From 4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0 Mon Sep 17 00:00:00 2001 
From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 16 Oct 2021 17:40:07 +0200 Subject: [PATCH] Use attrs for secrets instead of lists --- flakes/private/openarc/flake.lock | 2 +- flakes/private/opendmarc/flake.lock | 2 +- flakes/private/opendmarc/flake.nix | 9 +-- flakes/secrets/flake.nix | 49 +++++++++++-- modules/duply_backup/default.nix | 19 ++--- modules/naemon/default.nix | 9 +-- modules/private/buildbot/default.nix | 36 ++++----- modules/private/databases/mariadb.nix | 19 ++--- .../private/databases/mariadb_replication.nix | 24 +++--- .../private/databases/openldap/default.nix | 19 ++--- .../databases/openldap_replication.nix | 14 ++-- modules/private/databases/postgresql.nix | 14 ++-- .../databases/postgresql_replication.nix | 19 ++--- modules/private/databases/redis.nix | 14 ++-- .../private/databases/redis_replication.nix | 14 ++-- modules/private/dns.nix | 5 +- modules/private/ejabberd/default.nix | 14 ++-- modules/private/ftp.nix | 5 +- modules/private/gitolite/default.nix | 5 +- modules/private/mail/dovecot.nix | 45 ++++++------ modules/private/mail/milters.nix | 19 ++--- modules/private/mail/opensmtpd.nix | 19 ++--- modules/private/mail/postfix.nix | 42 +++++------ modules/private/mail/relay.nix | 24 +++--- modules/private/mail/sympa.nix | 17 ++--- modules/private/monitoring/default.nix | 13 ++-- modules/private/monitoring/status.nix | 19 ++--- modules/private/monitoring/status_engine.nix | 5 +- modules/private/mpd.nix | 14 ++-- modules/private/ssh/default.nix | 5 +- modules/private/system/backup-2.nix | 14 ++-- modules/private/system/eldiron.nix | 14 ++-- modules/private/system/monitoring-1.nix | 9 +-- modules/private/system/quatresaisons.nix | 14 ++-- .../system/quatresaisons/databases.nix | 14 ++-- modules/private/tasks/default.nix | 10 +-- modules/private/vpn/default.nix | 14 ++-- .../private/websites/chloe/integration.nix | 43 +++++------ modules/private/websites/chloe/production.nix | 43 +++++------ .../websites/connexionswing/integration.nix | 47 
++++++------ .../websites/connexionswing/production.nix | 55 +++++++------- modules/private/websites/default.nix | 5 +- modules/private/websites/florian/app.nix | 14 ++-- modules/private/websites/immae/temp.nix | 33 ++++----- .../websites/isabelle/aten_integration.nix | 5 +- .../websites/isabelle/aten_production.nix | 5 +- .../private/websites/isabelle/iridologie.nix | 43 +++++------ .../private/websites/jerome/naturaloutil.nix | 5 +- .../private/websites/ludivine/integration.nix | 73 +++++++++---------- .../private/websites/ludivine/production.nix | 73 +++++++++---------- .../websites/piedsjaloux/integration.nix | 49 ++++++------- .../websites/piedsjaloux/production.nix | 49 ++++++------- .../private/websites/richie/production.nix | 5 +- modules/private/websites/syden/peertube.nix | 5 +- .../private/websites/tools/cloud/default.nix | 5 +- .../websites/tools/commento/default.nix | 11 ++- .../private/websites/tools/dav/davical.nix | 5 +- .../websites/tools/diaspora/default.nix | 24 +++--- .../private/websites/tools/ether/default.nix | 19 ++--- .../private/websites/tools/git/mantisbt.nix | 5 +- .../websites/tools/mail/roundcubemail.nix | 5 +- .../websites/tools/mastodon/default.nix | 5 +- .../websites/tools/mgoblin/default.nix | 5 +- .../websites/tools/peertube/default.nix | 5 +- .../websites/tools/performance/default.nix | 9 +-- .../private/websites/tools/stats/default.nix | 9 +-- .../websites/tools/tools/csp_reports.nix | 5 +- .../private/websites/tools/tools/default.nix | 16 ++-- .../websites/tools/tools/dmarc_reports.nix | 5 +- .../private/websites/tools/tools/kanboard.nix | 5 +- modules/private/websites/tools/tools/ldap.nix | 5 +- .../private/websites/tools/tools/shaarli.nix | 5 +- .../private/websites/tools/tools/ttrss.nix | 5 +- .../private/websites/tools/tools/wallabag.nix | 5 +- .../private/websites/tools/tools/webhooks.nix | 19 ++--- .../private/websites/tools/tools/yourls.nix | 5 +- modules/zrepl.nix | 9 +-- 77 files changed, 617 insertions(+), 729 
deletions(-) diff --git a/flakes/private/openarc/flake.lock b/flakes/private/openarc/flake.lock index 744d002..be75993 100644 --- a/flakes/private/openarc/flake.lock +++ b/flakes/private/openarc/flake.lock @@ -146,7 +146,7 @@ }, "secrets": { "locked": { - "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=", + "narHash": "sha256-w3u1bMEJHCg9SqErJ5Qi0sTX2xx7mk+HrHZXzpjQd1w=", "path": "../../secrets", "type": "path" }, diff --git a/flakes/private/opendmarc/flake.lock b/flakes/private/opendmarc/flake.lock index bd5019c..f40e1a9 100644 --- a/flakes/private/opendmarc/flake.lock +++ b/flakes/private/opendmarc/flake.lock @@ -129,7 +129,7 @@ }, "secrets": { "locked": { - "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=", + "narHash": "sha256-w3u1bMEJHCg9SqErJ5Qi0sTX2xx7mk+HrHZXzpjQd1w=", "path": "../../secrets", "type": "path" }, diff --git a/flakes/private/opendmarc/flake.nix b/flakes/private/opendmarc/flake.nix index 2b73070..e2575e7 100644 --- a/flakes/private/opendmarc/flake.nix +++ b/flakes/private/opendmarc/flake.nix @@ -53,9 +53,8 @@ config.secrets.fullPaths."opendmarc/ignore.hosts" ]; }; - secrets.keys = [ - { - dest = "opendmarc/ignore.hosts"; + secrets.keys = { + "opendmarc/ignore.hosts" = { user = config.services.opendmarc.user; group = config.services.opendmarc.group; permissions = "0400"; @@ -67,8 +66,8 @@ builtins.concatStringsSep "\n" ([ config.myEnv.mail.dmarc.ignore_hosts ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes); - } - ]; + }; + }; }; }; in diff --git a/flakes/secrets/flake.nix b/flakes/secrets/flake.nix index 0ee6a40..ef74a30 100644 --- a/flakes/secrets/flake.nix +++ b/flakes/secrets/flake.nix 
@@ -5,9 +5,42 @@ nixosModule = { config, lib, pkgs, ... }: { options.secrets = with lib; { keys = mkOption { - type = types.listOf types.unspecified; - default = []; - description = "Keys to upload to server"; + type = types.attrsOf (types.submodule { + options = { + isTemplated = mkOption { + type = types.bool; + default = true; + description = "If the file is a gucci template that needs to be resolved"; + }; + isDir = mkOption { + type = types.bool; + default = false; + description = "If the entry is a directory"; + }; + group = mkOption { + type = types.str; + default = "root"; + description = "Group to associate to the entry"; + }; + user = mkOption { + type = types.str; + default = "root"; + description = "User to associate to the entry"; + }; + permissions = mkOption { + type = types.str; + default = "0600"; + description = "Permissions to associate to the entry"; + }; + text = mkOption { + type = types.str; + description = "Content of the entry"; + }; + }; + }); + default = {}; + description = "Keys attrs to upload to the server"; + apply = lib.mapAttrsToList (dest: v: v // { inherit dest; }); }; gpgKeys = mkOption { type = types.listOf types.path; @@ -52,20 +85,20 @@ location = config.secrets.location; keys = config.secrets.keys; empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; - fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}"; + fpath = v: "secrets/${v.dest}${lib.optionalString v.isTemplated ".gucci.tpl"}"; dumpKey = v: - if v.isDir or false then + if v.isDir then '' mkdir -p secrets/${v.dest} cat >> mods < ${fpath v} cat >> mods < 0) " -not \\( ${exclPath} \\) "; diff --git a/modules/duply_backup/default.nix b/modules/duply_backup/default.nix index 7034a91..846b1d4 100644 --- a/modules/duply_backup/default.nix +++ b/modules/duply_backup/default.nix 
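Review bot: `permissions` in the new submodule is a bare `types.str`, so a three-digit mode, a stray character or a value swapped with `user` passes evaluation and only fails when the secret is installed; every mode on this page is a four-digit octal string, so `type = types.strMatching "[0-7]{3,4}";` would reject such typos at eval time. `text` has no default, yet the `isDir = true` entries elsewhere in the patch (duply_backup, openldap, milters) never set it; that presumably works only because `dumpKey` in the next hunk reads `text` on the file branch alone (that branch is garbled on this page), and the option should say so, e.g. `description = "Content of the entry; unused (and left unset) when isDir is true";`. `apply = lib.mapAttrsToList (dest: v: v // { inherit dest; })` also means anyone reading `config.secrets.keys` gets a list with `dest` injected rather than the declared attrset, which `description = "Keys attrs to upload to the server"` does not convey.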
@@ -75,24 +75,21 @@ in system.activationScripts.backup = '' install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches ''; - secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: + secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (k: v: map (remote: [ - { + (lib.nameValuePair "backup/${varName k remote}/conf" { permissions = "0400"; - dest = "backup/${varName k remote}/conf"; text = duplyProfile v remote "${k}/"; - } - { + }) + (lib.nameValuePair "backup/${varName k remote}/exclude" { permissions = "0400"; - dest = "backup/${varName k remote}/exclude"; text = v.excludeFile; - } - { + }) + (lib.nameValuePair "backup/${varName k remote}" { permissions = "0500"; - dest = "backup/${varName k remote}"; isDir = true; - } - ]) v.remotes) config.services.duplyBackup.profiles); + }) + ]) v.remotes) config.services.duplyBackup.profiles)); services.cron = { enable = true; diff --git a/modules/naemon/default.nix b/modules/naemon/default.nix index 976de69..60a75b3 100644 --- a/modules/naemon/default.nix +++ b/modules/naemon/default.nix @@ -124,9 +124,8 @@ in config = mkIf cfg.enable { - secrets.keys = [ - { - dest = "naemon/resources.cfg"; + secrets.keys = { + "naemon/resources.cfg" = { user = cfg.user; group = cfg.group; permissions = "0400"; @@ -134,8 +133,8 @@ in $USER1$=${pkgs.monitoring-plugins}/libexec ${cfg.extraResource} ''; - } - ]; + }; + }; users.users = optionalAttrs (cfg.user == "naemon") { naemon = { diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix index 903f453..dc8a0d2 100644 --- a/modules/private/buildbot/default.nix +++ b/modules/private/buildbot/default.nix 
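Review bot: `lib.listToAttrs` over the flattened list silently collapses two entries that resolve to the same name (my reading of listToAttrs is that the first occurrence is kept), whereas the old list form at least carried both into the generated bundle; the same silent override applies to the `//` merges in the buildbot, redis_replication, postfix, sympa and monitoring hunks, where the right-hand operand wins. Here a collision needs two profile/remote pairs with equal `varName k remote`, which may be impossible by construction, but nothing states or checks it. Binding the flattened list to a local `entries` and adding `assert lib.length entries == lib.length (lib.unique (map (e: e.name) entries));`, or a comment on `varName` saying why it is injective, would make that explicit. The enclosing module body continues outside the hunk.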
@@ -76,33 +76,30 @@ in ''; }) config.myEnv.buildbot.projects; - secrets.keys = ( + secrets.keys = lib.listToAttrs ( lib.lists.flatten ( lib.attrsets.mapAttrsToList (k: project: lib.attrsets.mapAttrsToList (k: v: - { + (lib.nameValuePair "buildbot/${project.name}/${k}" { permissions = "0600"; user = "buildbot"; group = "buildbot"; text = v; - dest = "buildbot/${project.name}/${k}"; - } + }) ) project.secrets ++ [ - { + (lib.nameValuePair "buildbot/${project.name}/webhook-httpd-include" { permissions = "0600"; user = "wwwrun"; group = "wwwrun"; text = lib.optionalString (project.webhookTokens != null) '' Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }" ''; - dest = "buildbot/${project.name}/webhook-httpd-include"; - } - { + }) + (lib.nameValuePair "buildbot/${project.name}/environment_file" { permissions = "0600"; user = "buildbot"; group = "buildbot"; - dest = "buildbot/${project.name}/environment_file"; text = let project_env = with lib.attrsets; mapAttrs' (k: v: nameValuePair "BUILDBOT_${k}" v) project.environment // @@ -115,33 +112,30 @@ in }; in builtins.concatStringsSep "\n" (lib.mapAttrsToList (envK: envV: "${envK}=${envV}") project_env); - } + }) ] ) config.myEnv.buildbot.projects ) - ) ++ [ - { + ) // { + "buildbot/ldap" = { permissions = "0600"; user = "buildbot"; group = "buildbot"; text = config.myEnv.buildbot.ldap.password; - dest = "buildbot/ldap"; - } - { + }; + "buildbot/worker_password" = { permissions = "0600"; user = "buildbot"; group = "buildbot"; text = config.myEnv.buildbot.workerPassword; - dest = "buildbot/worker_password"; - } - { + }; + "buildbot/ssh_key" = { permissions = "0600"; user = "buildbot"; group = "buildbot"; text = config.myEnv.buildbot.ssh_key.private; - dest = "buildbot/ssh_key"; - } - ]; + }; + }; services.filesWatcher = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { restart = true; 
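Review bot: The new `(lib.nameValuePair "buildbot/${project.name}/${k}" {` line depends on the inner `k` of `mapAttrsToList (k: v: ...)`, which shadows the outer `k` of `mapAttrsToList (k: project: ...)` two lines above; the value is the right one (the secret's name), but a reader has to work out which binding is live. Renaming the inner pair, `lib.attrsets.mapAttrsToList (secretName: secretText:` with `"buildbot/${project.name}/${secretName}"` and `text = secretText;`, removes the ambiguity at no cost. The shadowing predates the patch, and the surrounding `config` attrset continues outside both hunks.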
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index 75ea747..101eb3f 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix @@ -121,9 +121,8 @@ in { ''; }; - secrets.keys = [ - { - dest = "mysql/mysqldump"; + secrets.keys = { + "mysql/mysqldump" = { permissions = "0400"; user = "root"; group = "root"; @@ -132,9 +131,8 @@ in { user = root password = ${cfg.credentials.root} ''; - } - { - dest = "mysql/pam"; + }; + "mysql/pam" = { permissions = "0400"; user = "mysql"; group = "mysql"; @@ -146,9 +144,8 @@ in { pam_filter ${filter} ssl start_tls ''; - } - { - dest = "mysql/pam_replication"; + }; + "mysql/pam_replication" = { permissions = "0400"; user = "mysql"; group = "mysql"; @@ -160,8 +157,8 @@ in { pam_login_attribute cn ssl start_tls ''; - } - ]; + }; + }; security.pam.services = let pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; diff --git a/modules/private/databases/mariadb_replication.nix b/modules/private/databases/mariadb_replication.nix index e857c41..68e6f7f 100644 --- a/modules/private/databases/mariadb_replication.nix +++ b/modules/private/databases/mariadb_replication.nix @@ -81,9 +81,8 @@ in }; users.groups.mysql.gid = config.ids.gids.mysql; - secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ - { - dest = "mysql_replication/${name}/slave_init_commands"; + secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [ + (lib.nameValuePair "mysql_replication/${name}/slave_init_commands" { user = "mysql"; group = "mysql"; permissions = "0400"; 
@@ -91,9 +90,8 @@ in CHANGE MASTER TO master_host="${hcfg.host}", master_port=${hcfg.port}, master_user="${hcfg.user}", master_password="${hcfg.password}", master_ssl=1, master_use_gtid=slave_pos; START SLAVE; ''; - } - { - dest = "mysql_replication/${name}/mysqldump_remote"; + }) + (lib.nameValuePair "mysql_replication/${name}/mysqldump_remote" { permissions = "0400"; user = "root"; group = "root"; @@ -102,9 +100,8 @@ in user = ${hcfg.user} password = ${hcfg.password} ''; - } - { - dest = "mysql_replication/${name}/mysqldump"; + }) + (lib.nameValuePair "mysql_replication/${name}/mysqldump" { permissions = "0400"; user = "root"; group = "root"; @@ -113,9 +110,8 @@ in user = ${hcfg.dumpUser} password = ${hcfg.dumpPassword} ''; - } - { - dest = "mysql_replication/${name}/client"; + }) + (lib.nameValuePair "mysql_replication/${name}/client" { permissions = "0400"; user = "mysql"; group = "mysql"; @@ -124,8 +120,8 @@ in user = ${hcfg.dumpUser} password = ${hcfg.dumpPassword} ''; - } - ]) cfg.hosts); + }) + ]) cfg.hosts)); services.cron = { enable = true; diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index f4851b5..d35aca0 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix @@ -85,29 +85,26 @@ in }; config = lib.mkIf cfg.enable { - secrets.keys = [ - { - dest = "ldap/password"; + secrets.keys = { + "ldap/password" = { permissions = "0400"; user = "openldap"; group = "openldap"; text = "rootpw ${cfg.rootPw}"; - } - { - dest = "ldap/access"; + }; + "ldap/access" = { permissions = "0400"; user = "openldap"; group = "openldap"; text = builtins.readFile cfg.accessFile; - } - { - dest = "ldap"; + }; + "ldap" = { permissions = "0500"; user = "openldap"; group = "openldap"; isDir = true; - } - ]; + }; + }; users.users.openldap.extraGroups = [ "keys" ]; networking.firewall.allowedTCPPorts = [ 636 389 ]; 
diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix index 350eecf..b456323 100644 --- a/modules/private/databases/openldap_replication.nix +++ b/modules/private/databases/openldap_replication.nix @@ -87,9 +87,8 @@ in }; users.groups.openldap.gid = config.ids.gids.openldap; - secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ - { - dest = "openldap_replication/${name}/replication_config"; + secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [ + (lib.nameValuePair "openldap_replication/${name}/replication_config" { user = "openldap"; group = "openldap"; permissions = "0400"; @@ -105,15 +104,14 @@ in binddn="${hcfg.dn}" credentials="${hcfg.password}" ''; - } - { - dest = "openldap_replication/${name}/replication_password"; + }) + (lib.nameValuePair "openldap_replication/${name}/replication_password" { user = "openldap"; group = "openldap"; permissions = "0400"; text = hcfg.password; - } - ]) cfg.hosts); + }) + ]) cfg.hosts)); services.cron = { enable = true; diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index e73bf69..a6c4cc9 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix @@ -178,9 +178,8 @@ in { ''; }; - secrets.keys = [ - { - dest = "postgresql/pam"; + secrets.keys = { + "postgresql/pam" = { permissions = "0400"; group = "postgres"; user = "postgres"; @@ -192,9 +191,8 @@ in { pam_filter ${filter} ssl start_tls ''; - } - { - dest = "postgresql/pam_replication"; + }; + "postgresql/pam_replication" = { permissions = "0400"; group = "postgres"; user = "postgres"; @@ -206,8 +204,8 @@ in { pam_login_attribute cn ssl start_tls ''; - } - ]; + }; + }; security.pam.services = let pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; 
diff --git a/modules/private/databases/postgresql_replication.nix b/modules/private/databases/postgresql_replication.nix index b103b8c..135bbed 100644 --- a/modules/private/databases/postgresql_replication.nix +++ b/modules/private/databases/postgresql_replication.nix @@ -62,9 +62,8 @@ in users.groups.postgres.gid = config.ids.gids.postgres; environment.systemPackages = [ cfg.mainPackage ]; - secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ - { - dest = "postgresql_replication/${name}/recovery.conf"; + secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [ + (lib.nameValuePair "postgresql_replication/${name}/recovery.conf" { user = "postgres"; group = "postgres"; permissions = "0400"; @@ -73,16 +72,14 @@ in primary_conninfo = '${hcfg.connection}?sslmode=require' primary_slot_name = '${hcfg.slot}' ''; - } - { - dest = "postgresql_replication/${name}/connection_string"; + }) + (lib.nameValuePair "postgresql_replication/${name}/connection_string" { user = "postgres"; group = "postgres"; permissions = "0400"; text = hcfg.connection; - } - { - dest = "postgresql_replication/${name}/postgresql.conf"; + }) + (lib.nameValuePair "postgresql_replication/${name}/postgresql.conf" { user = "postgres"; group = "postgres"; permissions = "0400"; @@ -94,8 +91,8 @@ in data_directory = '${dataDir}' wal_level = logical ''; - } - ]) cfg.hosts); + }) + ]) cfg.hosts)); services.cron = { enable = true; diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index 5c5b8b0..685fa46 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix @@ -74,9 +74,8 @@ in { }; networking.firewall.allowedTCPPorts = [ 7617 16379 ]; - secrets.keys = [ - { - dest = "redis/predixy.conf"; + secrets.keys = { + "redis/predixy.conf" = { user = "redis"; group = "redis"; permissions = "0400"; 
@@ -100,15 +99,14 @@ in { } } ''; - } - { - dest = "redis/spiped_keyfile"; + }; + "redis/spiped_keyfile" = { user = "spiped"; group = "spiped"; permissions = "0400"; text = config.myEnv.databases.redis.spiped_key; - } - ]; + }; + }; systemd.slices.redis = { description = "Redis slice"; diff --git a/modules/private/databases/redis_replication.nix b/modules/private/databases/redis_replication.nix index 3caa7e9..9e48939 100644 --- a/modules/private/databases/redis_replication.nix +++ b/modules/private/databases/redis_replication.nix @@ -68,9 +68,8 @@ in }; }; - secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ - { - dest = "redis_replication/${name}/config"; + secrets.keys = lib.mapAttrs' (name: hcfg: + lib.nameValuePair "redis_replication/${name}/config" { user = "redis"; group = "redis"; permissions = "0400"; @@ -97,15 +96,14 @@ in maxclients 1024 ''; } - ]) cfg.hosts) ++ [ - { # For eldiron only - dest = "redis/spiped_eldiron_keyfile"; + ) cfg.hosts // { + "redis/spiped_eldiron_keyfile" = { # For eldiron only user = "spiped"; group = "spiped"; permissions = "0400"; text = config.myEnv.databases.redis.spiped_key; - } - ]; + }; + }; services.cron = { enable = true; diff --git a/modules/private/dns.nix b/modules/private/dns.nix index 32c52a9..1d7fd52 100644 --- a/modules/private/dns.nix +++ b/modules/private/dns.nix @@ -87,9 +87,8 @@ networking.firewall.allowedUDPPorts = [ 53 ]; networking.firewall.allowedTCPPorts = [ 53 ]; users.users.named.extraGroups = [ "keys" ]; - secrets.keys = lib.mapAttrsToList (k: v: - { - dest = "bind/${k}.key"; + secrets.keys = lib.mapAttrs' (k: v: + lib.nameValuePair "bind/${k}.key" { permissions = "0400"; user = "named"; text = '' diff --git a/modules/private/ejabberd/default.nix b/modules/private/ejabberd/default.nix index d051d79..4d86a64 100644 --- a/modules/private/ejabberd/default.nix +++ b/modules/private/ejabberd/default.nix 
@@ -37,9 +37,8 @@ in systemd.services.ejabberd.postStop = '' rm /var/log/ejabberd/erl_crash*.dump ''; - secrets.keys = [ - { - dest = "ejabberd/psql.yml"; + secrets.keys = { + "ejabberd/psql.yml" = { permissions = "0400"; user = "ejabberd"; group = "ejabberd"; @@ -50,9 +49,8 @@ in sql_username: "${config.myEnv.jabber.postgresql.user}" sql_password: "${config.myEnv.jabber.postgresql.password}" ''; - } - { - dest = "ejabberd/host.yml"; + }; + "ejabberd/host.yml" = { permissions = "0400"; user = "ejabberd"; group = "ejabberd"; @@ -71,8 +69,8 @@ in immaeXmppUid: "%u" ldap_filter: "${config.myEnv.jabber.ldap.filter}" ''; - } - ]; + }; + }; users.users.ejabberd.extraGroups = [ "keys" ]; services.ejabberd = { package = pkgs.ejabberd.override { withPgsql = true; }; diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix index 07db0f4..1428198 100644 --- a/modules/private/ftp.nix +++ b/modules/private/ftp.nix @@ -47,8 +47,7 @@ in install -m 0755 -o ftp -g ftp -d /var/lib/ftp ''; - secrets.keys = [{ - dest = "pure-ftpd-ldap"; + secrets.keys."pure-ftpd-ldap" = { permissions = "0400"; user = "ftp"; group = "ftp"; @@ -71,7 +70,7 @@ in # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid LDAPHomeDir immaeFtpDirectory ''; - }]; + }; services.filesWatcher.pure-ftpd = { restart = true; diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix index 0fb1a99..20d2cd5 100644 --- a/modules/private/gitolite/default.nix +++ b/modules/private/gitolite/default.nix @@ -21,13 +21,12 @@ in { }; networking.firewall.allowedTCPPorts = [ 9418 ]; - secrets.keys = [{ - dest = "gitolite/ldap_password"; + secrets.keys."gitolite/ldap_password" = { user = "gitolite"; group = "gitolite"; permissions = "0400"; text = config.myEnv.tools.gitolite.ldap.password; - }]; + }; services.gitDaemon = { enable = true; diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix index 23e795f..0ef3467 100644 
--- a/modules/private/mail/dovecot.nix +++ b/modules/private/mail/dovecot.nix @@ -18,36 +18,33 @@ in + /var/lib/dhparams + /var/lib/dovecot ''; - secrets.keys = [ - { - dest = "dovecot/ldap"; - user = config.services.dovecot2.user; - group = config.services.dovecot2.group; - permissions = "0400"; - text = '' - hosts = ${config.myEnv.mail.dovecot.ldap.host} - tls = yes + secrets.keys."dovecot/ldap" = { + user = config.services.dovecot2.user; + group = config.services.dovecot2.group; + permissions = "0400"; + text = '' + hosts = ${config.myEnv.mail.dovecot.ldap.host} + tls = yes - dn = ${config.myEnv.mail.dovecot.ldap.dn} - dnpass = ${config.myEnv.mail.dovecot.ldap.password} + dn = ${config.myEnv.mail.dovecot.ldap.dn} + dnpass = ${config.myEnv.mail.dovecot.ldap.password} - auth_bind = yes + auth_bind = yes - ldap_version = 3 + ldap_version = 3 - base = ${config.myEnv.mail.dovecot.ldap.base} - scope = subtree + base = ${config.myEnv.mail.dovecot.ldap.base} + scope = subtree - pass_filter = ${config.myEnv.mail.dovecot.ldap.filter} - pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs} + pass_filter = ${config.myEnv.mail.dovecot.ldap.filter} + pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs} - user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs} - user_filter = ${config.myEnv.mail.dovecot.ldap.filter} - iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs} - iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter} - ''; - } - ]; + user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs} + user_filter = ${config.myEnv.mail.dovecot.ldap.filter} + iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs} + iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter} + ''; + }; users.users.vhost = { group = "vhost"; diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix index 172e216..4b93a7a 100644 --- a/modules/private/mail/milters.nix +++ b/modules/private/mail/milters.nix 
@@ -17,30 +17,27 @@ ''; }; config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) { - secrets.keys = [ - { - dest = "opendkim"; + secrets.keys = { + "opendkim" = { isDir = true; user = config.services.opendkim.user; group = config.services.opendkim.group; permissions = "0550"; - } - { - dest = "opendkim/eldiron.private"; + }; + "opendkim/eldiron.private" = { user = config.services.opendkim.user; group = config.services.opendkim.group; permissions = "0400"; text = config.myEnv.mail.dkim.eldiron.private; - } - { - dest = "opendkim/eldiron.txt"; + }; + "opendkim/eldiron.txt" = { user = config.services.opendkim.user; group = config.services.opendkim.group; permissions = "0444"; text = '' eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}''; - } - ]; + }; + }; users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ]; services.opendkim = { enable = true; diff --git a/modules/private/mail/opensmtpd.nix b/modules/private/mail/opensmtpd.nix index a7be066..e05bba9 100644 --- a/modules/private/mail/opensmtpd.nix +++ b/modules/private/mail/opensmtpd.nix @@ -1,17 +1,14 @@ { lib, pkgs, config, name, ... }: { config = lib.mkIf config.myServices.mailRelay.enable { - secrets.keys = [ - { - dest = "opensmtpd/creds"; - user = "smtpd"; - group = "smtpd"; - permissions = "0400"; - text = '' - eldiron ${name}:${config.hostEnv.ldap.password} - ''; - } - ]; + secrets.keys."opensmtpd/creds" = { + user = "smtpd"; + group = "smtpd"; + permissions = "0400"; + text = '' + eldiron ${name}:${config.hostEnv.ldap.password} + ''; + }; users.users.smtpd.extraGroups = [ "keys" ]; services.opensmtpd = { enable = true; diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index de5e59d..054b93e 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix 
@@ -4,9 +4,8 @@ services.duplyBackup.profiles.mail.excludeFile = '' + /var/lib/postfix ''; - secrets.keys = [ - { - dest = "postfix/mysql_alias_maps"; + secrets.keys = { + "postfix/mysql_alias_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -32,9 +31,8 @@ FROM forwardings_blacklisted WHERE source = '%s' ''; - } - { - dest = "postfix/ldap_mailboxes"; + }; + "postfix/ldap_mailboxes" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -48,9 +46,8 @@ result_format = dummy version = 3 ''; - } - { - dest = "postfix/mysql_sender_login_maps"; + }; + "postfix/mysql_sender_login_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -72,9 +69,8 @@ AND active = 1 UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination ''; - } - { - dest = "postfix/mysql_sender_relays_maps"; + }; + "postfix/mysql_sender_relays_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -102,9 +98,8 @@ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) AND active = 1 ''; - } - { - dest = "postfix/mysql_sender_relays_hosts"; + }; + "postfix/mysql_sender_relays_hosts" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -122,9 +117,8 @@ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) AND active = 1 ''; - } - { - dest = "postfix/mysql_sender_relays_creds"; + }; + "postfix/mysql_sender_relays_creds" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; 
@@ -142,9 +136,8 @@ ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) AND active = 1 ''; - } - { - dest = "postfix/ldap_ejabberd_users_immae_fr"; + }; + "postfix/ldap_ejabberd_users_immae_fr" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -159,14 +152,13 @@ result_format = ejabberd@localhost version = 3 ''; - } - ] ++ (lib.mapAttrsToList (name: v: { - dest = "postfix/scripts/${name}-env"; + }; + } // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" { user = "postfixscripts"; group = "root"; permissions = "0400"; text = builtins.toJSON v.env; - }) config.myEnv.mail.scripts); + }) config.myEnv.mail.scripts; networking.firewall.allowedTCPPorts = [ 25 465 587 ]; diff --git a/modules/private/mail/relay.nix b/modules/private/mail/relay.nix index 651452c..668d365 100644 --- a/modules/private/mail/relay.nix +++ b/modules/private/mail/relay.nix @@ -13,9 +13,8 @@ mxs = map (zone: "${config.myEnv.servers."${name}".mx.subdomain}.${zone.name}") zonesWithMx; in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs); }; - secrets.keys = [ - { - dest = "postfix/mysql_alias_maps"; + secrets.keys = { + "postfix/mysql_alias_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -41,9 +40,8 @@ FROM forwardings_blacklisted WHERE source = '%s' ''; - } - { - dest = "postfix/ldap_mailboxes"; + }; + "postfix/ldap_mailboxes" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -57,9 +55,8 @@ result_format = dummy version = 3 ''; - } - { - dest = "postfix/sympa_mailbox_maps"; + }; + "postfix/sympa_mailbox_maps" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; 
@@ -82,9 +79,8 @@ CONCAT('abuse-feedback-report@', robot_list) ) ''; - } - { - dest = "postfix/ldap_ejabberd_users_immae_fr"; + }; + "postfix/ldap_ejabberd_users_immae_fr" = { user = config.services.postfix.user; group = config.services.postfix.group; permissions = "0440"; @@ -99,8 +95,8 @@ result_format = ejabberd@localhost version = 3 ''; - } - ]; + }; + }; networking.firewall.allowedTCPPorts = [ 25 ]; diff --git a/modules/private/mail/sympa.nix b/modules/private/mail/sympa.nix index 5270b69..920daa9 100644 --- a/modules/private/mail/sympa.nix +++ b/modules/private/mail/sympa.nix @@ -34,20 +34,19 @@ in ]; }; - secrets.keys = [ - { - dest = "sympa/db_password"; + secrets.keys = { + "sympa/db_password" = { permissions = "0400"; group = "sympa"; user = "sympa"; text = sympaConfig.postgresql.password; - } - ] - ++ lib.mapAttrsToList (n: v: { - dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; + }; + } + // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" { + permissions = "0400"; group = "sympa"; user = "sympa"; text = v; }) sympaConfig.data_sources - ++ lib.mapAttrsToList (n: v: { - dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; + // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" { + permissions = "0400"; group = "sympa"; user = "sympa"; text = v; }) sympaConfig.scenari; users.users.sympa.extraGroups = [ "keys" ]; systemd.slices.mail-sympa = { diff --git a/modules/private/monitoring/default.nix b/modules/private/monitoring/default.nix index cab9e7c..bdb5c93 100644 --- a/modules/private/monitoring/default.nix +++ b/modules/private/monitoring/default.nix 
@@ -199,18 +199,15 @@ in text = "MAILADDR ${config.myEnv.monitoring.email}"; }; - secrets.keys = [ - { - dest = "naemon/id_rsa"; + secrets.keys = { + "naemon/id_rsa" = { user = "naemon"; group = "naemon"; permissions = "0400"; text = config.myEnv.monitoring.ssh_secret_key; - } - ] ++ lib.optionals cfg.master ( - lib.mapAttrsToList (k: v: - { - dest = "${k}_access_key"; + }; + } // lib.optionalAttrs cfg.master ( + lib.mapAttrs' (k: v: lib.nameValuePair "${k}_access_key" { user = "naemon"; group = "naemon"; permissions = "0400"; diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix index 73f4749..ab0290c 100644 --- a/modules/private/monitoring/status.nix +++ b/modules/private/monitoring/status.nix @@ -12,17 +12,14 @@ }; }; config = lib.mkIf config.myServices.status.enable { - secrets.keys = [ - { - dest = "naemon-status/environment"; - user = "naemon"; - group = "naemon"; - permission = "0400"; - text = '' - TOKENS=${builtins.concatStringsSep " " config.myEnv.monitoring.nrdp_tokens} - ''; - } - ]; + secrets.keys."naemon-status/environment" = { + user = "naemon"; + group = "naemon"; + permissions = "0400"; + text = '' + TOKENS=${builtins.concatStringsSep " " config.myEnv.monitoring.nrdp_tokens} + ''; + }; services.nginx = { enable = true; recommendedOptimisation = true; diff --git a/modules/private/monitoring/status_engine.nix b/modules/private/monitoring/status_engine.nix index 8192a9d..39a753a 100644 --- a/modules/private/monitoring/status_engine.nix +++ b/modules/private/monitoring/status_engine.nix @@ -19,8 +19,7 @@ in }; }; - secrets.keys = [{ - dest = "status_engine"; + secrets.keys."status_engine" = { permissions = "0400"; user = "naemon"; group = "naemon"; @@ -87,7 +86,7 @@ in disable_http_proxy: 1 ''; - }]; + }; services.redis = rec { enable = true; diff --git a/modules/private/mpd.nix b/modules/private/mpd.nix index f2e87bb..7fa8fe9 100644 --- a/modules/private/mpd.nix +++ b/modules/private/mpd.nix 
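Review bot: The `permission` → `permissions` correction in `secrets.keys."naemon-status/environment"` is a mode change on a file carrying the NRDP tokens, not just a rename, and deserves a line in the commit message: under the old untyped list the misspelled key was ignored and the file got whatever the uploader defaulted to (not visible on this page), while the typed submodule now makes such typos an eval error. A short comment on the entry, `# holds NRDP tokens; keep 0400 (the old "permission" typo was silently ignored)`, would keep that history next to the value. The enclosing `config = lib.mkIf ...` block continues outside the hunk.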
@@ -5,22 +5,20 @@ services.duplyBackup.profiles.mpd = { rootDir = "/var/lib/mpd"; }; - secrets.keys = [ - { - dest = "mpd"; + secrets.keys = { + "mpd" = { permissions = "0400"; text = config.myEnv.mpd.password; - } - { - dest = "mpd-config"; + }; + "mpd-config" = { permissions = "0400"; user = "mpd"; group = "mpd"; text = '' password "${config.myEnv.mpd.password}@read,add,control,admin" ''; - } - ]; + }; + }; networking.firewall.allowedTCPPorts = [ 6600 ]; users.users.mpd.extraGroups = [ "wwwrun" "keys" ]; systemd.services.mpd.serviceConfig.RuntimeDirectory = "mpd"; diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix index ca9b6fc..ee5dda5 100644 --- a/modules/private/ssh/default.nix +++ b/modules/private/ssh/default.nix @@ -51,13 +51,12 @@ in AuthorizedKeysCommandUser nobody ''; - secrets.keys = [{ - dest = "ssh-ldap"; + secrets.keys."ssh-ldap" = { user = "nobody"; group = "nogroup"; permissions = "0400"; text = config.myEnv.sshd.ldap.password; - }]; + }; system.activationScripts.sshd = { deps = [ "secrets" ]; text = '' diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix index 181f455..c01a666 100644 --- a/modules/private/system/backup-2.nix +++ b/modules/private/system/backup-2.nix @@ -7,22 +7,20 @@ }; # ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ]; - secrets.keys = [ - { - dest = "rsync_backup/identity"; + secrets.keys = { + "rsync_backup/identity" = { user = "backup"; group = "backup"; permissions = "0400"; text = config.myEnv.rsync_backup.ssh_key.private; - } - { - dest = "rsync_backup/identity.pub"; + }; + "rsync_backup/identity.pub" = { user = "backup"; group = "backup"; permissions = "0444"; text = config.myEnv.rsync_backup.ssh_key.public; - } - ]; + }; + }; boot.kernelPackages = pkgs.linuxPackages_latest; myEnv = import ../../../nixops/secrets/environment.nix; 
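Review bot: The `"mpd"` entry sets `permissions = "0400"` but no `user`/`group`, so its owner is whatever the secrets module defaults to (presumably root), and nothing in the hunk says which process reads it; a one-line comment such as `# read as root by <consumer>` would make the intended reader explicit. The same applies to `ldap/sync_password` and `ldap/ldaptree.ldif` in modules/private/system/quatresaisons.nix. In the ssh hunk on this line the LDAP bind password is owned by `nobody`, an account shared with other unprivileged services; that predates the commit, but a dedicated user for the AuthorizedKeysCommand would narrow who can read that file.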
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix index 0830f18..2c339a5 100644 --- a/modules/private/system/eldiron.nix +++ b/modules/private/system/eldiron.nix @@ -126,9 +126,8 @@ services.netdata.config.web.mode = "none"; users.users."${config.services.netdata.user}".extraGroups = [ "keys" ]; environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf"; - secrets.keys = [ - { - dest = "netdata-stream.conf"; + secrets.keys = { + "netdata-stream.conf" = { user = config.services.netdata.user; group = config.services.netdata.group; permissions = "0400"; @@ -138,15 +137,14 @@ destination = ${config.myEnv.monitoring.netdata_aggregator} api key = ${config.myEnv.monitoring.netdata_keys.eldiron} ''; - } - { - dest = "zrepl_backup/identity"; + }; + "zrepl_backup/identity" = { user = "root"; group = "root"; permissions = "0400"; text = config.myEnv.zrepl_backup.ssh_key.private; - } - ]; + }; + }; programs.ssh.knownHosts.dilion = { hostNames = ["dilion.immae.eu"]; publicKey = let diff --git a/modules/private/system/monitoring-1.nix b/modules/private/system/monitoring-1.nix index 91d30fd..dea5f45 100644 --- a/modules/private/system/monitoring-1.nix +++ b/modules/private/system/monitoring-1.nix @@ -45,9 +45,8 @@ networking.firewall.allowedTCPPorts = [ 19999 ]; environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf"; - secrets.keys = [ - { - dest = "netdata-stream.conf"; + secrets.keys = { + "netdata-stream.conf" = { user = config.services.netdata.user; group = config.services.netdata.group; permissions = "0400"; @@ -58,8 +57,8 @@ default memory = ram health enabled by default = auto '') config.myEnv.monitoring.netdata_keys); - } - ]; + }; + }; users.users."${config.services.netdata.user}".extraGroups = [ "keys" ]; # This value determines the NixOS release with which your system is # to be compatible, in order to avoid breaking some software such as 
diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix index 491e215..82db70f 100644 --- a/modules/private/system/quatresaisons.nix +++ b/modules/private/system/quatresaisons.nix @@ -254,14 +254,12 @@ in ''; }; - secrets.keys = [ - { - dest = "ldap/sync_password"; + secrets.keys = { + "ldap/sync_password" = { permissions = "0400"; text = serverSpecificConfig.ldap_sync_password; - } - { - dest = "ldap/ldaptree.ldif"; + }; + "ldap/ldaptree.ldif" = { permissions = "0400"; text = serverSpecificConfig.ldap_service_users + (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: '' @@ -272,8 +270,8 @@ in sn: ${n} uid: ${n} '') normalUsers)); - } - ]; + }; + }; myServices.monitoring.enable = true; myServices.certificates.enable = true; diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix index 68ce274..f7b27e0 100644 --- a/modules/private/system/quatresaisons/databases.nix +++ b/modules/private/system/quatresaisons/databases.nix @@ -9,16 +9,14 @@ services.postgresql.ensureUsers = [ { name = "naemon"; } ]; - secrets.keys = [ - { - dest = "ldap/password"; + secrets.keys = { + "ldap/password" = { permissions = "0400"; user = "openldap"; group = "openldap"; text = "rootpw ${serverSpecificConfig.ldap_root_pw}"; - } - { - dest = "webapps/tools-ldap"; + }; + "webapps/tools-ldap" = { user = "wwwrun"; group = "wwwrun"; permissions = "0400"; @@ -42,8 +40,8 @@ $servers->setValue('login','attr','uid'); $servers->setValue('login','fallback_dn',true); ''; - } - ]; + }; + }; users.users.openldap.extraGroups = [ "keys" ]; services.openldap = { diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index b3f1b7b..ac2aa21 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix 
@@ -95,9 +95,8 @@ in { ''; }; - secrets.keys = [ - { - dest = "webapps/tools-taskwarrior-web"; + secrets.keys = { + "webapps/tools-taskwarrior-web" = { user = "wwwrun"; group = "wwwrun"; permissions = "0400"; @@ -110,9 +109,8 @@ in { SetEnv TASKD_LDAP_BASE "${env.ldap.base}" SetEnv TASKD_LDAP_FILTER "${env.ldap.filter}" ''; - } - ] ++ (lib.mapAttrsToList (name: userConfig: { - dest = "webapps/tools-taskwarrior/${name}-taskrc"; + }; + } // (lib.mapAttrs' (name: userConfig: lib.nameValuePair "webapps/tools-taskwarrior/${name}-taskrc" { inherit user group; permissions = "0400"; text = let diff --git a/modules/private/vpn/default.nix b/modules/private/vpn/default.nix index a9051af..d4b197d 100644 --- a/modules/private/vpn/default.nix +++ b/modules/private/vpn/default.nix @@ -8,22 +8,20 @@ in }; config = lib.mkIf cfg.enable { - secrets.keys = [ - { - dest = "tinc/key.priv"; + secrets.keys = { + "tinc/key.priv" = { user = "root"; group = "root"; permissions = "0400"; text = config.myEnv.vpn.eldiron.privateKey; - } - { - dest = "tinc/key.pub"; + }; + "tinc/key.pub" = { user = "root"; group = "root"; permissions = "0400"; text = config.myEnv.vpn.eldiron.publicKey; - } - ]; + }; + }; networking.firewall.allowedTCPPorts = [ 655 1194 ]; system.activationScripts.tinc = let configFiles = pkgs.runCommand "tinc-files" { diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix index ffae6ec..c4b79f8 100644 --- a/modules/private/websites/chloe/integration.nix +++ b/modules/private/websites/chloe/integration.nix 
@@ -15,29 +15,26 @@ in { config = lib.mkIf cfg.enable { services.duplyBackup.profiles.chloe_integration.rootDir = app.varDir; - secrets.keys = [ - { - dest = "websites/chloe/integration"; - user = apacheUser; - group = apacheGroup; - permissions = "0400"; - text = '' - SetEnv SPIP_CONFIG_DIR "${./config}" - SetEnv SPIP_VAR_DIR "${app.varDir}" - SetEnv SPIP_SITE "chloe-${app.environment}" - SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" - SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" - SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}" - SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}" - SetEnv SPIP_LDAP_SEARCH "${ccfg.ldap.filter}" - SetEnv SPIP_MYSQL_HOST "${ccfg.mysql.host}" - SetEnv SPIP_MYSQL_PORT "${ccfg.mysql.port}" - SetEnv SPIP_MYSQL_DB "${ccfg.mysql.database}" - SetEnv SPIP_MYSQL_USER "${ccfg.mysql.user}" - SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}" - ''; - } - ]; + secrets.keys."websites/chloe/integration" = { + user = apacheUser; + group = apacheGroup; + permissions = "0400"; + text = '' + SetEnv SPIP_CONFIG_DIR "${./config}" + SetEnv SPIP_VAR_DIR "${app.varDir}" + SetEnv SPIP_SITE "chloe-${app.environment}" + SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" + SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" + SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}" + SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}" + SetEnv SPIP_LDAP_SEARCH "${ccfg.ldap.filter}" + SetEnv SPIP_MYSQL_HOST "${ccfg.mysql.host}" + SetEnv SPIP_MYSQL_PORT "${ccfg.mysql.port}" + SetEnv SPIP_MYSQL_DB "${ccfg.mysql.database}" + SetEnv SPIP_MYSQL_USER "${ccfg.mysql.user}" + SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}" + ''; + }; systemd.services.phpfpm-chloe_integration.after = lib.mkAfter [ "mysql.service" ]; systemd.services.phpfpm-chloe_integration.wants = [ "mysql.service" ]; services.phpfpm.pools.chloe_integration = { diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix index 7f8f1de..92ae05b 100644 
--- a/modules/private/websites/chloe/production.nix +++ b/modules/private/websites/chloe/production.nix @@ -16,29 +16,26 @@ in { config = lib.mkIf cfg.enable { services.duplyBackup.profiles.chloe_production.rootDir = app.varDir; services.duplyBackup.profiles.chloe_production.remotes = ["eriomem" "ovh"]; - secrets.keys = [ - { - dest = "websites/chloe/production"; - user = apacheUser; - group = apacheGroup; - permissions = "0400"; - text = '' - SetEnv SPIP_CONFIG_DIR "${./config}" - SetEnv SPIP_VAR_DIR "${app.varDir}" - SetEnv SPIP_SITE "chloe-${app.environment}" - SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" - SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" - SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}" - SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}" - SetEnv SPIP_LDAP_SEARCH "${ccfg.ldap.filter}" - SetEnv SPIP_MYSQL_HOST "${ccfg.mysql.host}" - SetEnv SPIP_MYSQL_PORT "${ccfg.mysql.port}" - SetEnv SPIP_MYSQL_DB "${ccfg.mysql.database}" - SetEnv SPIP_MYSQL_USER "${ccfg.mysql.user}" - SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}" - ''; - } - ]; + secrets.keys."websites/chloe/production" = { + user = apacheUser; + group = apacheGroup; + permissions = "0400"; + text = '' + SetEnv SPIP_CONFIG_DIR "${./config}" + SetEnv SPIP_VAR_DIR "${app.varDir}" + SetEnv SPIP_SITE "chloe-${app.environment}" + SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" + SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" + SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}" + SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}" + SetEnv SPIP_LDAP_SEARCH "${ccfg.ldap.filter}" + SetEnv SPIP_MYSQL_HOST "${ccfg.mysql.host}" + SetEnv SPIP_MYSQL_PORT "${ccfg.mysql.port}" + SetEnv SPIP_MYSQL_DB "${ccfg.mysql.database}" + SetEnv SPIP_MYSQL_USER "${ccfg.mysql.user}" + SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}" + ''; + }; services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ]; systemd.services.phpfpm-chloe_production.after = lib.mkAfter [ "mysql.service" ]; 
diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix index f5b1a16..1b3587a 100644 --- a/modules/private/websites/connexionswing/integration.nix +++ b/modules/private/websites/connexionswing/integration.nix @@ -47,31 +47,28 @@ in { phpPackage = pkgs.php72; }; - secrets.keys = [ - { - dest = "websites/connexionswing/integration"; - user = config.services.httpd.Inte.user; - group = config.services.httpd.Inte.group; - permissions = "0400"; - text = '' - # This file is auto-generated during the composer install - parameters: - database_host: ${secrets.mysql.host} - database_port: ${secrets.mysql.port} - database_name: ${secrets.mysql.database} - database_user: ${secrets.mysql.user} - database_password: ${secrets.mysql.password} - database_server_version: ${pkgs.mariadb.mysqlVersion} - mailer_transport: sendmail - mailer_host: null - mailer_user: null - mailer_password: null - subscription_email: ${secrets.email} - allow_robots: true - secret: ${secrets.secret} - ''; - } - ]; + secrets.keys."websites/connexionswing/integration" = { + user = config.services.httpd.Inte.user; + group = config.services.httpd.Inte.group; + permissions = "0400"; + text = '' + # This file is auto-generated during the composer install + parameters: + database_host: ${secrets.mysql.host} + database_port: ${secrets.mysql.port} + database_name: ${secrets.mysql.database} + database_user: ${secrets.mysql.user} + database_password: ${secrets.mysql.password} + database_server_version: ${pkgs.mariadb.mysqlVersion} + mailer_transport: sendmail + mailer_host: null + mailer_user: null + mailer_password: null + subscription_email: ${secrets.email} + allow_robots: true + secret: ${secrets.secret} + ''; + }; services.websites.env.integration.vhostConfs.connexionswing_integration = { certName = "integration"; 
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix
index f6a059d..981e95e 100644
--- a/modules/private/websites/connexionswing/production.nix
+++ b/modules/private/websites/connexionswing/production.nix
@@ -48,35 +48,32 @@ in { phpPackage = pkgs.php72; }; - secrets.keys = [ - { - dest = "websites/connexionswing/production"; - user = config.services.httpd.Prod.user; - group = config.services.httpd.Prod.group; - permissions = "0400"; - text = '' - # This file is auto-generated during the composer install - parameters: - database_host: ${secrets.mysql.host} - database_port: ${secrets.mysql.port} - database_name: ${secrets.mysql.database} - database_user: ${secrets.mysql.user} - database_password: ${secrets.mysql.password} - database_server_version: ${pkgs.mariadb.mysqlVersion} - mailer_transport: sendmail - mailer_host: null - mailer_user: null - mailer_password: null - subscription_email: ${secrets.email} - allow_robots: true - secret: ${secrets.secret} - services: - swiftmailer.mailer.default.transport: - class: Swift_SendmailTransport - arguments: ['/run/wrappers/bin/sendmail -bs'] - ''; - } - ]; + secrets.keys."websites/connexionswing/production" = { + user = config.services.httpd.Prod.user; + group = config.services.httpd.Prod.group; + permissions = "0400"; + text = '' + # This file is auto-generated during the composer install + parameters: + database_host: ${secrets.mysql.host} + database_port: ${secrets.mysql.port} + database_name: ${secrets.mysql.database} + database_user: ${secrets.mysql.user} + database_password: ${secrets.mysql.password} + database_server_version: ${pkgs.mariadb.mysqlVersion} + mailer_transport: sendmail + mailer_host: null + mailer_user: null + mailer_password: null + subscription_email: ${secrets.email} + allow_robots: true + secret: ${secrets.secret} + services: + swiftmailer.mailer.default.transport: + class: Swift_SendmailTransport + arguments: ['/run/wrappers/bin/sendmail -bs'] + ''; + }; services.websites.env.production.vhostConfs.connexionswing_production = { certName = "connexionswing"; diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix index 8fb6a4d..e819324 100644 
--- a/modules/private/websites/default.nix +++ b/modules/private/websites/default.nix @@ -109,8 +109,7 @@ in users.users.wwwrun.extraGroups = [ "keys" ]; networking.firewall.allowedTCPPorts = [ 80 443 ]; - secrets.keys = [{ - dest = "apache-ldap"; + secrets.keys."apache-ldap" = { user = "wwwrun"; group = "wwwrun"; permissions = "0400"; @@ -126,7 +125,7 @@ in ''; - }]; + }; system.activationScripts = { httpd = '' diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix index 14358d8..87e622a 100644 --- a/modules/private/websites/florian/app.nix +++ b/modules/private/websites/florian/app.nix @@ -46,18 +46,16 @@ in { phpPackage = pkgs.php72; }; - secrets.keys = [ - { - dest = "websites/florian/app_passwords"; + secrets.keys = { + "websites/florian/app_passwords" = { user = config.services.httpd.Inte.user; group = config.services.httpd.Inte.group; permissions = "0400"; text = '' invite:${secrets.invite_passwords} ''; - } - { - dest = "websites/florian/app"; + }; + "websites/florian/app" = { user = config.services.httpd.Inte.user; group = config.services.httpd.Inte.group; permissions = "0400"; @@ -75,8 +73,8 @@ in { mailer_password: null secret: ${secrets.secret} ''; - } - ]; + }; + }; services.websites.env.integration.modules = adminer.apache.modules; services.websites.env.integration.vhostConfs.florian_app = { diff --git a/modules/private/websites/immae/temp.nix b/modules/private/websites/immae/temp.nix index 8518283..61ed9cf 100644 --- a/modules/private/websites/immae/temp.nix +++ b/modules/private/websites/immae/temp.nix 
@@ -28,24 +28,21 @@ in { '' ]; }; - secrets.keys = [ - { - dest = "webapps/surfer"; - permissions = "0400"; - user = "wwwrun"; - group = "wwwrun"; - text = '' - CLOUDRON_LDAP_URL=ldaps://${env.ldap.host} - CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base} - TOKENSTORE_FILE=/var/lib/surfer/tokens.json - CLOUDRON_LDAP_BIND_DN=${env.ldap.dn} - CLOUDRON_LDAP_BIND_PASSWORD=${env.ldap.password} - CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base} - CLOUDRON_LDAP_FILTER="${env.ldap.filter}" - LISTEN=/run/surfer/listen.sock - ''; - } - ]; + secrets.keys."webapps/surfer" = { + permissions = "0400"; + user = "wwwrun"; + group = "wwwrun"; + text = '' + CLOUDRON_LDAP_URL=ldaps://${env.ldap.host} + CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base} + TOKENSTORE_FILE=/var/lib/surfer/tokens.json + CLOUDRON_LDAP_BIND_DN=${env.ldap.dn} + CLOUDRON_LDAP_BIND_PASSWORD=${env.ldap.password} + CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base} + CLOUDRON_LDAP_FILTER="${env.ldap.filter}" + LISTEN=/run/surfer/listen.sock + ''; + }; systemd.services.surfer = { description = "Surfer"; diff --git a/modules/private/websites/isabelle/aten_integration.nix b/modules/private/websites/isabelle/aten_integration.nix index 6f8f985..899ee66 100644 --- a/modules/private/websites/isabelle/aten_integration.nix +++ b/modules/private/websites/isabelle/aten_integration.nix @@ -41,8 +41,7 @@ in { phpPackage = pkgs.php72; }; - secrets.keys = [{ - dest = "websites/isabelle/aten_integration"; + secrets.keys."websites/isabelle/aten_integration" = { user = config.services.httpd.Inte.user; group = config.services.httpd.Inte.group; permissions = "0400"; @@ -56,7 +55,7 @@ in { SetEnv APP_SECRET "${secrets.secret}" SetEnv DATABASE_URL "${psql_url}" ''; - }]; + }; services.websites.env.integration.vhostConfs.isabelle_aten_integration = { certName = "integration"; addToCerts = true; diff --git a/modules/private/websites/isabelle/aten_production.nix b/modules/private/websites/isabelle/aten_production.nix index 3671712..b8d12b9 100644 
--- a/modules/private/websites/isabelle/aten_production.nix +++ b/modules/private/websites/isabelle/aten_production.nix @@ -42,8 +42,7 @@ in { phpPackage = pkgs.php72; }; - secrets.keys = [{ - dest = "websites/isabelle/aten_production"; + secrets.keys."websites/isabelle/aten_production" = { user = config.services.httpd.Prod.user; group = config.services.httpd.Prod.group; permissions = "0400"; @@ -57,7 +56,7 @@ in { SetEnv APP_SECRET "${secrets.secret}" SetEnv DATABASE_URL "${psql_url}" ''; - }]; + }; services.websites.env.production.vhostConfs.isabelle_aten_production = { certName = "isabelle"; certMainHost = "aten.pro"; diff --git a/modules/private/websites/isabelle/iridologie.nix b/modules/private/websites/isabelle/iridologie.nix index 14296bf..decda36 100644 --- a/modules/private/websites/isabelle/iridologie.nix +++ b/modules/private/websites/isabelle/iridologie.nix 
@@ -18,29 +18,26 @@ in { config = lib.mkIf cfg.enable { services.duplyBackup.profiles.isabelle_iridologie.rootDir = app.varDir; services.duplyBackup.profiles.isabelle_iridologie.remotes = ["eriomem" "ovh"]; - secrets.keys = [ - { - dest = "websites/isabelle/iridologie"; - user = apacheUser; - group = apacheGroup; - permissions = "0400"; - text = '' - SetEnv SPIP_CONFIG_DIR "${./config}" - SetEnv SPIP_VAR_DIR "${app.varDir}" - SetEnv SPIP_SITE "iridologie-${app.environment}" - SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" - SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" - SetEnv SPIP_LDAP_SEARCH_DN "${icfg.ldap.dn}" - SetEnv SPIP_LDAP_SEARCH_PW "${icfg.ldap.password}" - SetEnv SPIP_LDAP_SEARCH "${icfg.ldap.filter}" - SetEnv SPIP_MYSQL_HOST "${icfg.mysql.host}" - SetEnv SPIP_MYSQL_PORT "${icfg.mysql.port}" - SetEnv SPIP_MYSQL_DB "${icfg.mysql.database}" - SetEnv SPIP_MYSQL_USER "${icfg.mysql.user}" - SetEnv SPIP_MYSQL_PASSWORD "${icfg.mysql.password}" - ''; - } - ]; + secrets.keys."websites/isabelle/iridologie" = { + user = apacheUser; + group = apacheGroup; + permissions = "0400"; + text = '' + SetEnv SPIP_CONFIG_DIR "${./config}" + SetEnv SPIP_VAR_DIR "${app.varDir}" + SetEnv SPIP_SITE "iridologie-${app.environment}" + SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" + SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" + SetEnv SPIP_LDAP_SEARCH_DN "${icfg.ldap.dn}" + SetEnv SPIP_LDAP_SEARCH_PW "${icfg.ldap.password}" + SetEnv SPIP_LDAP_SEARCH "${icfg.ldap.filter}" + SetEnv SPIP_MYSQL_HOST "${icfg.mysql.host}" + SetEnv SPIP_MYSQL_PORT "${icfg.mysql.port}" + SetEnv SPIP_MYSQL_DB "${icfg.mysql.database}" + SetEnv SPIP_MYSQL_USER "${icfg.mysql.user}" + SetEnv SPIP_MYSQL_PASSWORD "${icfg.mysql.password}" + ''; + }; services.webstats.sites = [ { name = "iridologie.icommandeur.org"; } ]; systemd.services.phpfpm-isabelle_iridologie.after = lib.mkAfter [ "mysql.service" ]; 
diff --git a/modules/private/websites/jerome/naturaloutil.nix b/modules/private/websites/jerome/naturaloutil.nix index 95d7e78..0974ce3 100644 --- a/modules/private/websites/jerome/naturaloutil.nix +++ b/modules/private/websites/jerome/naturaloutil.nix @@ -15,8 +15,7 @@ in { security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; - secrets.keys = [{ - dest = "websites/jerome/naturaloutil"; + secrets.keys."websites/jerome/naturaloutil" = { user = apacheUser; group = apacheGroup; permissions = "0400"; @@ -35,7 +34,7 @@ in { $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password); ?> ''; - }]; + }; system.activationScripts.jerome_naturaloutil = { deps = [ "httpd" ]; text = '' diff --git a/modules/private/websites/ludivine/integration.nix b/modules/private/websites/ludivine/integration.nix index 4357b93..cfef385 100644 --- a/modules/private/websites/ludivine/integration.nix +++ b/modules/private/websites/ludivine/integration.nix 
@@ -50,44 +50,41 @@ in { phpPackage = pkgs.php72; }; - secrets.keys = [ - { - dest = "websites/ludivine/integration"; - user = config.services.httpd.Inte.user; - group = config.services.httpd.Inte.group; - permissions = "0400"; - text = '' - # This file is auto-generated during the composer install - parameters: - database_host: ${secrets.mysql.host} - database_port: ${secrets.mysql.port} - database_name: ${secrets.mysql.database} - database_user: ${secrets.mysql.user} - database_password: ${secrets.mysql.password} - database_server_version: ${pkgs.mariadb.mysqlVersion} - mailer_transport: smtp - mailer_host: 127.0.0.1 - mailer_user: null - mailer_password: null - secret: ${secrets.secret} - ldap_host: ldap.immae.eu - ldap_port: 636 - ldap_version: 3 - ldap_ssl: true - ldap_tls: false - ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu' - ldap_base_dn: 'dc=immae,dc=eu' - ldap_search_dn: '${secrets.ldap.dn}' - ldap_search_password: '${secrets.ldap.password}' - ldap_search_filter: '${secrets.ldap.filter}' - leapt_im: - binary_path: ${pkgs.imagemagick}/bin - assetic: - sass: ${pkgs.sass}/bin/sass - ruby: ${pkgs.ruby}/bin/ruby - ''; - } - ]; + secrets.keys."websites/ludivine/integration" = { + user = config.services.httpd.Inte.user; + group = config.services.httpd.Inte.group; + permissions = "0400"; + text = '' + # This file is auto-generated during the composer install + parameters: + database_host: ${secrets.mysql.host} + database_port: ${secrets.mysql.port} + database_name: ${secrets.mysql.database} + database_user: ${secrets.mysql.user} + database_password: ${secrets.mysql.password} + database_server_version: ${pkgs.mariadb.mysqlVersion} + mailer_transport: smtp + mailer_host: 127.0.0.1 + mailer_user: null + mailer_password: null + secret: ${secrets.secret} + ldap_host: ldap.immae.eu + ldap_port: 636 + ldap_version: 3 + ldap_ssl: true + ldap_tls: false + ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu' + ldap_base_dn: 'dc=immae,dc=eu' + 
ldap_search_dn: '${secrets.ldap.dn}' + ldap_search_password: '${secrets.ldap.password}' + ldap_search_filter: '${secrets.ldap.filter}' + leapt_im: + binary_path: ${pkgs.imagemagick}/bin + assetic: + sass: ${pkgs.sass}/bin/sass + ruby: ${pkgs.ruby}/bin/ruby + ''; + }; services.websites.env.integration.vhostConfs.ludivine_integration = { certName = "integration"; diff --git a/modules/private/websites/ludivine/production.nix b/modules/private/websites/ludivine/production.nix index 3a9895d..73b63a2 100644 --- a/modules/private/websites/ludivine/production.nix +++ b/modules/private/websites/ludivine/production.nix 
@@ -53,44 +53,41 @@ in { phpPackage = pkgs.php72; }; - secrets.keys = [ - { - dest = "websites/ludivine/production"; - user = config.services.httpd.Prod.user; - group = config.services.httpd.Prod.group; - permissions = "0400"; - text = '' - # This file is auto-generated during the composer install - parameters: - database_host: ${secrets.mysql.host} - database_port: ${secrets.mysql.port} - database_name: ${secrets.mysql.database} - database_user: ${secrets.mysql.user} - database_password: ${secrets.mysql.password} - database_server_version: ${pkgs.mariadb.mysqlVersion} - mailer_transport: smtp - mailer_host: 127.0.0.1 - mailer_user: null - mailer_password: null - secret: ${secrets.secret} - ldap_host: ldap.immae.eu - ldap_port: 636 - ldap_version: 3 - ldap_ssl: true - ldap_tls: false - ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu' - ldap_base_dn: 'dc=immae,dc=eu' - ldap_search_dn: '${secrets.ldap.dn}' - ldap_search_password: '${secrets.ldap.password}' - ldap_search_filter: '${secrets.ldap.filter}' - leapt_im: - binary_path: ${pkgs.imagemagick}/bin - assetic: - sass: ${pkgs.sass}/bin/sass - ruby: ${pkgs.ruby}/bin/ruby - ''; - } - ]; + secrets.keys."websites/ludivine/production" = { + user = config.services.httpd.Prod.user; + group = config.services.httpd.Prod.group; + permissions = "0400"; + text = '' + # This file is auto-generated during the composer install + parameters: + database_host: ${secrets.mysql.host} + database_port: ${secrets.mysql.port} + database_name: ${secrets.mysql.database} + database_user: ${secrets.mysql.user} + database_password: ${secrets.mysql.password} + database_server_version: ${pkgs.mariadb.mysqlVersion} + mailer_transport: smtp + mailer_host: 127.0.0.1 + mailer_user: null + mailer_password: null + secret: ${secrets.secret} + ldap_host: ldap.immae.eu + ldap_port: 636 + ldap_version: 3 + ldap_ssl: true + ldap_tls: false + ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu' + ldap_base_dn: 'dc=immae,dc=eu' + ldap_search_dn: 
'${secrets.ldap.dn}' + ldap_search_password: '${secrets.ldap.password}' + ldap_search_filter: '${secrets.ldap.filter}' + leapt_im: + binary_path: ${pkgs.imagemagick}/bin + assetic: + sass: ${pkgs.sass}/bin/sass + ruby: ${pkgs.ruby}/bin/ruby + ''; + }; services.websites.env.production.vhostConfs.ludivine_production = { certName = "ludivine"; diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix index dc98900..f501eba 100644 --- a/modules/private/websites/piedsjaloux/integration.nix +++ b/modules/private/websites/piedsjaloux/integration.nix 
@@ -52,32 +52,29 @@ in { phpPackage = pkgs.php72; }; - secrets.keys = [ - { - dest = "websites/piedsjaloux/integration"; - user = config.services.httpd.Inte.user; - group = config.services.httpd.Inte.group; - permissions = "0400"; - text = '' - # This file is auto-generated during the composer install - parameters: - database_host: ${secrets.mysql.host} - database_port: ${secrets.mysql.port} - database_name: ${secrets.mysql.database} - database_user: ${secrets.mysql.user} - database_password: ${secrets.mysql.password} - database_server_version: ${pkgs.mariadb.mysqlVersion} - mailer_transport: smtp - mailer_host: 127.0.0.1 - mailer_user: null - mailer_password: null - secret: ${secrets.secret} - pdflatex: "${texlive}/bin/pdflatex" - leapt_im: - binary_path: ${pkgs.imagemagick}/bin - ''; - } - ]; + secrets.keys."websites/piedsjaloux/integration" = { + user = config.services.httpd.Inte.user; + group = config.services.httpd.Inte.group; + permissions = "0400"; + text = '' + # This file is auto-generated during the composer install + parameters: + database_host: ${secrets.mysql.host} + database_port: ${secrets.mysql.port} + database_name: ${secrets.mysql.database} + database_user: ${secrets.mysql.user} + database_password: ${secrets.mysql.password} + database_server_version: ${pkgs.mariadb.mysqlVersion} + mailer_transport: smtp + mailer_host: 127.0.0.1 + mailer_user: null + mailer_password: null + secret: ${secrets.secret} + pdflatex: "${texlive}/bin/pdflatex" + leapt_im: + binary_path: ${pkgs.imagemagick}/bin + ''; + }; services.websites.env.integration.vhostConfs.piedsjaloux_integration = { certName = "integration"; diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix index e12b046..fed5a0f 100644 --- a/modules/private/websites/piedsjaloux/production.nix +++ b/modules/private/websites/piedsjaloux/production.nix 
@@ -55,32 +55,29 @@ in { phpPackage = pkgs.php72; }; - secrets.keys = [ - { - dest = "websites/piedsjaloux/production"; - user = config.services.httpd.Prod.user; - group = config.services.httpd.Prod.group; - permissions = "0400"; - text = '' - # This file is auto-generated during the composer install - parameters: - database_host: ${secrets.mysql.host} - database_port: ${secrets.mysql.port} - database_name: ${secrets.mysql.database} - database_user: ${secrets.mysql.user} - database_password: ${secrets.mysql.password} - database_server_version: ${pkgs.mariadb.mysqlVersion} - mailer_transport: smtp - mailer_host: 127.0.0.1 - mailer_user: null - mailer_password: null - secret: ${secrets.secret} - pdflatex: "${texlive}/bin/pdflatex" - leapt_im: - binary_path: ${pkgs.imagemagick}/bin - ''; - } - ]; + secrets.keys."websites/piedsjaloux/production" = { + user = config.services.httpd.Prod.user; + group = config.services.httpd.Prod.group; + permissions = "0400"; + text = '' + # This file is auto-generated during the composer install + parameters: + database_host: ${secrets.mysql.host} + database_port: ${secrets.mysql.port} + database_name: ${secrets.mysql.database} + database_user: ${secrets.mysql.user} + database_password: ${secrets.mysql.password} + database_server_version: ${pkgs.mariadb.mysqlVersion} + mailer_transport: smtp + mailer_host: 127.0.0.1 + mailer_user: null + mailer_password: null + secret: ${secrets.secret} + pdflatex: "${texlive}/bin/pdflatex" + leapt_im: + binary_path: ${pkgs.imagemagick}/bin + ''; + }; services.websites.env.production.vhostConfs.piedsjaloux_production = { certName = "piedsjaloux"; diff --git a/modules/private/websites/richie/production.nix b/modules/private/websites/richie/production.nix index 2d85175..3efa9f0 100644 --- a/modules/private/websites/richie/production.nix +++ b/modules/private/websites/richie/production.nix 
@@ -29,8 +29,7 @@ in services.duplyBackup.profiles.richie_production.remotes = ["eriomem" "ovh"]; services.webstats.sites = [ { name = "europe-richie.org"; } ]; - secrets.keys = [{ - dest = "websites/richie/production"; + secrets.keys."websites/richie/production" = { user = apacheUser; group = apacheGroup; permissions = "0400"; @@ -48,7 +47,7 @@ in $smtp_mailer->Auth('${smtp_mailer.user}', '${smtp_mailer.password}'); ?> ''; - }]; + }; services.websites.webappDirs.richie_production = richieSrc; system.activationScripts.richie_production = { deps = [ "httpd" ]; diff --git a/modules/private/websites/syden/peertube.nix b/modules/private/websites/syden/peertube.nix index aa465d7..4036eac 100644 --- a/modules/private/websites/syden/peertube.nix +++ b/modules/private/websites/syden/peertube.nix @@ -23,8 +23,7 @@ in }; users.groups.peertube.gid = config.ids.gids.peertube; - secrets.keys = [{ - dest = "websites/syden/peertube"; + secrets.keys."websites/syden/peertube" = { user = "peertube"; group = "peertube"; permissions = "0640"; @@ -67,7 +66,7 @@ in plugins: '${dataDir}/storage/plugins/' client_overrides: '${dataDir}/storage/client-overrides/' ''; - }]; + }; services.filesWatcher.syden_peertube = { restart = true; diff --git a/modules/private/websites/tools/cloud/default.nix b/modules/private/websites/tools/cloud/default.nix index 471858a..fc0aae6 100644 --- a/modules/private/websites/tools/cloud/default.nix +++ b/modules/private/websites/tools/cloud/default.nix @@ -73,8 +73,7 @@ in { ]; }; - secrets.keys = [{ - dest = "webapps/tools-nextcloud"; + secrets.keys."webapps/tools-nextcloud" = { user = "wwwrun"; group = "wwwrun"; permissions = "0600"; @@ -133,7 +132,7 @@ in { 'has_rebuilt_cache' => true, ); ''; - }]; + }; users.users.root.packages = let occ = pkgs.writeScriptBin "nextcloud-occ" '' #! ${pkgs.stdenv.shell} diff --git a/modules/private/websites/tools/commento/default.nix b/modules/private/websites/tools/commento/default.nix index d0e7d24..c36255b 100644 
--- a/modules/private/websites/tools/commento/default.nix +++ b/modules/private/websites/tools/commento/default.nix @@ -12,10 +12,9 @@ in enable = lib.mkEnableOption "Enable commento website"; }; config = lib.mkIf cfg.enable { - secrets.keys = [ - { - dest = "commento/env"; - permission = "0400"; + secrets.keys = { + "commento/env" = { + permissions = "0400"; text = '' COMMENTO_ORIGIN=https://commento.immae.eu/ COMMENTO_PORT=${port} @@ -29,8 +28,8 @@ in COMMENTO_SMTP_PASSWORD=${env.smtp.password} COMMENTO_SMTP_FROM_ADDRESS=${env.smtp.email} ''; - } - ]; + }; + }; services.websites.env.tools.vhostConfs.commento = { certName = "eldiron"; diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix index eeac1b5..9e4056a 100644 --- a/modules/private/websites/tools/dav/davical.nix +++ b/modules/private/websites/tools/dav/davical.nix @@ -6,8 +6,7 @@ rec { install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/davical ''; }; - keys = [{ - dest = "webapps/dav-davical"; + keys."webapps/dav-davical" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -64,7 +63,7 @@ rec { $c->do_not_sync_from_ldap = array('admin' => true); include('drivers_ldap.php'); ''; - }]; + }; webapp = davical.override { davical_config = config.secrets.fullPaths."webapps/dav-davical"; }; webRoot = "${webapp}/htdocs"; apache = rec { diff --git a/modules/private/websites/tools/diaspora/default.nix b/modules/private/websites/tools/diaspora/default.nix index 663fe88..9119ead 100644 --- a/modules/private/websites/tools/diaspora/default.nix +++ b/modules/private/websites/tools/diaspora/default.nix 
@@ -16,16 +16,14 @@ in { }; users.users.diaspora.extraGroups = [ "keys" ]; - secrets.keys = [ - { - dest = "webapps/diaspora"; + secrets.keys = { + "webapps/diaspora" = { isDir = true; user = "diaspora"; group = "diaspora"; permissions = "0500"; - } - { - dest = "webapps/diaspora/diaspora.yml"; + }; + "webapps/diaspora/diaspora.yml" = { user = "diaspora"; group = "diaspora"; permissions = "0400"; @@ -102,9 +100,8 @@ in { development: environment: ''; - } - { - dest = "webapps/diaspora/database.yml"; + }; + "webapps/diaspora/database.yml" = { user = "diaspora"; group = "diaspora"; permissions = "0400"; @@ -136,17 +133,16 @@ in { <<: *combined database: diaspora_integration2 ''; - } - { - dest = "webapps/diaspora/secret_token.rb"; + }; + "webapps/diaspora/secret_token.rb" = { user = "diaspora"; group = "diaspora"; permissions = "0400"; text = '' Diaspora::Application.config.secret_key_base = '${env.secret_token}' ''; - } - ]; + }; + }; services.diaspora = { enable = true; diff --git a/modules/private/websites/tools/ether/default.nix b/modules/private/websites/tools/ether/default.nix index 64e411d..d5c65a9 100644 --- a/modules/private/websites/tools/ether/default.nix +++ b/modules/private/websites/tools/ether/default.nix @@ -15,19 +15,16 @@ in { services.duplyBackup.profiles.etherpad-lite = { rootDir = "/var/lib/private/etherpad-lite"; }; - secrets.keys = [ - { - dest = "webapps/tools-etherpad-apikey"; + secrets.keys = { + "webapps/tools-etherpad-apikey" = { permissions = "0400"; text = env.api_key; - } - { - dest = "webapps/tools-etherpad-sessionkey"; + }; + "webapps/tools-etherpad-sessionkey" = { permissions = "0400"; text = env.session_key; - } - { - dest = "webapps/tools-etherpad"; + }; + "webapps/tools-etherpad" = { permissions = "0400"; text = '' { @@ -152,8 +149,8 @@ in { "logconfig" : { "appenders": [ { "type": "console" } ] } } ''; - } - ]; + }; + }; services.etherpad-lite = { enable = true; package = pkgs.webapps.etherpad-lite.withModules (p: [ 
diff --git a/modules/private/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix index e6a8da7..033a651 100644 --- a/modules/private/websites/tools/git/mantisbt.nix +++ b/modules/private/websites/tools/git/mantisbt.nix @@ -6,8 +6,7 @@ rec { install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/mantisbt ''; }; - keys = [{ - dest = "webapps/tools-mantisbt"; + keys."webapps/tools-mantisbt" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -45,7 +44,7 @@ rec { $g_ldap_realname_field = 'cn'; $g_ldap_organization = '${env.ldap.filter}'; ''; - }]; + }; webRoot = (mantisbt_2.override { mantis_config = config.secrets.fullPaths."webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]); apache = rec { user = "wwwrun"; diff --git a/modules/private/websites/tools/mail/roundcubemail.nix b/modules/private/websites/tools/mail/roundcubemail.nix index 7d8e733..92de28e 100644 --- a/modules/private/websites/tools/mail/roundcubemail.nix +++ b/modules/private/websites/tools/mail/roundcubemail.nix @@ -9,8 +9,7 @@ rec { install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions ''; }; - keys = [{ - dest = "webapps/tools-roundcube"; + keys."webapps/tools-roundcube" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -74,7 +73,7 @@ rec { $config['temp_dir'] = '${varDir}/cache'; $config['mime_types'] = '${apacheHttpd}/conf/mime.types'; ''; - }]; + }; webRoot = (roundcubemail.override { roundcube_config = config.secrets.fullPaths."webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]); apache = rec { user = "wwwrun"; diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix index cea8710..87e8d72 100644 --- a/modules/private/websites/tools/mastodon/default.nix 
+++ b/modules/private/websites/tools/mastodon/default.nix @@ -13,8 +13,7 @@ in { services.duplyBackup.profiles.mastodon = { rootDir = mcfg.dataDir; }; - secrets.keys = [{ - dest = "webapps/tools-mastodon"; + secrets.keys."webapps/tools-mastodon" = { user = "mastodon"; group = "mastodon"; permissions = "0400"; @@ -59,7 +58,7 @@ in { LDAP_UID="uid" LDAP_SEARCH_FILTER="${env.ldap.filter}" ''; - }]; + }; services.mastodon = { enable = true; configFile = config.secrets.fullPaths."webapps/tools-mastodon"; diff --git a/modules/private/websites/tools/mgoblin/default.nix b/modules/private/websites/tools/mgoblin/default.nix index 6d6a5a4..f6cba4a 100644 --- a/modules/private/websites/tools/mgoblin/default.nix +++ b/modules/private/websites/tools/mgoblin/default.nix @@ -12,8 +12,7 @@ in { services.duplyBackup.profiles.mgoblin = { rootDir = mcfg.dataDir; }; - secrets.keys = [{ - dest = "webapps/tools-mediagoblin"; + secrets.keys."webapps/tools-mediagoblin" = { user = "mediagoblin"; group = "mediagoblin"; permissions = "0400"; @@ -77,7 +76,7 @@ in { [[mediagoblin.media_types.image]] [[mediagoblin.media_types.video]] ''; - }]; + }; users.users.mediagoblin.extraGroups = [ "keys" ]; diff --git a/modules/private/websites/tools/peertube/default.nix b/modules/private/websites/tools/peertube/default.nix index 7dcc998..daeeb1f 100644 --- a/modules/private/websites/tools/peertube/default.nix +++ b/modules/private/websites/tools/peertube/default.nix @@ -18,8 +18,7 @@ in { }; users.users.peertube.extraGroups = [ "keys" ]; - secrets.keys = [{ - dest = "webapps/tools-peertube"; + secrets.keys."webapps/tools-peertube" = { user = "peertube"; group = "peertube"; permissions = "0640"; @@ -62,7 +61,7 @@ in { plugins: '${pcfg.dataDir}/storage/plugins/' client_overrides: '${pcfg.dataDir}/storage/client-overrides/' ''; - }]; + }; services.websites.env.tools.modules = [ "headers" "proxy" "proxy_http" "proxy_wstunnel" 
diff --git a/modules/private/websites/tools/performance/default.nix b/modules/private/websites/tools/performance/default.nix index 5afd639..5715ff0 100644 --- a/modules/private/websites/tools/performance/default.nix +++ b/modules/private/websites/tools/performance/default.nix @@ -11,9 +11,8 @@ in }; config = lib.mkIf cfg.enable { - secrets.keys = [ - { - dest = "status_engine_ui"; + secrets.keys = { + status_engine_ui = { permissions = "0400"; user = "wwwrun"; group = "wwwrun"; @@ -44,8 +43,8 @@ in display_perfdata: 1 perfdata_backend: mysql ''; - } - ]; + }; + }; services.websites.env.tools.modules = [ "proxy_fcgi" ]; diff --git a/modules/private/websites/tools/stats/default.nix b/modules/private/websites/tools/stats/default.nix index 5f184bc..71e31a3 100644 --- a/modules/private/websites/tools/stats/default.nix +++ b/modules/private/websites/tools/stats/default.nix @@ -6,9 +6,8 @@ in { options.myServices.websites.tools.stats.enable = lib.mkEnableOption "Enable stats site"; config = lib.mkIf cfg.enable { - secrets.keys = [ - { - dest = "umami/env"; + secrets.keys = { + "uami/env" = { permission = "0400"; text = '' PORT=${toString myCfg.listenPort} @@ -16,8 +15,8 @@ in DATABASE_URL=postgresql://${myCfg.postgresql.user}:${myCfg.postgresql.password}@localhost:${myCfg.postgresql.port}/${myCfg.postgresql.database}?sslmode=disable&host=${myCfg.postgresql.socket} HASH_SALT=${myCfg.hashSalt} ''; - } - ]; + }; + }; services.websites.env.tools.vhostConfs.stats = { certName = "eldiron"; diff --git a/modules/private/websites/tools/tools/csp_reports.nix b/modules/private/websites/tools/tools/csp_reports.nix index 4660251..9b3f0cf 100644 --- a/modules/private/websites/tools/tools/csp_reports.nix +++ b/modules/private/websites/tools/tools/csp_reports.nix 
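Review bot: In the stats hunk the new attribute name is `"uami/env" = {` while the removed line was `dest = "umami/env";`, so the secret is now registered under a different path and anything resolving `config.secrets.fullPaths."umami/env"` would no longer find it (that reference is not in this hunk, so I cannot confirm one exists). It should read `"umami/env" = {`. The same block keeps the context line `permission = "0400";`, the singular spelling that the commento hunk earlier in this patch corrects to `permissions`; depending on how the new `secrets.keys` attrset option is typed this is either an evaluation error or a silently ignored attribute that leaves a file carrying `HASH_SALT` and a database URL with its password at default permissions, so it should become `permissions = "0400";` here as well.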
@@ -1,12 +1,11 @@ { env }: rec { - keys = [{ - dest = "webapps/tools-csp-reports.conf"; + keys."webapps/tools-csp-reports.conf" = { user = "wwwrun"; group = "wwwrun"; permissions = "0400"; text = with env.postgresql; '' env[CSP_REPORT_URI] = "host=${socket} dbname=${database} user=${user} password=${password}" ''; - }]; + }; } diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix index ada6253..1f499fb 100644 --- a/modules/private/websites/tools/tools/default.nix +++ b/modules/private/websites/tools/tools/default.nix @@ -83,14 +83,14 @@ in { config = lib.mkIf cfg.enable { secrets.keys = kanboard.keys - ++ ldap.keys - ++ shaarli.keys - ++ ttrss.keys - ++ wallabag.keys - ++ yourls.keys - ++ dmarc-reports.keys - ++ csp-reports.keys - ++ webhooks.keys; + // ldap.keys + // shaarli.keys + // ttrss.keys + // wallabag.keys + // yourls.keys + // dmarc-reports.keys + // csp-reports.keys + // webhooks.keys; services.duplyBackup.profiles = { dokuwiki = dokuwiki.backups; diff --git a/modules/private/websites/tools/tools/dmarc_reports.nix b/modules/private/websites/tools/tools/dmarc_reports.nix index 5fdf0b6..89da246 100644 --- a/modules/private/websites/tools/tools/dmarc_reports.nix +++ b/modules/private/websites/tools/tools/dmarc_reports.nix @@ -1,7 +1,6 @@ { env, config }: rec { - keys = [{ - dest = "webapps/tools-dmarc-reports.php"; + keys."webapps/tools-dmarc-reports.php" = { user = "wwwrun"; group = "wwwrun"; permissions = "0400"; @@ -15,7 +14,7 @@ rec { $anonymous_key = "${env.anonymous_key}"; ?> ''; - }]; + }; webRoot = ./dmarc_reports; apache = rec { user = "wwwrun"; diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix index 1a70499..b2e7b65 100644 --- a/modules/private/websites/tools/tools/kanboard.nix +++ b/modules/private/websites/tools/tools/kanboard.nix 
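Review bot: In tools/default.nix the change to `secrets.keys = kanboard.keys // ldap.keys // ... // webhooks.keys;` makes the merge right-biased, so if two of these submodules ever define the same attribute name the later one silently replaces the earlier, whereas the previous list form carried both entries and would presumably have surfaced the duplicate. The names visible in this patch (`webapps/tools-kanboard`, `webapps/tools-csp-reports.conf`, `webapps/tools-dmarc-reports.php`, …) are distinct today, so this is a maintainability concern rather than a current defect. A comment on the line would make the behaviour explicit, e.g. `# attrset merge: a key defined in two of these files is silently taken from the later one`, or guard it with an assertion on `lib.intersectLists` of the attribute-name lists if duplicates should be rejected at evaluation time.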
@@ -13,8 +13,7 @@ rec { install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config ''; }; - keys = [{ - dest = "webapps/tools-kanboard"; + keys."webapps/tools-kanboard" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -41,7 +40,7 @@ rec { define('LDAP_GROUP_ADMIN_DN', '${env.ldap.admin_dn}'); ?> ''; - }]; + }; webRoot = kanboard { kanboard_config = config.secrets.fullPaths."webapps/tools-kanboard"; }; apache = rec { user = "wwwrun"; diff --git a/modules/private/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix index cb90edc..14920f4 100644 --- a/modules/private/websites/tools/tools/ldap.nix +++ b/modules/private/websites/tools/tools/ldap.nix @@ -6,8 +6,7 @@ rec { install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/phpldapadmin ''; }; - keys = [{ - dest = "webapps/tools-ldap"; + keys."webapps/tools-ldap" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -31,7 +30,7 @@ rec { $servers->setValue('login','attr','uid'); $servers->setValue('login','fallback_dn',true); ''; - }]; + }; webRoot = phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; }; apache = rec { user = "wwwrun"; diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix index 80c6a89..b7126cc 100644 --- a/modules/private/websites/tools/tools/shaarli.nix +++ b/modules/private/websites/tools/tools/shaarli.nix @@ -38,8 +38,7 @@ in rec { ''; }; - keys = [{ - dest = "webapps/tools-shaarli"; + keys."webapps/tools-shaarli" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -50,7 +49,7 @@ in rec { SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}" SetEnv SHAARLI_LDAP_FILTER "${env.ldap.filter}" ''; - }]; + }; phpFpm = rec { serviceDeps = [ "openldap.service" ]; basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; 
diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix index eb1d415..f6abae9 100644 --- a/modules/private/websites/tools/tools/ttrss.nix +++ b/modules/private/websites/tools/tools/ttrss.nix @@ -19,8 +19,7 @@ rec { install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions ''; }; - keys = [{ - dest = "webapps/tools-ttrss"; + keys."webapps/tools-ttrss" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -87,7 +86,7 @@ rec { define('LDAP_AUTH_LOG_ATTEMPTS', FALSE); define('LDAP_AUTH_DEBUG', FALSE); ''; - }]; + }; webRoot = (ttrss.override { ttrss_config = config.secrets.fullPaths."webapps/tools-ttrss"; }).withPlugins (p: [ p.auth_ldap p.ff_instagram p.tumblr_gdpr_ua (p.af_feedmod.override { patched = true; }) diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix index 1a604c7..b6ad151 100644 --- a/modules/private/websites/tools/tools/wallabag.nix +++ b/modules/private/websites/tools/tools/wallabag.nix @@ -5,8 +5,7 @@ rec { remotes = [ "eriomem" "ovh" ]; }; varDir = "/var/lib/wallabag"; - keys = [{ - dest = "webapps/tools-wallabag"; + keys."webapps/tools-wallabag" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -68,7 +67,7 @@ rec { class: Swift_SendmailTransport arguments: ['/run/wrappers/bin/sendmail -bs'] ''; - }]; + }; webappDir = wallabag.override { ldap = true; wallabag_config = config.secrets.fullPaths."webapps/tools-wallabag"; }; activationScript = '' install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \ diff --git a/modules/private/websites/tools/tools/webhooks.nix b/modules/private/websites/tools/tools/webhooks.nix index 8ffb81b..785e22b 100644 --- a/modules/private/websites/tools/tools/webhooks.nix +++ b/modules/private/websites/tools/tools/webhooks.nix 
@@ -1,16 +1,17 @@ { lib, env }: { - keys = lib.attrsets.mapAttrsToList (k: v: { - dest = "webapps/webhooks/${k}.php"; + keys = lib.attrsets.mapAttrs' (k: v: + lib.nameValuePair "webapps/webhooks/${k}.php" { user = "wwwrun"; group = "wwwrun"; permissions = "0400"; text = v; - }) env ++ [{ - dest = "webapps/webhooks"; - isDir = true; - user = "wwwrun"; - group = "wwwrun"; - permissions = "0500"; - }]; + }) env // { + "webapps/webhooks" = { + isDir = true; + user = "wwwrun"; + group = "wwwrun"; + permissions = "0500"; + }; + }; } diff --git a/modules/private/websites/tools/tools/yourls.nix b/modules/private/websites/tools/tools/yourls.nix index 0f977f2..01ef548 100644 --- a/modules/private/websites/tools/tools/yourls.nix +++ b/modules/private/websites/tools/tools/yourls.nix @@ -6,8 +6,7 @@ rec { install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls ''; }; - keys = [{ - dest = "webapps/tools-yourls"; + keys."webapps/tools-yourls" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -39,7 +38,7 @@ rec { define( 'LDAPAUTH_USERCACHE_TYPE', 0); ''; - }]; + }; webRoot = (yourls.override { yourls_config = config.secrets.fullPaths."webapps/tools-yourls"; }).withPlugins (p: [p.ldap]); apache = rec { user = "wwwrun"; diff --git a/modules/zrepl.nix b/modules/zrepl.nix index cb74082..5bcc17b 100644 --- a/modules/zrepl.nix +++ b/modules/zrepl.nix @@ -16,15 +16,14 @@ in }; config = lib.mkIf cfg.enable { - secrets.keys = [ - { - dest = "zrepl/zrepl.yml"; + secrets.keys = { + "zrepl/zrepl.yml" = { permissions = "0400"; text = cfg.config; user = config.systemd.services.zrepl.serviceConfig.User or "root"; group = config.systemd.services.zrepl.serviceConfig.Group or "root"; - } - ]; + }; + }; services.filesWatcher.zrepl = { restart = true; paths = [ config.secrets.fullPaths."zrepl/zrepl.yml" ]; -- 2.41.0