Move secrets module outside of nixops
index 165a02908f6288544aff053171104f3845b5bb0c..542e209413a82c43158fc7cc7d75b6548933616a 100644 (file)
@@ -29,7 +29,7 @@ let
       database        hdb
       suffix          "${myconfig.env.ldap.base}"
       rootdn          "${myconfig.env.ldap.root_dn}"
-      rootpw          ${myconfig.env.ldap.root_pw}
+      include         /var/secrets/ldap/password
       directory       /var/lib/openldap
       overlay         memberof
 
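Review bot: The file pulled in by the added `include /var/secrets/ldap/password` still holds the root password in clear text, since hunk 3 builds its contents as `rootpw ${myconfig.env.ldap.root_pw}`, whereas slapd's `rootpw` directive also accepts a hashed value, so the same file could carry `rootpw {SSHA}…` produced by `slappasswd -s` and a read of that file would then expose only a hash to crack rather than the working credential. Moving the value out of the slapd.conf text is the right direction; whether the literal in `myconfig.env.ldap.root_pw` still lands in a world-readable store path through the secrets module is not visible here and is worth checking. The `let` binding this config string belongs to starts before the hunk.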
@@ -41,7 +41,7 @@ let
       #TLSCipherSuite        DEFAULT
 
       sasl-host kerberos.immae.eu
-      ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+      include /var/secrets/ldap/access
       '';
 in {
   options.services.myDatabases = {
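Review bot: The added `include /var/secrets/ldap/access` is a bare literal that has to match the `dest` of the matching `secrets.keys` entry by hand, and the failure mode has moved: the removed `builtins.readFile` made a missing ACL fragment an evaluation-time error, while a wrong or absent include path now shows up only when slapd refuses to start. One binding such as `accessKey = "ldap/access";` used here as `include /var/secrets/${accessKey}` and as the key's `dest` would keep the two in step. The `let` this string lives in starts before the hunk.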
@@ -56,6 +56,23 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    secrets.keys = [
+       {
+        dest = "ldap/password";
+        permissions = "0400";
+        user = "openldap";
+        group = "openldap";
+        text = "rootpw          ${myconfig.env.ldap.root_pw}";
+      }
+      {
+        dest = "ldap/access ";
+        permissions = "0400";
+        user = "openldap";
+        group = "openldap";
+        text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+      }
+    ];
+    users.users.openldap.extraGroups = [ "keys" ];
     networking.firewall.allowedTCPPorts = [ 636 389 ];
 
     services.cron = {
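Review bot: `dest = "ldap/access ";` carries a trailing space inside the string, so the secrets module will write the ACL file to a path ending in a space while the config includes `/var/secrets/ldap/access` without one (the include is in hunk 2), and slapd will fail to load its access rules; the fix is `dest = "ldap/access";`. The first key's opening brace is also indented one column deeper than the second's and is worth aligning. Adding `openldap` to the `keys` group presumably grants traversal of the secrets directory, since both files are already `0400` owned by `openldap:openldap` — confirm that is what the secrets module expects rather than a wider grant than needed.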