From 1a7188052f235fb632700478fad0108e4306107d Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Fri, 10 May 2019 14:56:43 +0200 Subject: [PATCH] Move secrets module outside of nixops --- modules/default.nix | 1 + modules/myids.nix | 3 ++ {nixops/modules => modules}/secrets.nix | 30 +++++++++++-------- nixops/eldiron.nix | 1 - nixops/modules/buildbot/default.nix | 2 +- nixops/modules/databases/mysql.nix | 2 +- nixops/modules/databases/openldap.nix | 2 +- nixops/modules/databases/postgresql.nix | 2 +- nixops/modules/ftp.nix | 2 +- nixops/modules/mail.nix | 2 -- nixops/modules/mpd.nix | 2 +- nixops/modules/ssh/default.nix | 2 +- nixops/modules/task/default.nix | 2 +- nixops/modules/websites/aten/default.nix | 4 +-- nixops/modules/websites/chloe/default.nix | 4 +-- .../websites/connexionswing/default.nix | 4 +-- nixops/modules/websites/default.nix | 2 +- nixops/modules/websites/ftp/jerome.nix | 2 +- nixops/modules/websites/ludivine/default.nix | 4 +-- .../modules/websites/piedsjaloux/default.nix | 4 +-- .../websites/tellesflorian/default.nix | 2 +- nixops/modules/websites/tools/cloud.nix | 2 +- nixops/modules/websites/tools/dav/default.nix | 2 +- nixops/modules/websites/tools/diaspora.nix | 2 +- nixops/modules/websites/tools/ether.nix | 2 +- nixops/modules/websites/tools/git/default.nix | 2 +- nixops/modules/websites/tools/mastodon.nix | 2 +- nixops/modules/websites/tools/mediagoblin.nix | 2 +- nixops/modules/websites/tools/peertube.nix | 2 +- .../modules/websites/tools/tools/default.nix | 2 +- 30 files changed, 52 insertions(+), 45 deletions(-) rename {nixops/modules => modules}/secrets.nix (64%) diff --git a/modules/default.nix b/modules/default.nix index fa67144..4445c55 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,5 +1,6 @@ { myids = ./myids.nix; + secrets = ./secrets.nix; mediagoblin = ./webapps/mediagoblin.nix; peertube = ./webapps/peertube.nix; diff --git a/modules/myids.nix b/modules/myids.nix index bd6caf3..8f74425 100644 
--- a/modules/myids.nix +++ b/modules/myids.nix @@ -1,12 +1,15 @@ { ... }: { + # Check that there is no clash with nixos/modules/misc/ids.nix config = { ids.uids = { peertube = 394; + nullmailer = 396; mediagoblin = 397; }; ids.gids = { peertube = 394; + nullmailer = 396; mediagoblin = 397; }; }; diff --git a/nixops/modules/secrets.nix b/modules/secrets.nix similarity index 64% rename from nixops/modules/secrets.nix rename to modules/secrets.nix index 8500088..b282e56 100644 --- a/nixops/modules/secrets.nix +++ b/modules/secrets.nix @@ -1,14 +1,20 @@ -{ lib, pkgs, config, myconfig, mylibs, ... }: +{ lib, pkgs, config, ... }: { - options.mySecrets = { + options.secrets = { keys = lib.mkOption { type = lib.types.listOf lib.types.unspecified; - default = {}; + default = []; description = "Keys to upload to server"; }; + location = lib.mkOption { + type = lib.types.path; + default = "/var/secrets"; + description = "Location where to put the keys"; + }; }; config = let - keys = config.mySecrets.keys; + location = config.secrets.location; + keys = config.secrets.keys; empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; dumpKey = v: '' mkdir -p secrets/$(dirname ${v.dest}) 
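Review bot: The nullmailer uid and gid become the fixed literal 396 here, while the mail.nix hunk later in this patch drops the `config.ids.uids.nullmailer = myconfig.env.users.nullmailer.uid;` and gid bindings; if the value previously deployed from myconfig was not 396, files already owned by nullmailer on the host keep the old numeric owner, and any later allocation of that number to another service would give that service read access to them, so the old value is worth confirming before deploying. The added comment `# Check that there is no clash with nixos/modules/misc/ids.nix` asks the reader to do a check rather than recording that it was done; a note such as `# 394/396/397 verified absent from nixos/modules/misc/ids.nix at <nixpkgs revision>` (revision not on this page) would let the next person skip repeating it.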
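Review bot: The new `location` option's description does not say that the module treats the directory as its own and, in the next hunk, runs `rm -rf ${location}` and recreates it whenever the uploaded tarball changes, so a user pointing it at a directory holding anything else would lose that content. Suggest `description = "Directory owned by this module for the uploaded keys; it is removed and recreated on activation whenever the secrets tarball changes and must not hold other data";`, and mention that `types.path` already requires an absolute path. The `keys` option keeps `listOf unspecified`, although `dumpKey` reads `dest` and the callers in this patch supply `dest`, `permissions`, `user` and `group`; a `submodule` type declaring those fields would surface a missing attribute at evaluation time rather than as a shell error during activation. The `config = let … in` expression this hunk starts continues in the following hunk.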
@@ -25,19 +31,19 @@ tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k" done ''; - in { + in lib.mkIf (builtins.length keys > 0) { system.activationScripts.secrets = { deps = [ "users" "wrappers" ]; text = '' - install -m0750 -o root -g keys -d /var/secrets + install -m0750 -o root -g keys -d ${location} if [ -f /run/keys/secrets.tar ]; then - if [ ! -f /var/secrets/currentSecrets ] || ! sha512sum -c --status "/var/secrets/currentSecrets"; then + if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then echo "rebuilding secrets" - rm -rf /var/secrets - install -m0750 -o root -g keys -d /var/secrets - ${pkgs.gnutar}/bin/tar --strip-components 1 -C /var/secrets -xf /run/keys/secrets.tar - sha512sum /run/keys/secrets.tar > /var/secrets/currentSecrets - find /var/secrets -type d -exec chown root:keys {} \; -exec chmod o-rx {} \; + rm -rf ${location} + install -m0750 -o root -g keys -d ${location} + ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar + sha512sum /run/keys/secrets.tar > ${location}/currentSecrets + find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \; fi fi ''; diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix index 71615fa..7d97377 100644 --- a/nixops/eldiron.nix +++ b/nixops/eldiron.nix @@ -45,7 +45,6 @@ ./modules/irc.nix ./modules/buildbot ./modules/dns.nix - ./modules/secrets.nix ] ++ (builtins.attrValues (import ../modules)); services.myGitolite.enable = true; services.myDatabases.enable = true; diff --git a/nixops/modules/buildbot/default.nix b/nixops/modules/buildbot/default.nix index 7632602..5cf833b 100644 --- a/nixops/modules/buildbot/default.nix +++ b/nixops/modules/buildbot/default.nix @@ -106,7 +106,7 @@ in ''; }) myconfig.env.buildbot.projects; - mySecrets.keys = ( + secrets.keys = ( lib.lists.flatten ( lib.attrsets.mapAttrsToList (k: project: lib.attrsets.mapAttrsToList (k: v: 
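Review bot: `${location}` is now spliced unquoted into the activation script at every use (both `install` lines, the `if [ ! -f ${location}/currentSecrets ]` test, `rm -rf`, `tar -C`, the `sha512sum` redirection and `find`), so a value containing whitespace or glob characters is word-split, and a `location` of `/` would make `rm -rf ${location}` remove the root filesystem before the tarball is re-extracted. Binding an escaped form once and rejecting the `/` value with an assertion, as sketched below, closes both; `types.path` already rejects relative values, so only that case needs the check. The same test line quotes the path for `sha512sum` but not for `-f`, which the escaped binding also makes consistent. A host whose `keys` list later becomes empty falls outside the new `lib.mkIf` and keeps whatever was extracted earlier; whether that is intended cannot be told from this hunk. The enclosing `config = let … in` starts in the previous hunk.
```nix
in lib.mkIf (builtins.length keys > 0) {
  assertions = [{
    assertion = toString location != "/";
    message = "secrets.location must not be the root directory";
  }];
  system.activationScripts.secrets = {
    deps = [ "users" "wrappers" ];
    text = let loc = lib.escapeShellArg (toString location); in ''
      install -m0750 -o root -g keys -d ${loc}
      # … unchanged: /run/keys/secrets.tar presence test …
        if [ ! -f ${loc}/currentSecrets ] || ! sha512sum -c --status ${loc}/currentSecrets; then
      # … unchanged: echo; the rm/install/tar/sha512sum/find lines likewise use the escaped binding …
    '';
```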
diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix index 2d56155..23b8b90 100644 --- a/nixops/modules/databases/mysql.nix +++ b/nixops/modules/databases/mysql.nix @@ -44,7 +44,7 @@ in { ''; }; - mySecrets.keys = [ + secrets.keys = [ { dest = "mysql/mysqldump"; permissions = "0400"; diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix index a447ccc..542e209 100644 --- a/nixops/modules/databases/openldap.nix +++ b/nixops/modules/databases/openldap.nix @@ -56,7 +56,7 @@ in { }; config = lib.mkIf cfg.enable { - mySecrets.keys = [ + secrets.keys = [ { dest = "ldap/password"; permissions = "0400"; diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix index b113e9f..3a58c48 100644 --- a/nixops/modules/databases/postgresql.nix +++ b/nixops/modules/databases/postgresql.nix @@ -69,7 +69,7 @@ in { ''; }; - mySecrets.keys = [ + secrets.keys = [ { dest = "postgresql/pam"; permissions = "0400"; diff --git a/nixops/modules/ftp.nix b/nixops/modules/ftp.nix index 541e119..871e9ef 100644 --- a/nixops/modules/ftp.nix +++ b/nixops/modules/ftp.nix @@ -43,7 +43,7 @@ install -m 0755 -o ftp -g ftp -d /var/lib/ftp ''; - mySecrets.keys = [{ + secrets.keys = [{ dest = "pure-ftpd-ldap"; permissions = "0400"; user = "ftp"; diff --git a/nixops/modules/mail.nix b/nixops/modules/mail.nix index 6ec9165..993e5f1 100644 --- a/nixops/modules/mail.nix +++ b/nixops/modules/mail.nix @@ -1,7 +1,5 @@ { lib, pkgs, config, myconfig, mylibs, ... }: { - config.ids.uids.nullmailer = myconfig.env.users.nullmailer.uid; - config.ids.gids.nullmailer = myconfig.env.users.nullmailer.gid; config.users.users.nullmailer.uid = config.ids.uids.nullmailer; config.users.groups.nullmailer.gid = config.ids.gids.nullmailer; diff --git a/nixops/modules/mpd.nix b/nixops/modules/mpd.nix index 7c896ca..83c225b 100644 --- a/nixops/modules/mpd.nix +++ b/nixops/modules/mpd.nix 
@@ -1,7 +1,7 @@ { lib, pkgs, config, myconfig, mylibs, ... }: { config = { - mySecrets.keys = [ + secrets.keys = [ { dest = "mpd"; permissions = "0400"; diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix index 4dc0d65..e8d6063 100644 --- a/nixops/modules/ssh/default.nix +++ b/nixops/modules/ssh/default.nix @@ -8,7 +8,7 @@ AuthorizedKeysCommandUser nobody ''; - mySecrets.keys = [{ + secrets.keys = [{ dest = "ssh-ldap"; user = "nobody"; group = "nogroup"; diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix index 1f5ddd2..01d032d 100644 --- a/nixops/modules/task/default.nix +++ b/nixops/modules/task/default.nix @@ -86,7 +86,7 @@ in { }; config = lib.mkIf cfg.enable { - mySecrets.keys = [{ + secrets.keys = [{ dest = "webapps/tools-taskwarrior-web"; user = "wwwrun"; group = "wwwrun"; diff --git a/nixops/modules/websites/aten/default.nix b/nixops/modules/websites/aten/default.nix index 6f58d3c..f6efe01 100644 --- a/nixops/modules/websites/aten/default.nix +++ b/nixops/modules/websites/aten/default.nix @@ -25,7 +25,7 @@ in { config = lib.mkMerge [ (lib.mkIf cfg.production.enable { - mySecrets.keys = aten_prod.keys; + secrets.keys = aten_prod.keys; services.myWebsites.commons.stats.enable = true; services.myWebsites.commons.stats.sites = [ { @@ -59,7 +59,7 @@ in { }; }) (lib.mkIf cfg.integration.enable { - mySecrets.keys = aten_dev.keys; + secrets.keys = aten_dev.keys; security.acme.certs."eldiron".extraDomains."dev.aten.pro" = null; services.myPhpfpm.preStart.aten_dev = aten_dev.phpFpm.preStart; services.myPhpfpm.serviceDependencies.aten_dev = aten_dev.phpFpm.serviceDeps; diff --git a/nixops/modules/websites/chloe/default.nix b/nixops/modules/websites/chloe/default.nix index 33ced2e..0ea9213 100644 --- a/nixops/modules/websites/chloe/default.nix +++ b/nixops/modules/websites/chloe/default.nix 
@@ -25,7 +25,7 @@ in { config = lib.mkMerge [ (lib.mkIf cfg.production.enable { - mySecrets.keys = chloe_prod.keys; + secrets.keys = chloe_prod.keys; services.myWebsites.commons.stats.enable = true; services.myWebsites.commons.stats.sites = [ { @@ -60,7 +60,7 @@ in { }; }) (lib.mkIf cfg.integration.enable { - mySecrets.keys = chloe_dev.keys; + secrets.keys = chloe_dev.keys; security.acme.certs."eldiron".extraDomains."chloe.immae.eu" = null; services.myPhpfpm.serviceDependencies.chloe_dev = chloe_dev.phpFpm.serviceDeps; services.myPhpfpm.poolConfigs.chloe_dev = chloe_dev.phpFpm.pool; diff --git a/nixops/modules/websites/connexionswing/default.nix b/nixops/modules/websites/connexionswing/default.nix index c0036d8..2966cb8 100644 --- a/nixops/modules/websites/connexionswing/default.nix +++ b/nixops/modules/websites/connexionswing/default.nix @@ -25,7 +25,7 @@ in { config = lib.mkMerge [ (lib.mkIf cfg.production.enable { - mySecrets.keys = connexionswing_prod.keys; + secrets.keys = connexionswing_prod.keys; services.myWebsites.commons.stats.enable = true; services.myWebsites.commons.stats.sites = [ { @@ -61,7 +61,7 @@ in { }; }) (lib.mkIf cfg.integration.enable { - mySecrets.keys = connexionswing_dev.keys; + secrets.keys = connexionswing_dev.keys; security.acme.certs."eldiron".extraDomains."sandetludo.immae.eu" = null; security.acme.certs."eldiron".extraDomains."connexionswing.immae.eu" = null; services.myPhpfpm.preStart.connexionswing_dev = connexionswing_dev.phpFpm.preStart; diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix index 555e780..ceef1e1 100644 --- a/nixops/modules/websites/default.nix +++ b/nixops/modules/websites/default.nix @@ -228,7 +228,7 @@ in services.myWebsites.TellesFlorian.integration.enable = true; services.myWebsites.Florian.integration.enable = true; - mySecrets.keys = [{ + secrets.keys = [{ dest = "apache-ldap"; user = "wwwrun"; group = "wwwrun"; 
diff --git a/nixops/modules/websites/ftp/jerome.nix b/nixops/modules/websites/ftp/jerome.nix index 18d16a1..610de02 100644 --- a/nixops/modules/websites/ftp/jerome.nix +++ b/nixops/modules/websites/ftp/jerome.nix @@ -29,7 +29,7 @@ in { domain = "naturaloutil.immae.eu"; }; - mySecrets.keys = [{ + secrets.keys = [{ dest = "webapps/prod-naturaloutil"; user = "wwwrun"; group = "wwwrun"; diff --git a/nixops/modules/websites/ludivine/default.nix b/nixops/modules/websites/ludivine/default.nix index a3d3922..7fa33ed 100644 --- a/nixops/modules/websites/ludivine/default.nix +++ b/nixops/modules/websites/ludivine/default.nix @@ -21,7 +21,7 @@ in { config = lib.mkMerge [ (lib.mkIf cfg.production.enable { - mySecrets.keys = ludivinecassal_prod.keys; + secrets.keys = ludivinecassal_prod.keys; services.myWebsites.commons.stats.enable = true; services.myWebsites.commons.stats.sites = [ { @@ -54,7 +54,7 @@ in { }; }) (lib.mkIf cfg.integration.enable { - mySecrets.keys = ludivinecassal_dev.keys; + secrets.keys = ludivinecassal_dev.keys; security.acme.certs."eldiron".extraDomains."ludivine.immae.eu" = null; services.myPhpfpm.preStart.ludivinecassal_dev = ludivinecassal_dev.phpFpm.preStart; diff --git a/nixops/modules/websites/piedsjaloux/default.nix b/nixops/modules/websites/piedsjaloux/default.nix index b2bd2fd..d75170f 100644 --- a/nixops/modules/websites/piedsjaloux/default.nix +++ b/nixops/modules/websites/piedsjaloux/default.nix @@ -25,7 +25,7 @@ in { config = lib.mkMerge [ (lib.mkIf cfg.production.enable { - mySecrets.keys = piedsjaloux_prod.keys; + secrets.keys = piedsjaloux_prod.keys; services.myWebsites.commons.stats.enable = true; services.myWebsites.commons.stats.sites = [ { 
@@ -58,7 +58,7 @@ in { }; }) (lib.mkIf cfg.integration.enable { - mySecrets.keys = piedsjaloux_dev.keys; + secrets.keys = piedsjaloux_dev.keys; security.acme.certs."eldiron".extraDomains."piedsjaloux.immae.eu" = null; services.myPhpfpm.preStart.piedsjaloux_dev = piedsjaloux_dev.phpFpm.preStart; services.myPhpfpm.serviceDependencies.piedsjaloux_dev = piedsjaloux_dev.phpFpm.serviceDeps; diff --git a/nixops/modules/websites/tellesflorian/default.nix b/nixops/modules/websites/tellesflorian/default.nix index 16d788f..f86b0c5 100644 --- a/nixops/modules/websites/tellesflorian/default.nix +++ b/nixops/modules/websites/tellesflorian/default.nix @@ -16,7 +16,7 @@ in { }; config = lib.mkIf cfg.integration.enable { - mySecrets.keys = tellesflorian_dev.keys; + secrets.keys = tellesflorian_dev.keys; security.acme.certs."eldiron".extraDomains."app.tellesflorian.com" = null; services.myPhpfpm.preStart.tellesflorian_dev = tellesflorian_dev.phpFpm.preStart; services.myPhpfpm.serviceDependencies.tellesflorian_dev = tellesflorian_dev.phpFpm.serviceDeps; diff --git a/nixops/modules/websites/tools/cloud.nix b/nixops/modules/websites/tools/cloud.nix index a7fcd61..8af2914 100644 --- a/nixops/modules/websites/tools/cloud.nix +++ b/nixops/modules/websites/tools/cloud.nix @@ -80,7 +80,7 @@ in { ]; }; - mySecrets.keys = [{ + secrets.keys = [{ dest = "webapps/tools-nextcloud"; user = "wwwrun"; group = "wwwrun"; diff --git a/nixops/modules/websites/tools/dav/default.nix b/nixops/modules/websites/tools/dav/default.nix index c24f8db..bf5e412 100644 --- a/nixops/modules/websites/tools/dav/default.nix +++ b/nixops/modules/websites/tools/dav/default.nix @@ -29,7 +29,7 @@ in { config = lib.mkIf cfg.enable { security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null; - mySecrets.keys = davical.keys; + secrets.keys = davical.keys; services.myWebsites.tools.modules = davical.apache.modules; services.myWebsites.tools.vhostConfs.dav = { 
diff --git a/nixops/modules/websites/tools/diaspora.nix b/nixops/modules/websites/tools/diaspora.nix index 53989b7..1088e71 100644 --- a/nixops/modules/websites/tools/diaspora.nix +++ b/nixops/modules/websites/tools/diaspora.nix @@ -35,7 +35,7 @@ in { }; users.groups.diaspora.gid = config.ids.gids.diaspora; - mySecrets.keys = [ + secrets.keys = [ { dest = "webapps/diaspora/diaspora.yml"; user = "diaspora"; diff --git a/nixops/modules/websites/tools/ether.nix b/nixops/modules/websites/tools/ether.nix index 1c952af..80472f0 100644 --- a/nixops/modules/websites/tools/ether.nix +++ b/nixops/modules/websites/tools/ether.nix @@ -14,7 +14,7 @@ in { }; config = lib.mkIf cfg.enable { - mySecrets.keys = [ + secrets.keys = [ { dest = "webapps/tools-etherpad-apikey"; permissions = "0400"; diff --git a/nixops/modules/websites/tools/git/default.nix b/nixops/modules/websites/tools/git/default.nix index e7dbd6f..799c180 100644 --- a/nixops/modules/websites/tools/git/default.nix +++ b/nixops/modules/websites/tools/git/default.nix @@ -16,7 +16,7 @@ in { config = lib.mkIf cfg.enable { security.acme.certs."eldiron".extraDomains."git.immae.eu" = null; - mySecrets.keys = mantisbt.keys; + secrets.keys = mantisbt.keys; services.myWebsites.tools.modules = gitweb.apache.modules ++ mantisbt.apache.modules; diff --git a/nixops/modules/websites/tools/mastodon.nix b/nixops/modules/websites/tools/mastodon.nix index 3279cf8..c461bec 100644 --- a/nixops/modules/websites/tools/mastodon.nix +++ b/nixops/modules/websites/tools/mastodon.nix @@ -16,7 +16,7 @@ in { }; config = lib.mkIf cfg.enable { - mySecrets.keys = [{ + secrets.keys = [{ dest = "webapps/tools-mastodon"; user = "mastodon"; group = "mastodon"; diff --git a/nixops/modules/websites/tools/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin.nix index bdb8323..bf45e8e 100644 --- a/nixops/modules/websites/tools/mediagoblin.nix +++ b/nixops/modules/websites/tools/mediagoblin.nix 
@@ -9,7 +9,7 @@ in { }; config = lib.mkIf cfg.enable { - mySecrets.keys = [{ + secrets.keys = [{ dest = "webapps/tools-mediagoblin"; user = "mediagoblin"; group = "mediagoblin"; diff --git a/nixops/modules/websites/tools/peertube.nix b/nixops/modules/websites/tools/peertube.nix index 9a56a85..ab5e08a 100644 --- a/nixops/modules/websites/tools/peertube.nix +++ b/nixops/modules/websites/tools/peertube.nix @@ -16,7 +16,7 @@ in { }; users.users.peertube.extraGroups = [ "keys" ]; - mySecrets.keys = [{ + secrets.keys = [{ dest = "webapps/tools-peertube"; user = "peertube"; group = "peertube"; diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix index addb2c3..7a14e12 100644 --- a/nixops/modules/websites/tools/tools/default.nix +++ b/nixops/modules/websites/tools/tools/default.nix @@ -49,7 +49,7 @@ in { security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null; security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null; - mySecrets.keys = + secrets.keys = kanboard.keys ++ ldap.keys ++ roundcubemail.keys -- 2.41.0