Move secrets module outside of nixops
index 7ed4bc090782dcdc4298d362c11ae8891d6bdc2f..542e209413a82c43158fc7cc7d75b6548933616a 100644 (file)
@@ -29,7 +29,7 @@ let
       database        hdb
       suffix          "${myconfig.env.ldap.base}"
       rootdn          "${myconfig.env.ldap.root_dn}"
-      include         /run/keys/ldap/ldap-password
+      include         /var/secrets/ldap/password
       directory       /var/lib/openldap
       overlay         memberof
 
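Review bot: The `+` line makes slapd read its `rootpw` directive from `/var/secrets/ldap/password`, and the secret text declared later in this diff is `rootpw          ${myconfig.env.ldap.root_pw}`, so the file carries whatever `root_pw` holds. If that value is the cleartext password, prefer a hash produced by `slappasswd` (e.g. `rootpw {SSHA}...`), which slapd accepts for `rootpw`; the file stays 0400/openldap either way, but a hash limits what a read of it yields. Note also that `/run/keys` is typically a tmpfs populated at deploy time whereas `/var/secrets` is presumably on persistent storage, so the secret now survives reboots and ends up in any disk image or backup of `/var` — confirm that is intended. Since `include` fails at config-parse time, the secrets module must also write the file before slapd starts; the unit ordering is not visible in this hunk.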
@@ -41,7 +41,7 @@ let
       #TLSCipherSuite        DEFAULT
 
       sasl-host kerberos.immae.eu
-      include /run/keys/ldap/ldap-access
+      include /var/secrets/ldap/access
       '';
 in {
   options.services.myDatabases = {
@@ -56,22 +56,22 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    deployment.keys = {
-      ldap-password = {
-        destDir = "/run/keys/ldap";
+    secrets.keys = [
+       {
+        dest = "ldap/password";
         permissions = "0400";
         user = "openldap";
         group = "openldap";
         text = "rootpw          ${myconfig.env.ldap.root_pw}";
-      };
-      ldap-access = {
-        destDir = "/run/keys/ldap";
+      }
+      {
+        dest = "ldap/access ";
         permissions = "0400";
         user = "openldap";
         group = "openldap";
         text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
-      };
-    };
+      }
+    ];
     users.users.openldap.extraGroups = [ "keys" ];
     networking.firewall.allowedTCPPorts = [ 636 389 ];