = "0400";
+      text = ''
+        # This file is auto-generated during the composer install
+        parameters:
+            database_host: ${secrets.mysql.host}
+            database_port: ${secrets.mysql.port}
+            database_name: ${secrets.mysql.database}
+            database_user: ${secrets.mysql.user}
+            database_password: ${secrets.mysql.password}
+            database_server_version: ${pkgs.mariadb.mysqlVersion}
+            mailer_transport: smtp
+            mailer_host: 127.0.0.1
+            mailer_user: null
+            mailer_password: null
+            secret: ${secrets.secret}
+            pdflatex: "${texlive}/bin/pdflatex"
+        leapt_im:
+            binary_path: ${pkgs.imagemagick}/bin
+      '';
+    };
 
     services.websites.env.production.vhostConfs.piedsjaloux_production = {
       certName     = "piedsjaloux";
index 2d85175441abbfebff231b0fa6c225d9cc8877db..3efa9f05833eb11d941c7fa1dcce86b5ab936720 100644 (file)
@@ -29,8 +29,7 @@ in
     services.duplyBackup.profiles.richie_production.remotes = ["eriomem" "ovh"];
     services.webstats.sites = [ { name = "europe-richie.org"; } ];
 
-    secrets.keys = [{
-      dest = "websites/richie/production";
+    secrets.keys."websites/richie/production" = {
       user = apacheUser;
       group = apacheGroup;
       permissions = "0400";
@@ -48,7 +47,7 @@ in
         $smtp_mailer->Auth('${smtp_mailer.user}', '${smtp_mailer.password}');
         ?>
         '';
-    }];
+    };
     services.websites.webappDirs.richie_production = richieSrc;
     system.activationScripts.richie_production = {
       deps = [ "httpd" ];
index aa465d711e1cdfe9afaa81f7f1d83b5634ab1210..4036eac720a41ea5d205bd914946e3015f1f05cc 100644 (file)
@@ -23,8 +23,7 @@ in
     };
     users.groups.peertube.gid = config.ids.gids.peertube;
 
-    secrets.keys = [{
-      dest = "websites/syden/peertube";
+    secrets.keys."websites/syden/peertube" = {
       user = "peertube";
       group = "peertube";
       permissions = "0640";
@@ -67,7 +66,7 @@ in
           plugins: '${dataDir}/storage/plugins/'
           client_overrides: '${dataDir}/storage/client-overrides/'
         '';
-    }];
+    };
 
     services.filesWatcher.syden_peertube = {
       restart = true;
index 471858a191fa96109d5d141e3779ae9adc68b4af..fc0aae62f88d7b4597dbaa605ec16bc18914b5e4 100644 (file)
@@ -73,8 +73,7 @@ in {
       ];
     };
 
-    secrets.keys = [{
-      dest = "webapps/tools-nextcloud";
+    secrets.keys."webapps/tools-nextcloud" = {
       user = "wwwrun";
       group = "wwwrun";
       permissions = "0600";
@@ -133,7 +132,7 @@ in {
           'has_rebuilt_cache' => true,
         );
       '';
-    }];
+    };
     users.users.root.packages = let
       occ = pkgs.writeScriptBin "nextcloud-occ" ''
         #! ${pkgs.stdenv.shell}
index d0e7d2457a7328954784975e8f1765d7bfc5f1d7..c36255b63e487c66b3c7701411df2aa5b7c92f1a 100644 (file)
@@ -12,10 +12,9 @@ in
     enable = lib.mkEnableOption "Enable commento website";
   };
   config = lib.mkIf cfg.enable {
-    secrets.keys = [
-      {
-        dest = "commento/env";
-        permission = "0400";
+    secrets.keys = {
+      "commento/env" = {
+        permissions = "0400";
         text = ''
           COMMENTO_ORIGIN=https://commento.immae.eu/
           COMMENTO_PORT=${port}
@@ -29,8 +28,8 @@ in
           COMMENTO_SMTP_PASSWORD=${env.smtp.password}
           COMMENTO_SMTP_FROM_ADDRESS=${env.smtp.email}
         '';
-      }
-    ];
+      };
+    };
 
     services.websites.env.tools.vhostConfs.commento = {
       certName = "eldiron";
index eeac1b5643d97171665c518deecdf83ae6b0d059..9e4056a235b7403a861808717b1273faab11b410 100644 (file)
@@ -6,8 +6,7 @@ rec {
       install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/davical
       '';
   };
-  keys = [{
-    dest = "webapps/dav-davical";
+  keys."webapps/dav-davical" = {
     user = apache.user;
     group = apache.group;
     permissions = "0400";
@@ -64,7 +63,7 @@ rec {
       $c->do_not_sync_from_ldap = array('admin' => true);
       include('drivers_ldap.php');
     '';
-  }];
+  };
   webapp = davical.override { davical_config = config.secrets.fullPaths."webapps/dav-davical"; };
   webRoot = "${webapp}/htdocs";
   apache = rec {
index 663fe88d143596be0eb9be82ccffa9068d8ee572..9119ead35e31e3e9a683c7f9dc1f09661f2479a4 100644 (file)
@@ -16,16 +16,14 @@ in {
     };
     users.users.diaspora.extraGroups = [ "keys" ];
 
-    secrets.keys = [
-      {
-        dest = "webapps/diaspora";
+    secrets.keys = {
+      "webapps/diaspora" = {
         isDir = true;
         user = "diaspora";
         group = "diaspora";
         permissions = "0500";
-      }
-      {
-        dest = "webapps/diaspora/diaspora.yml";
+      };
+      "webapps/diaspora/diaspora.yml" = {
         user = "diaspora";
         group = "diaspora";
         permissions = "0400";
@@ -102,9 +100,8 @@ in {
         development:
           environment:
         '';
-      }
-      {
-        dest = "webapps/diaspora/database.yml";
+      };
+      "webapps/diaspora/database.yml" = {
         user = "diaspora";
         group = "diaspora";
         permissions = "0400";
@@ -136,17 +133,16 @@ in {
           <<: *combined
           database: diaspora_integration2
         '';
-      }
-      {
-        dest = "webapps/diaspora/secret_token.rb";
+      };
+      "webapps/diaspora/secret_token.rb" = {
         user = "diaspora";
         group = "diaspora";
         permissions = "0400";
         text = ''
           Diaspora::Application.config.secret_key_base = '${env.secret_token}'
         '';
-      }
-    ];
+      };
+    };
 
     services.diaspora = {
       enable = true;
index 64e411de5c72ac6e00d3c9f0757ae126c5106e3a..d5c65a94d742af82cb9230cebeb812da0b33860e 100644 (file)
@@ -15,19 +15,16 @@ in {
     services.duplyBackup.profiles.etherpad-lite = {
       rootDir = "/var/lib/private/etherpad-lite";
     };
-    secrets.keys = [
-      {
-        dest = "webapps/tools-etherpad-apikey";
+    secrets.keys = {
+      "webapps/tools-etherpad-apikey" = {
         permissions = "0400";
         text = env.api_key;
-      }
-      {
-        dest = "webapps/tools-etherpad-sessionkey";
+      };
+      "webapps/tools-etherpad-sessionkey" = {
         permissions = "0400";
         text = env.session_key;
-      }
-      {
-        dest = "webapps/tools-etherpad";
+      };
+      "webapps/tools-etherpad" = {
         permissions = "0400";
         text = ''
           {
@@ -152,8 +149,8 @@ in {
             "logconfig" : { "appenders": [ { "type": "console" } ] }
           }
         '';
-      }
-    ];
+      };
+    };
     services.etherpad-lite = {
       enable = true;
       package = pkgs.webapps.etherpad-lite.withModules (p: [
index e6a8da78314d1c3c7d6d98411fb29e0452246b28..033a651b205264c12ce61f198a6ebdd533c853e0 100644 (file)
@@ -6,8 +6,7 @@ rec {
       install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/mantisbt
     '';
   };
-  keys = [{
-    dest = "webapps/tools-mantisbt";
+  keys."webapps/tools-mantisbt" = {
     user = apache.user;
     group = apache.group;
     permissions = "0400";
@@ -45,7 +44,7 @@ rec {
       $g_ldap_realname_field = 'cn';
       $g_ldap_organization = '${env.ldap.filter}';
     '';
-  }];
+  };
   webRoot = (mantisbt_2.override { mantis_config = config.secrets.fullPaths."webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]);
   apache = rec {
     user = "wwwrun";
index 7d8e733918237c7f5e8b63489d9076343ef861ec..92de28ee5a28bc99e907b38ca4ac85533adcc716 100644 (file)
@@ -9,8 +9,7 @@ rec {
       install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
     '';
   };
-  keys = [{
-    dest = "webapps/tools-roundcube";
+  keys."webapps/tools-roundcube" = {
     user = apache.user;
     group = apache.group;
     permissions = "0400";
@@ -74,7 +73,7 @@ rec {
         $config['temp_dir'] = '${varDir}/cache';
         $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
     '';
-  }];
+  };
   webRoot = (roundcubemail.override { roundcube_config = config.secrets.fullPaths."webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]);
   apache = rec {
     user = "wwwrun";
index cea8710451db0e1ac6ccd65a4d2f7b394f327221..87e8d726aa90ebd8ab7d4ff408c73376b05c4945 100644 (file)
@@ -13,8 +13,7 @@ in {
     services.duplyBackup.profiles.mastodon = {
       rootDir = mcfg.dataDir;
     };
-    secrets.keys = [{
-      dest = "webapps/tools-mastodon";
+    secrets.keys."webapps/tools-mastodon" = {
       user = "mastodon";
       group = "mastodon";
       permissions = "0400";
@@ -59,7 +58,7 @@ in {
         LDAP_UID="uid"
         LDAP_SEARCH_FILTER="${env.ldap.filter}"
       '';
-    }];
+    };
     services.mastodon = {
       enable = true;
       configFile = config.secrets.fullPaths."webapps/tools-mastodon";
index 6d6a5a4deb0fab86dda0415de27ed14ca638ec15..f6cba4a611e6ff7db7080b7f852106fa5b2c89b5 100644 (file)
@@ -12,8 +12,7 @@ in {
     services.duplyBackup.profiles.mgoblin = {
       rootDir = mcfg.dataDir;
     };
-    secrets.keys = [{
-      dest = "webapps/tools-mediagoblin";
+    secrets.keys."webapps/tools-mediagoblin" = {
       user = "mediagoblin";
       group = "mediagoblin";
       permissions = "0400";
@@ -77,7 +76,7 @@ in {
           [[mediagoblin.media_types.image]]
           [[mediagoblin.media_types.video]]
         '';
-    }];
+    };
 
     users.users.mediagoblin.extraGroups = [ "keys" ];
 
index 7dcc9985124551cd1c08b926c7d2935cbf9a7572..daeeb1fef898435b3936ca7220e688abae00be65 100644 (file)
@@ -18,8 +18,7 @@ in {
     };
     users.users.peertube.extraGroups = [ "keys" ];
 
-    secrets.keys = [{
-      dest = "webapps/tools-peertube";
+    secrets.keys."webapps/tools-peertube" = {
       user = "peertube";
       group = "peertube";
       permissions = "0640";
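Review bot: The peertube config key keeps `permissions = "0640"` while every other key in this commit is 0400 or 0600; the file is owned by user and group `peertube`, so group read only matters if some other process in the `peertube` group reads it, and otherwise it needlessly exposes the database and SMTP secrets in the generated config. Unless something relies on group access, `permissions = "0400";` would match the rest of the secrets. This is carried over from the old list entry rather than introduced here, but the block is being rewritten anyway, and the same 0640 appears on the syden peertube key.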
@@ -62,7 +61,7 @@ in {
           plugins: '${pcfg.dataDir}/storage/plugins/'
           client_overrides: '${pcfg.dataDir}/storage/client-overrides/'
         '';
-    }];
+    };
 
     services.websites.env.tools.modules = [
       "headers" "proxy" "proxy_http" "proxy_wstunnel"
index 5afd639dfb7fed82c776a016574be4896c295c9e..5715ff08318a9c2b289d1e83c8470b65b7a3dcb8 100644 (file)
@@ -11,9 +11,8 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    secrets.keys = [
-      {
-        dest = "status_engine_ui";
+    secrets.keys = {
+      status_engine_ui = {
         permissions = "0400";
         user = "wwwrun";
         group = "wwwrun";
@@ -44,8 +43,8 @@ in
           display_perfdata: 1
           perfdata_backend: mysql
         '';
-      }
-    ];
+      };
+    };
 
     services.websites.env.tools.modules = [ "proxy_fcgi" ];
 
index 5f184bcc40b971c79f9574c81628cbaaf22c6ffd..71e31a3c4abea964695471c5e2aa9b585b965b82 100644 (file)
@@ -6,9 +6,8 @@ in
 {
   options.myServices.websites.tools.stats.enable = lib.mkEnableOption "Enable stats site";
   config = lib.mkIf cfg.enable {
-    secrets.keys = [
-      {
-        dest = "umami/env";
+    secrets.keys = {
+      "uami/env" = {
         permission = "0400";
         text = ''
           PORT=${toString myCfg.listenPort}
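Review bot: The new attribute name `"uami/env"` drops the `m` from the old `dest = "umami/env"`, so any `config.secrets.fullPaths."umami/env"` lookup elsewhere now fails to resolve, and if nothing references it the env file silently lands under a different path; it should read `"umami/env" = {`. The context line `permission = "0400";` is also not the `permissions` attribute every other key in this commit uses (the commento hunk corrects exactly this typo): if the secrets module ignores unknown attributes — its option declaration is outside this diff — the file, which carries the PostgreSQL password in `DATABASE_URL` and `HASH_SALT`, would be written with the module's default mode rather than 0400, so change it to `permissions = "0400";`. No `user`/`group` is given either; confirm the defaults match the account umami runs as.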
@@ -16,8 +15,8 @@ in
           DATABASE_URL=postgresql://${myCfg.postgresql.user}:${myCfg.postgresql.password}@localhost:${myCfg.postgresql.port}/${myCfg.postgresql.database}?sslmode=disable&host=${myCfg.postgresql.socket}
           HASH_SALT=${myCfg.hashSalt}
         '';
-      }
-    ];
+      };
+    };
 
     services.websites.env.tools.vhostConfs.stats = {
       certName = "eldiron";
index 4660251a45a9f0465702ca3e397d4130ffc0aac7..9b3f0cfa12d6e34b093d59ab50919436c582a887 100644 (file)
@@ -1,12 +1,11 @@
 { env }:
 rec {
-  keys = [{
-    dest = "webapps/tools-csp-reports.conf";
+  keys."webapps/tools-csp-reports.conf" = {
     user = "wwwrun";
     group = "wwwrun";
     permissions = "0400";
     text = with env.postgresql; ''
       env[CSP_REPORT_URI] = "host=${socket} dbname=${database} user=${user} password=${password}"
     '';
-  }];
+  };
 }
index ada62537fb04021ef6e5ac759bd7622e0fa00b43..1f499fbb76abd2b9e2cb08e615bbd258b7d31f99 100644 (file)
@@ -83,14 +83,14 @@ in {
   config = lib.mkIf cfg.enable {
     secrets.keys =
       kanboard.keys
-      ++ ldap.keys
-      ++ shaarli.keys
-      ++ ttrss.keys
-      ++ wallabag.keys
-      ++ yourls.keys
-      ++ dmarc-reports.keys
-      ++ csp-reports.keys
-      ++ webhooks.keys;
+      // ldap.keys
+      // shaarli.keys
+      // ttrss.keys
+      // wallabag.keys
+      // yourls.keys
+      // dmarc-reports.keys
+      // csp-reports.keys
+      // webhooks.keys;
 
     services.duplyBackup.profiles = {
       dokuwiki = dokuwiki.backups;
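Review bot: Replacing `++` with `//` changes collision behaviour: with lists, two sub-modules declaring the same destination produced two entries, whereas `//` is right-biased and silently keeps only the last definition, so a duplicated name (say two `webapps/tools-ldap` keys) would drop one secret file without any evaluation error. All names visible in this commit are distinct, but nothing enforces that. Assuming `secrets.keys` is now declared as an `attrsOf` submodule (its declaration is outside this diff), `secrets.keys = lib.mkMerge [ kanboard.keys ldap.keys shaarli.keys ttrss.keys wallabag.keys yourls.keys dmarc-reports.keys csp-reports.keys webhooks.keys ];` would let the option system report a conflicting definition instead of masking it; otherwise an assertion that the key sets are pairwise disjoint gives the same guarantee.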
index 5fdf0b62ad09394d19f3920a4137497d66d1d9fb..89da246167944a5cc842380bbc8935fdbdac7e33 100644 (file)
@@ -1,7 +1,6 @@
 { env, config }:
 rec {
-  keys = [{
-    dest = "webapps/tools-dmarc-reports.php";
+  keys."webapps/tools-dmarc-reports.php" = {
     user = "wwwrun";
     group = "wwwrun";
     permissions = "0400";
@@ -15,7 +14,7 @@ rec {
       $anonymous_key = "${env.anonymous_key}";
       ?>
     '';
-  }];
+  };
   webRoot = ./dmarc_reports;
   apache = rec {
     user = "wwwrun";
index 1a7049930c2f634c570ff38985410f77a29fbf68..b2e7b658406c822e2b9e098f07c228c345e5db5f 100644 (file)
@@ -13,8 +13,7 @@ rec {
       install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config
     '';
   };
-  keys = [{
-    dest = "webapps/tools-kanboard";
+  keys."webapps/tools-kanboard" = {
     user = apache.user;
     group = apache.group;
     permissions = "0400";
@@ -41,7 +40,7 @@ rec {
       define('LDAP_GROUP_ADMIN_DN', '${env.ldap.admin_dn}');
       ?>
       '';
-  }];
+  };
   webRoot = kanboard { kanboard_config = config.secrets.fullPaths."webapps/tools-kanboard"; };
   apache = rec {
     user = "wwwrun";
index cb90edc5f54f40bcd010eff6fef1f4617384e575..14920f4e32191d1835c690378cd7cadabdf900b1 100644 (file)
@@ -6,8 +6,7 @@ rec {
       install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/phpldapadmin
       '';
   };
-  keys = [{
-    dest = "webapps/tools-ldap";
+  keys."webapps/tools-ldap" = {
     user = apache.user;
     group = apache.group;
     permissions = "0400";
@@ -31,7 +30,7 @@ rec {
       $servers->setValue('login','attr','uid');
       $servers->setValue('login','fallback_dn',true);
       '';
-  }];
+  };
   webRoot = phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
   apache = rec {
     user = "wwwrun";
index 80c6a897923cb2745117ef4d1dcd9febbb17b382..b7126cc018441d1f47291c7ff30988ec60d7e76f 100644 (file)
@@ -38,8 +38,7 @@ in rec {
       </Directory>
       '';
   };
-  keys = [{
-    dest = "webapps/tools-shaarli";
+  keys."webapps/tools-shaarli" = {
     user = apache.user;
     group = apache.group;
     permissions = "0400";
@@ -50,7 +49,7 @@ in rec {
       SetEnv SHAARLI_LDAP_BASE     "${env.ldap.base}"
       SetEnv SHAARLI_LDAP_FILTER   "${env.ldap.filter}"
       '';
-  }];
+  };
   phpFpm = rec {
     serviceDeps = [ "openldap.service" ];
     basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
index eb1d415f73d399f8927702b62a04517301b82631..f6abae9afe7a260640dff110e51613746a529e94 100644 (file)
@@ -19,8 +19,7 @@ rec {
       install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
     '';
   };
-  keys = [{
-    dest = "webapps/tools-ttrss";
+  keys."webapps/tools-ttrss" = {
     user = apache.user;
     group = apache.group;
     permissions = "0400";
@@ -87,7 +86,7 @@ rec {
         define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);
         define('LDAP_AUTH_DEBUG', FALSE);
       '';
-  }];
+  };
   webRoot = (ttrss.override { ttrss_config = config.secrets.fullPaths."webapps/tools-ttrss"; }).withPlugins (p: [
     p.auth_ldap p.ff_instagram p.tumblr_gdpr_ua
     (p.af_feedmod.override { patched = true; })
index 1a604c7e766f1777acb12e2375937f6819f8b60c..b6ad15136447823333b73e42bbc70555adcc588a 100644 (file)
@@ -5,8 +5,7 @@ rec {
     remotes = [ "eriomem" "ovh" ];
   };
   varDir = "/var/lib/wallabag";
-  keys = [{
-    dest = "webapps/tools-wallabag";
+  keys."webapps/tools-wallabag" = {
     user = apache.user;
     group = apache.group;
     permissions = "0400";
@@ -68,7 +67,7 @@ rec {
               class:     Swift_SendmailTransport
               arguments: ['/run/wrappers/bin/sendmail -bs']
       '';
-  }];
+  };
   webappDir = wallabag.override { ldap = true; wallabag_config = config.secrets.fullPaths."webapps/tools-wallabag"; };
   activationScript = ''
     install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
index 8ffb81be5f9cc471eaa3617621c71e2015bd7e0d..785e22bbff2d4010bb1be6a3e9f3b39b377e6db4 100644 (file)
@@ -1,16 +1,17 @@
 { lib, env }:
 {
-  keys = lib.attrsets.mapAttrsToList (k: v: {
-    dest = "webapps/webhooks/${k}.php";
+  keys = lib.attrsets.mapAttrs' (k: v:
+    lib.nameValuePair "webapps/webhooks/${k}.php" {
     user = "wwwrun";
     group = "wwwrun";
     permissions = "0400";
     text = v;
-  }) env ++ [{
-    dest = "webapps/webhooks";
-    isDir = true;
-    user = "wwwrun";
-    group = "wwwrun";
-    permissions = "0500";
-  }];
+  }) env // {
+    "webapps/webhooks" = {
+      isDir = true;
+      user = "wwwrun";
+      group = "wwwrun";
+      permissions = "0500";
+    };
+  };
 }
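Review bot: Style: the attrset handed to `lib.nameValuePair` opens one level deeper, but its members (`user`, `group`, `permissions`, `text`) and the closing `}) env // {` are indented at the `keys =` level, which hides the nesting; indent them two further spaces so the structure reads like the directory entry below it. The migration itself looks correct: `mapAttrs'` yields `webapps/webhooks/<k>.php` names and the directory entry is merged in with `//`. Since `k` is interpolated unchecked into the destination path, a key containing `/` or `..` would escape the `webapps/webhooks` directory; `env` presumably comes from the trusted secrets flake, but an `assert !lib.hasInfix "/" k;` in the lambda would make that assumption explicit.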
index 0f977f2842dac4b61a29f95d8baf6bbaba5379a5..01ef548d6a4e1ab5efba7389c146c01c2222d15f 100644 (file)
@@ -6,8 +6,7 @@ rec {
       install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls
     '';
   };
-  keys = [{
-    dest = "webapps/tools-yourls";
+  keys."webapps/tools-yourls" = {
     user = apache.user;
     group = apache.group;
     permissions = "0400";
@@ -39,7 +38,7 @@ rec {
 
       define( 'LDAPAUTH_USERCACHE_TYPE', 0);
     '';
-  }];
+  };
   webRoot = (yourls.override { yourls_config = config.secrets.fullPaths."webapps/tools-yourls"; }).withPlugins (p: [p.ldap]);
   apache = rec {
     user = "wwwrun";
index cb74082f8966472791a394e393ca22b76ec707f1..5bcc17b638bd31c29dbfe4d30a35f62964f8a68e 100644 (file)
@@ -16,15 +16,14 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    secrets.keys = [
-      {
-        dest = "zrepl/zrepl.yml";
+    secrets.keys = {
+      "zrepl/zrepl.yml" = {
         permissions = "0400";
         text = cfg.config;
         user = config.systemd.services.zrepl.serviceConfig.User or "root";
         group = config.systemd.services.zrepl.serviceConfig.Group or "root";
-      }
-    ];
+      };
+    };
     services.filesWatcher.zrepl = {
       restart = true;
       paths = [ config.secrets.fullPaths."zrepl/zrepl.yml" ];