-{ privateFiles }:
{ config, pkgs, lib, ... }:
let
serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
chmod go-rwx /var/lib/nixos/sponsored_users
echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users
(${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password 2>/dev/null >/dev/null || true) <<EOF
+ -y ${config.secrets.fullPaths."ldap/sync_password"} 2>/dev/null >/dev/null || true) <<EOF
dn: uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org
objectClass: inetOrgPerson
cn: $1
userdel -r "$1"
sed -i -e "/^$mygroup $1/d" /var/lib/nixos/sponsored_users
${pkgs.openldap}/bin/ldapdelete -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password \
+ -y ${config.secrets.fullPaths."ldap/sync_password"} \
"uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
echo "deleted"
exit 0
if [ "$1" = "$mygroup" ]; then
log "resets web password"
${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password \
+ -y ${config.secrets.fullPaths."ldap/sync_password"} \
-S "uid=$mygroup,ou=users,dc=salle-s,dc=org"
else
IFS=",";
if [ "$u" = "$1" ]; then
log "resets web password of $1"
${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password \
+ -y ${config.secrets.fullPaths."ldap/sync_password"} \
-S "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
exit 0
fi
targetHost = config.hostEnv.ips.main.ip4;
substituteOnDestination = true;
};
+ # ssh-keyscan quatresaison | nix-shell -p ssh-to-age --run ssh-to-age
+ secrets.ageKeys = [ "age1yz8u6xvh2fltvyp96ep8crce3qx4tuceyhun6pwddfe0uvcrkarscxl7e7" ];
programs.ssh.package = pkgs.openssh.overrideAttrs(old: {
PATH_PASSWD_PROG = "/run/wrappers/bin/passwd";
imports = builtins.attrValues (import ../..) ++
[ ./quatresaisons/nextcloud.nix ./quatresaisons/databases.nix ];
- myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+ myEnv = import ../../../nixops/secrets/environment.nix;
fileSystems = {
"/" = { device = "/dev/disk/by-uuid/865931b4-c5cc-439f-8e42-8072c7a30634"; fsType = "ext4"; };
deps = [ "secrets" "users" ];
text =
let
- com = "-D cn=root,dc=salle-s,dc=org -y /var/secrets/ldap/sync_password";
+ com = "-D cn=root,dc=salle-s,dc=org -y ${config.secrets.fullPaths."ldap/sync_password"}";
in ''
# Add users
- ${pkgs.openldap}/bin/ldapadd -c ${com} -f /var/secrets/ldap/ldaptree.ldif 2>/dev/null >/dev/null || true
+ ${pkgs.openldap}/bin/ldapadd -c ${com} -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} 2>/dev/null >/dev/null || true
# Remove obsolete users
${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\
'';
};
- secrets.keys = [
- {
- dest = "ldap/sync_password";
+ secrets.keys = {
+ "ldap/sync_password" = {
permissions = "0400";
text = serverSpecificConfig.ldap_sync_password;
- }
- {
- dest = "ldap/ldaptree.ldif";
+ };
+ "ldap/ldaptree.ldif" = {
permissions = "0400";
text = serverSpecificConfig.ldap_service_users
+ (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
sn: ${n}
uid: ${n}
'') normalUsers));
- }
- ];
+ };
+ };
+ myServices.monitoring.enable = true;
myServices.certificates.enable = true;
users.mutableUsers = true;
system.stateVersion = "21.03";
{
commands = [
{ command = "${sponsoredUser}/bin/sponsored_user"; options = [ "NOPASSWD" ]; }
+ { command = "/run/current-system/sw/bin/sponsored_user"; options = [ "NOPASSWD" ]; }
];
users = builtins.attrNames normalUsers;
runAs = "root";