Move secrets module outside of nixops

diff --git a/modules/default.nix b/modules/default.nix
index fa6714403a1bdafb1fc51e305da21a92e16de971..4445c55ce8a44f7993cf3012bc6f3526c75178f1 100644 (file)
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,5 +1,6 @@
 {
   myids = ./myids.nix;
+  secrets = ./secrets.nix;
 
   mediagoblin = ./webapps/mediagoblin.nix;
   peertube = ./webapps/peertube.nix;

diff --git a/modules/myids.nix b/modules/myids.nix
index bd6caf31e272d0eb7dcaf9a07587a3bf3fcf6190..8f744259b960d93c9b48de1d9b43cd6ec6663f25 100644 (file)
--- a/modules/myids.nix
+++ b/modules/myids.nix
@@ -1,12 +1,15 @@
 { ... }:
 {
+  # Check that there is no clash with nixos/modules/misc/ids.nix
   config = {
     ids.uids = {
       peertube = 394;
+      nullmailer = 396;
       mediagoblin = 397;
     };
     ids.gids = {
       peertube = 394;
+      nullmailer = 396;
       mediagoblin = 397;
     };
   };

diff --git a/nixops/modules/secrets.nix b/modules/secrets.nix
similarity index 64%
rename from nixops/modules/secrets.nix
rename to modules/secrets.nix
index 85000882f776f588c5048aa0d84f999b04248584..b282e56e207d17f12b2ef46bfc6da5321d909eb7 100644 (file)
--- a/nixops/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -1,14 +1,20 @@
-{ lib, pkgs, config, myconfig, mylibs, ... }:
+{ lib, pkgs, config, ... }:
 {
-  options.mySecrets = {
+  options.secrets = {
     keys = lib.mkOption {
       type = lib.types.listOf lib.types.unspecified;
-      default = {};
+      default = [];
       description = "Keys to upload to server";
     };
+    location = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/secrets";
+      description = "Location where to put the keys";
+    };
   };
   config = let
-    keys = config.mySecrets.keys;
+    location = config.secrets.location;
+    keys = config.secrets.keys;
     empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
     dumpKey = v: ''
         mkdir -p secrets/$(dirname ${v.dest})
@@ -25,19 +31,19 @@
       tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
       done
       '';
-  in {
+  in lib.mkIf (builtins.length keys > 0) {
     system.activationScripts.secrets = {
       deps = [ "users" "wrappers" ];
       text = ''
-        install -m0750 -o root -g keys -d /var/secrets
+        install -m0750 -o root -g keys -d ${location}
         if [ -f /run/keys/secrets.tar ]; then
-          if [ ! -f /var/secrets/currentSecrets ] || ! sha512sum -c --status "/var/secrets/currentSecrets"; then
+          if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
             echo "rebuilding secrets"
-            rm -rf /var/secrets
-            install -m0750 -o root -g keys -d /var/secrets
-            ${pkgs.gnutar}/bin/tar --strip-components 1 -C /var/secrets -xf /run/keys/secrets.tar
-            sha512sum /run/keys/secrets.tar > /var/secrets/currentSecrets
-            find /var/secrets -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+            rm -rf ${location}
+            install -m0750 -o root -g keys -d ${location}
+            ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
+            sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
+            find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
           fi
         fi
         '';

diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix
index 71615fae271447392367e3fad43a38298d9e4bf5..7d97377e8746c59b53499814e301dd55ae863f6d 100644 (file)
--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -45,7 +45,6 @@
       ./modules/irc.nix
       ./modules/buildbot
       ./modules/dns.nix
-      ./modules/secrets.nix
     ] ++ (builtins.attrValues (import ../modules));
     services.myGitolite.enable = true;
     services.myDatabases.enable = true;

diff --git a/nixops/modules/buildbot/default.nix b/nixops/modules/buildbot/default.nix
index 7632602b506e08933739552931410588a3c0da17..5cf833b8e2a41bf8ae948accd89c55d4e54362c7 100644 (file)
--- a/nixops/modules/buildbot/default.nix
+++ b/nixops/modules/buildbot/default.nix
@@ -106,7 +106,7 @@ in
       '';
     }) myconfig.env.buildbot.projects;
 
-    mySecrets.keys = (
+    secrets.keys = (
       lib.lists.flatten (
         lib.attrsets.mapAttrsToList (k: project:
           lib.attrsets.mapAttrsToList (k: v:

diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix
index 2d56155681c26c13631a41cf4a2e31454c77e5cb..23b8b909b66ead7be53895b5a01765bc4f9b5903 100644 (file)
--- a/nixops/modules/databases/mysql.nix
+++ b/nixops/modules/databases/mysql.nix
@@ -44,7 +44,7 @@ in {
       '';
     };
 
-    mySecrets.keys = [
+    secrets.keys = [
       {
         dest = "mysql/mysqldump";
         permissions = "0400";

diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix
index a447ccc8484d1a13ef40f5c3d5b3632d3634b001..542e209413a82c43158fc7cc7d75b6548933616a 100644 (file)
--- a/nixops/modules/databases/openldap.nix
+++ b/nixops/modules/databases/openldap.nix
@@ -56,7 +56,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    mySecrets.keys = [
+    secrets.keys = [
        {
         dest = "ldap/password";
         permissions = "0400";

diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix
index b113e9fd8a6967e986bc8e4337ec201ac7f649d1..3a58c48c2716f9514a1fe1977f8fab06fecf46db 100644 (file)
--- a/nixops/modules/databases/postgresql.nix
+++ b/nixops/modules/databases/postgresql.nix
@@ -69,7 +69,7 @@ in {
       '';
     };
 
-    mySecrets.keys = [
+    secrets.keys = [
       {
         dest = "postgresql/pam";
         permissions = "0400";

diff --git a/nixops/modules/ftp.nix b/nixops/modules/ftp.nix
index 541e1197ab6c54b167366617a56396db218502f2..871e9efad87fa0848997ee277cd576f1d9002fae 100644 (file)
--- a/nixops/modules/ftp.nix
+++ b/nixops/modules/ftp.nix
@@ -43,7 +43,7 @@
       install -m 0755 -o ftp -g ftp -d /var/lib/ftp
       '';
 
-    mySecrets.keys = [{
+    secrets.keys = [{
       dest = "pure-ftpd-ldap";
       permissions = "0400";
       user = "ftp";

diff --git a/nixops/modules/mail.nix b/nixops/modules/mail.nix
index 6ec9165305206b4db499ed97ef941f4b90faba16..993e5f1de65167c4865111e175f2c80e25fd7722 100644 (file)
--- a/nixops/modules/mail.nix
+++ b/nixops/modules/mail.nix
@@ -1,7 +1,5 @@
 { lib, pkgs, config, myconfig, mylibs, ... }:
 {
-  config.ids.uids.nullmailer = myconfig.env.users.nullmailer.uid;
-  config.ids.gids.nullmailer = myconfig.env.users.nullmailer.gid;
   config.users.users.nullmailer.uid = config.ids.uids.nullmailer;
   config.users.groups.nullmailer.gid = config.ids.gids.nullmailer;
 

diff --git a/nixops/modules/mpd.nix b/nixops/modules/mpd.nix
index 7c896ca92ed2eacfcb6160e33cd87617aa06b978..83c225b165e68bff34c47869e76c3ed5b4b77146 100644 (file)
--- a/nixops/modules/mpd.nix
+++ b/nixops/modules/mpd.nix
@@ -1,7 +1,7 @@
 { lib, pkgs, config, myconfig, mylibs, ... }:
 {
   config = {
-    mySecrets.keys = [
+    secrets.keys = [
       {
         dest = "mpd";
         permissions = "0400";

diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix
index 4dc0d65501cb236c39ae306af931c1758abc0751..e8d606348bd41c41bf07c544ce730d3deba1d3ef 100644 (file)
--- a/nixops/modules/ssh/default.nix
+++ b/nixops/modules/ssh/default.nix
@@ -8,7 +8,7 @@
       AuthorizedKeysCommandUser nobody
       '';
 
-    mySecrets.keys = [{
+    secrets.keys = [{
       dest = "ssh-ldap";
       user = "nobody";
       group = "nogroup";

diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix
index 1f5ddd2b2ad014ccac71cfe3514b95bbd920c206..01d032da1d9f22c3d314344088a384f9f79bb041 100644 (file)
--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -86,7 +86,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    mySecrets.keys = [{
+    secrets.keys = [{
       dest = "webapps/tools-taskwarrior-web";
       user = "wwwrun";
       group = "wwwrun";

diff --git a/nixops/modules/websites/aten/default.nix b/nixops/modules/websites/aten/default.nix
index 6f58d3cab8b5dbcb2523dea287c4aa4395502680..f6efe01acdfe5b31e078ec5b9995c2f806dffc66 100644 (file)
--- a/nixops/modules/websites/aten/default.nix
+++ b/nixops/modules/websites/aten/default.nix
@@ -25,7 +25,7 @@ in {
 
   config = lib.mkMerge [
     (lib.mkIf cfg.production.enable {
-      mySecrets.keys = aten_prod.keys;
+      secrets.keys = aten_prod.keys;
       services.myWebsites.commons.stats.enable = true;
       services.myWebsites.commons.stats.sites = [
         {
@@ -59,7 +59,7 @@ in {
       };
     })
     (lib.mkIf cfg.integration.enable {
-      mySecrets.keys = aten_dev.keys;
+      secrets.keys = aten_dev.keys;
       security.acme.certs."eldiron".extraDomains."dev.aten.pro" = null;
       services.myPhpfpm.preStart.aten_dev = aten_dev.phpFpm.preStart;
       services.myPhpfpm.serviceDependencies.aten_dev = aten_dev.phpFpm.serviceDeps;

diff --git a/nixops/modules/websites/chloe/default.nix b/nixops/modules/websites/chloe/default.nix
index 33ced2ed7b3bf0f5b0f3876b3cb4314c6ccea7ab..0ea92138a74a5fdb8e6547b13414a7fc67044a7d 100644 (file)
--- a/nixops/modules/websites/chloe/default.nix
+++ b/nixops/modules/websites/chloe/default.nix
@@ -25,7 +25,7 @@ in {
 
   config = lib.mkMerge [
     (lib.mkIf cfg.production.enable {
-      mySecrets.keys = chloe_prod.keys;
+      secrets.keys = chloe_prod.keys;
       services.myWebsites.commons.stats.enable = true;
       services.myWebsites.commons.stats.sites = [
         {
@@ -60,7 +60,7 @@ in {
       };
     })
     (lib.mkIf cfg.integration.enable {
-      mySecrets.keys = chloe_dev.keys;
+      secrets.keys = chloe_dev.keys;
       security.acme.certs."eldiron".extraDomains."chloe.immae.eu" = null;
       services.myPhpfpm.serviceDependencies.chloe_dev = chloe_dev.phpFpm.serviceDeps;
       services.myPhpfpm.poolConfigs.chloe_dev = chloe_dev.phpFpm.pool;

diff --git a/nixops/modules/websites/connexionswing/default.nix b/nixops/modules/websites/connexionswing/default.nix
index c0036d8abcb9759d632ad37091490d86b856f2c2..2966cb8afd4f0d286ab1450e7274019f563695e7 100644 (file)
--- a/nixops/modules/websites/connexionswing/default.nix
+++ b/nixops/modules/websites/connexionswing/default.nix
@@ -25,7 +25,7 @@ in {
 
   config = lib.mkMerge [
     (lib.mkIf cfg.production.enable {
-      mySecrets.keys = connexionswing_prod.keys;
+      secrets.keys = connexionswing_prod.keys;
       services.myWebsites.commons.stats.enable = true;
       services.myWebsites.commons.stats.sites = [
         {
@@ -61,7 +61,7 @@ in {
       };
     })
     (lib.mkIf cfg.integration.enable {
-      mySecrets.keys = connexionswing_dev.keys;
+      secrets.keys = connexionswing_dev.keys;
       security.acme.certs."eldiron".extraDomains."sandetludo.immae.eu" = null;
       security.acme.certs."eldiron".extraDomains."connexionswing.immae.eu" = null;
       services.myPhpfpm.preStart.connexionswing_dev = connexionswing_dev.phpFpm.preStart;

diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix
index 555e780661ab14f99dc814c47bd28b0b341af964..ceef1e187412f96506238430ba3b31636b9afe5a 100644 (file)
--- a/nixops/modules/websites/default.nix
+++ b/nixops/modules/websites/default.nix
@@ -228,7 +228,7 @@ in
     services.myWebsites.TellesFlorian.integration.enable = true;
     services.myWebsites.Florian.integration.enable = true;
 
-    mySecrets.keys = [{
+    secrets.keys = [{
       dest = "apache-ldap";
       user = "wwwrun";
       group = "wwwrun";

diff --git a/nixops/modules/websites/ftp/jerome.nix b/nixops/modules/websites/ftp/jerome.nix
index 18d16a11757ea69670330b7cb968b0bf34d01558..610de0271ebff9721a10a696bc8029f57de6791c 100644 (file)
--- a/nixops/modules/websites/ftp/jerome.nix
+++ b/nixops/modules/websites/ftp/jerome.nix
@@ -29,7 +29,7 @@ in {
       domain = "naturaloutil.immae.eu";
     };
 
-    mySecrets.keys = [{
+    secrets.keys = [{
       dest = "webapps/prod-naturaloutil";
       user = "wwwrun";
       group = "wwwrun";

diff --git a/nixops/modules/websites/ludivine/default.nix b/nixops/modules/websites/ludivine/default.nix
index a3d39229ab0755e20b810d30765bad00a0220e05..7fa33eda31b4817f9a35d83f74c15ca96053ac2e 100644 (file)
--- a/nixops/modules/websites/ludivine/default.nix
+++ b/nixops/modules/websites/ludivine/default.nix
@@ -21,7 +21,7 @@ in {
 
   config = lib.mkMerge [
     (lib.mkIf cfg.production.enable {
-      mySecrets.keys = ludivinecassal_prod.keys;
+      secrets.keys = ludivinecassal_prod.keys;
       services.myWebsites.commons.stats.enable = true;
       services.myWebsites.commons.stats.sites = [
         {
@@ -54,7 +54,7 @@ in {
       };
     })
     (lib.mkIf cfg.integration.enable {
-      mySecrets.keys = ludivinecassal_dev.keys;
+      secrets.keys = ludivinecassal_dev.keys;
       security.acme.certs."eldiron".extraDomains."ludivine.immae.eu" = null;
 
       services.myPhpfpm.preStart.ludivinecassal_dev = ludivinecassal_dev.phpFpm.preStart;

diff --git a/nixops/modules/websites/piedsjaloux/default.nix b/nixops/modules/websites/piedsjaloux/default.nix
index b2bd2fd4295b7b4623a072ca60d18dab44d90b90..d75170f7afd50afd8f092c2eb0783db360ee4535 100644 (file)
--- a/nixops/modules/websites/piedsjaloux/default.nix
+++ b/nixops/modules/websites/piedsjaloux/default.nix
@@ -25,7 +25,7 @@ in {
 
   config = lib.mkMerge [
     (lib.mkIf cfg.production.enable {
-      mySecrets.keys = piedsjaloux_prod.keys;
+      secrets.keys = piedsjaloux_prod.keys;
       services.myWebsites.commons.stats.enable = true;
       services.myWebsites.commons.stats.sites = [
         {
@@ -58,7 +58,7 @@ in {
       };
     })
     (lib.mkIf cfg.integration.enable {
-      mySecrets.keys = piedsjaloux_dev.keys;
+      secrets.keys = piedsjaloux_dev.keys;
       security.acme.certs."eldiron".extraDomains."piedsjaloux.immae.eu" = null;
       services.myPhpfpm.preStart.piedsjaloux_dev = piedsjaloux_dev.phpFpm.preStart;
       services.myPhpfpm.serviceDependencies.piedsjaloux_dev = piedsjaloux_dev.phpFpm.serviceDeps;

diff --git a/nixops/modules/websites/tellesflorian/default.nix b/nixops/modules/websites/tellesflorian/default.nix
index 16d788fc7cfbe93474ab63cf7a9df75079248d80..f86b0c54ab9ed12c0395fea18c474a82d4409b10 100644 (file)
--- a/nixops/modules/websites/tellesflorian/default.nix
+++ b/nixops/modules/websites/tellesflorian/default.nix
@@ -16,7 +16,7 @@ in {
   };
 
   config = lib.mkIf cfg.integration.enable {
-    mySecrets.keys = tellesflorian_dev.keys;
+    secrets.keys = tellesflorian_dev.keys;
     security.acme.certs."eldiron".extraDomains."app.tellesflorian.com" = null;
     services.myPhpfpm.preStart.tellesflorian_dev = tellesflorian_dev.phpFpm.preStart;
     services.myPhpfpm.serviceDependencies.tellesflorian_dev = tellesflorian_dev.phpFpm.serviceDeps;

diff --git a/nixops/modules/websites/tools/cloud.nix b/nixops/modules/websites/tools/cloud.nix
index a7fcd6149a086aea15b91e122bca1012f315719d..8af29142e5e4e95d7f8e4f7ac6d6fe9fcf7cb585 100644 (file)
--- a/nixops/modules/websites/tools/cloud.nix
+++ b/nixops/modules/websites/tools/cloud.nix
@@ -80,7 +80,7 @@ in {
       ];
     };
 
-    mySecrets.keys = [{
+    secrets.keys = [{
       dest = "webapps/tools-nextcloud";
       user = "wwwrun";
       group = "wwwrun";

diff --git a/nixops/modules/websites/tools/dav/default.nix b/nixops/modules/websites/tools/dav/default.nix
index c24f8db45a00b0b95e8d8614d113491f2028cf0e..bf5e412b39fa63c42c8ea0fbd25f7e68245f0e59 100644 (file)
--- a/nixops/modules/websites/tools/dav/default.nix
+++ b/nixops/modules/websites/tools/dav/default.nix
@@ -29,7 +29,7 @@ in {
   config = lib.mkIf cfg.enable {
     security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null;
 
-    mySecrets.keys = davical.keys;
+    secrets.keys = davical.keys;
     services.myWebsites.tools.modules = davical.apache.modules;
 
     services.myWebsites.tools.vhostConfs.dav = {

diff --git a/nixops/modules/websites/tools/diaspora.nix b/nixops/modules/websites/tools/diaspora.nix
index 53989b7fa31b526fd8f718dadf820f37c3f29268..1088e714e04f6603508fcb0fae7baf83fd93b210 100644 (file)
--- a/nixops/modules/websites/tools/diaspora.nix
+++ b/nixops/modules/websites/tools/diaspora.nix
@@ -35,7 +35,7 @@ in {
     };
 
     users.groups.diaspora.gid = config.ids.gids.diaspora;
-    mySecrets.keys = [
+    secrets.keys = [
       {
         dest = "webapps/diaspora/diaspora.yml";
         user = "diaspora";

diff --git a/nixops/modules/websites/tools/ether.nix b/nixops/modules/websites/tools/ether.nix
index 1c952af5e43a3a3691ff0ee93ae4b9fd6fca0b10..80472f0d1431c27ac1bab570263a5a9d40f303a3 100644 (file)
--- a/nixops/modules/websites/tools/ether.nix
+++ b/nixops/modules/websites/tools/ether.nix
@@ -14,7 +14,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    mySecrets.keys = [
+    secrets.keys = [
       {
         dest = "webapps/tools-etherpad-apikey";
         permissions = "0400";

diff --git a/nixops/modules/websites/tools/git/default.nix b/nixops/modules/websites/tools/git/default.nix
index e7dbd6f5ce074c368a727024a8aebe11ed0e6482..799c18097269650e7ee10c994a312f0485311259 100644 (file)
--- a/nixops/modules/websites/tools/git/default.nix
+++ b/nixops/modules/websites/tools/git/default.nix
@@ -16,7 +16,7 @@ in {
   config = lib.mkIf cfg.enable {
     security.acme.certs."eldiron".extraDomains."git.immae.eu" = null;
 
-    mySecrets.keys = mantisbt.keys;
+    secrets.keys = mantisbt.keys;
     services.myWebsites.tools.modules =
       gitweb.apache.modules ++
       mantisbt.apache.modules;

diff --git a/nixops/modules/websites/tools/mastodon.nix b/nixops/modules/websites/tools/mastodon.nix
index 3279cf8d61425f49556fc58be8fbd1f43ca1b778..c461bec4ab71101d2575d9876ac1f0615622f954 100644 (file)
--- a/nixops/modules/websites/tools/mastodon.nix
+++ b/nixops/modules/websites/tools/mastodon.nix
@@ -16,7 +16,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    mySecrets.keys = [{
+    secrets.keys = [{
       dest = "webapps/tools-mastodon";
       user = "mastodon";
       group = "mastodon";

diff --git a/nixops/modules/websites/tools/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin.nix
index bdb832336f0fca1fbfbbaf15bd70cd116cd5c75f..bf45e8efddbf065db705c9949eaa11f9202e0bb1 100644 (file)
--- a/nixops/modules/websites/tools/mediagoblin.nix
+++ b/nixops/modules/websites/tools/mediagoblin.nix
@@ -9,7 +9,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    mySecrets.keys = [{
+    secrets.keys = [{
       dest = "webapps/tools-mediagoblin";
       user = "mediagoblin";
       group = "mediagoblin";

diff --git a/nixops/modules/websites/tools/peertube.nix b/nixops/modules/websites/tools/peertube.nix
index 9a56a85cb09690d61d63aa693cc11f16d92d230a..ab5e08a18c27f8517e7e8de0b67e36059bc3f6f8 100644 (file)
--- a/nixops/modules/websites/tools/peertube.nix
+++ b/nixops/modules/websites/tools/peertube.nix
@@ -16,7 +16,7 @@ in {
     };
     users.users.peertube.extraGroups = [ "keys" ];
 
-    mySecrets.keys = [{
+    secrets.keys = [{
       dest = "webapps/tools-peertube";
       user = "peertube";
       group = "peertube";

diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
index addb2c31130e2b59ca7493eab5dfc68742c28120..7a14e12c44edbe9fd581a42900c0b067987b6d9c 100644 (file)
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -49,7 +49,7 @@ in {
     security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null;
     security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null;
 
-    mySecrets.keys =
+    secrets.keys =
       kanboard.keys
       ++ ldap.keys
       ++ roundcubemail.keys