From 7178c2b1009694c8a750dcd376a36c3d4bf90cf4 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Thu, 25 Apr 2019 02:18:11 +0200 Subject: [PATCH 1/1] Move databases config to new secrets --- nixops/modules/databases/mysql.nix | 22 +++++++++++----------- nixops/modules/databases/openldap.nix | 20 ++++++++++---------- nixops/modules/databases/postgresql.nix | 24 ++++++++++++------------ 3 files changed, 33 insertions(+), 33 deletions(-) diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix index 95de972..a9ca8d3 100644 --- a/nixops/modules/databases/mysql.nix +++ b/nixops/modules/databases/mysql.nix @@ -52,9 +52,9 @@ in { ''; }; - deployment.keys = { - mysqldump = { - destDir = "/run/keys/mysql"; + mySecrets.keys = [ + { + dest = "mysql/mysqldump"; permissions = "0400"; user = "root"; group = "root"; @@ -63,9 +63,9 @@ in { user = root password = ${myconfig.env.databases.mysql.systemUsers.root} ''; - }; - mysql-pam = { - destDir = "/run/keys/mysql"; + } + { + dest = "mysql/pam"; permissions = "0400"; user = "mysql"; group = "mysql"; @@ -77,14 +77,14 @@ in { pam_filter ${filter} ssl start_tls ''; - }; - }; + } + ]; services.cron = { enable = true; systemCronJobs = [ '' - 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/run/keys/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql + 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/var/secrets/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql '' ]; }; @@ -96,8 +96,8 @@ in { name = "mysql"; text = '' # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ - auth required ${pam_ldap} config=/run/keys/mysql/mysql-pam - account required ${pam_ldap} config=/run/keys/mysql/mysql-pam + auth required ${pam_ldap} config=/var/secrets/mysql/pam + account required ${pam_ldap} config=/var/secrets/mysql/pam ''; } ]; 
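Review bot: The `mysqldump` entry of the new `mySecrets.keys` list still embeds the MariaDB root password from `myconfig.env.databases.mysql.systemUsers.root` into `text`, and nothing in the hunk shows how the module materialises that text; `deployment.keys` delivered it out of band to `/run/keys`, which NixOps does not persist across reboots, whereas `/var/secrets` reads like an on-disk path. If the new module renders `text` through a derivation the password would also land world-readable in `/nix/store`, so this is worth confirming in the module before relying on it. A comment at the declaration would pin the expectation, e.g. `# mySecrets must write this outside the Nix store; 0400 root, persists on disk`. The enclosing `config` attribute set starts before this hunk.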
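Review bot: The changed cron line redirects a dump of every database, which includes the `mysql.user` credential table, to `/var/lib/mysql/backup.sql` as root with whatever umask cron gives the shell, so the file's mode is not controlled here and an existing file keeps whatever mode it already has. Unless `/var/lib/mysql` is itself 0700, forcing the output to 0600 is a one-line change: `30 1,13 * * * root umask 077; ${pkgs.mariadb}/bin/mysqldump --defaults-file=/var/secrets/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql`. This assumes cron runs the job through `sh -c`, as NixOS's cron does by default; the `services.cron` block is complete within the hunk but the surrounding `config` set is not.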
diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix index 7ed4bc0..a447ccc 100644 --- a/nixops/modules/databases/openldap.nix +++ b/nixops/modules/databases/openldap.nix @@ -29,7 +29,7 @@ let database hdb suffix "${myconfig.env.ldap.base}" rootdn "${myconfig.env.ldap.root_dn}" - include /run/keys/ldap/ldap-password + include /var/secrets/ldap/password directory /var/lib/openldap overlay memberof @@ -41,7 +41,7 @@ let #TLSCipherSuite DEFAULT sasl-host kerberos.immae.eu - include /run/keys/ldap/ldap-access + include /var/secrets/ldap/access ''; in { options.services.myDatabases = { @@ -56,22 +56,22 @@ in { }; config = lib.mkIf cfg.enable { - deployment.keys = { - ldap-password = { - destDir = "/run/keys/ldap"; + mySecrets.keys = [ + { + dest = "ldap/password"; permissions = "0400"; user = "openldap"; group = "openldap"; text = "rootpw ${myconfig.env.ldap.root_pw}"; - }; - ldap-access = { - destDir = "/run/keys/ldap"; + } + { + dest = "ldap/access "; permissions = "0400"; user = "openldap"; group = "openldap"; text = builtins.readFile "${myconfig.privateFiles}/ldap.conf"; - }; - }; + } + ]; users.users.openldap.extraGroups = [ "keys" ]; networking.firewall.allowedTCPPorts = [ 636 389 ]; diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix index 7e2f4e6..62e9e34 100644 --- a/nixops/modules/databases/postgresql.nix +++ b/nixops/modules/databases/postgresql.nix @@ -77,9 +77,9 @@ in { ''; }; - deployment.keys = { - postgresql-pam = { - destDir = "/run/keys/postgresql"; + mySecrets.keys = [ + { + dest = "postgresql/pam"; permissions = "0400"; group = "postgres"; user = "postgres"; @@ -91,9 +91,9 @@ in { pam_filter ${filter} ssl start_tls ''; - }; - postgresql-pam_replication = { - destDir = "/run/keys/postgresql"; + } + { + dest = "postgresql/pam_replication"; permissions = "0400"; group = "postgres"; user = "postgres"; 
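Review bot: The new `include /var/secrets/ldap/password` line pulls in a file generated from `text = "rootpw ${myconfig.env.ldap.root_pw}"` later in this file, and the hunk does not show whether `root_pw` is cleartext or already an `{SSHA}` hash; slapd accepts both for `rootpw`. If it is cleartext, switching the stored value to the `slappasswd` hash means a leaked secrets file no longer yields the directory's root credential directly. Either way a comment such as `# root_pw is expected in slappasswd {SSHA} form` next to the include records the decision. The `let` binding that holds this slapd.conf text begins before the hunk.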
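Review bot: `dest = "ldap/access ";` has a trailing space, while the slapd.conf in this same file includes `/var/secrets/ldap/access` without one, so unless the mySecrets module trims `dest` the ACL file is written to a path slapd never reads and slapd should fail at config parse time rather than start without its access rules. The fix is `dest = "ldap/access";`. Separately, the unchanged `users.users.openldap.extraGroups = [ "keys" ];` just below existed to reach NixOps' `/run/keys`; with the files now owned `openldap:openldap` at 0400 it looks vestigial and can go once the module is confirmed not to use that group. The `config = lib.mkIf cfg.enable { … }` set continues past the hunk.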
@@ -105,8 +105,8 @@ in { pam_login_attribute cn ssl start_tls ''; - }; - }; + } + ]; security.pam.services = let pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; @@ -114,15 +114,15 @@ in { { name = "postgresql"; text = '' - auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam - account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam + auth required ${pam_ldap} config=/var/secrets/postgresql/pam + account required ${pam_ldap} config=/var/secrets/postgresql/pam ''; } { name = "postgresql_replication"; text = '' - auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication - account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication + auth required ${pam_ldap} config=/var/secrets/postgresql/pam_replication + account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication ''; } ]; -- 2.41.0