From 742697c95318d3625298437995e948ee00a00ba5 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Thu, 25 Apr 2019 02:18:59 +0200 Subject: [PATCH] Move ssh ftp and mpd to new secrets --- nixops/modules/ftp/default.nix | 7 ++++--- nixops/modules/mpd/default.nix | 16 +++++++++------- nixops/modules/ssh/default.nix | 17 ++++++++--------- nixops/modules/websites/tools/tools/default.nix | 2 +- 4 files changed, 22 insertions(+), 20 deletions(-) diff --git a/nixops/modules/ftp/default.nix b/nixops/modules/ftp/default.nix index 0409f23..ff067f8 100644 --- a/nixops/modules/ftp/default.nix +++ b/nixops/modules/ftp/default.nix @@ -47,7 +47,8 @@ install -m 0755 -o ftp -g ftp -d /var/lib/ftp ''; - deployment.keys.pure-ftpd-ldap = { + mySecrets.keys = [{ + dest = "pure-ftpd-ldap"; permissions = "0400"; user = "ftp"; group = "ftp"; @@ -70,7 +71,7 @@ # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid LDAPHomeDir immaeFtpDirectory ''; - }; + }]; systemd.services.pure-ftpd = let configFile = pkgs.writeText "pure-ftpd.conf" '' @@ -88,7 +89,7 @@ SyslogFacility ftp DontResolve yes MaxIdleTime 15 - LDAPConfigFile /run/keys/pure-ftpd-ldap + LDAPConfigFile /var/secrets/pure-ftpd-ldap LimitRecursion 10000 8 AnonymousCanCreateDirs no MaxLoad 4 diff --git a/nixops/modules/mpd/default.nix b/nixops/modules/mpd/default.nix index 2cf37ad..0904732 100644 --- a/nixops/modules/mpd/default.nix +++ b/nixops/modules/mpd/default.nix 
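Review bot: Nothing in these hunks or the commit message records what backs `/var/secrets`, which matters because the `/run/keys` path that the new `LDAPConfigFile /var/secrets/pure-ftpd-ldap` line replaces is NixOps' non-persistent key store, so the LDAP bind password may now land on persistent disk unless `mySecrets` provisions a tmpfs or equivalent; the same question applies to the mpd, ssh and tools hunks. The `mySecrets` module itself is not part of this patch, so that is an inference to confirm rather than a defect I can point at. A short comment above the first `mySecrets.keys` declaration would settle it for later readers, e.g. `# Written to /var/secrets by the mySecrets module (<module path>); storage and cleanup guarantees are documented there`.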
@@ -4,20 +4,22 @@ nixpkgs.overlays = [ (self: super: rec { mpd = (self.callPackage ./mpd.nix {}).mpd; }) ]; - deployment.keys = { - mpd = { + mySecrets.keys = [ + { + dest = "mpd"; permissions = "0400"; text = myconfig.env.mpd.password; - }; - mpd-config = { + } + { + dest = "mpd-config"; permissions = "0400"; user = "mpd"; group = "mpd"; text = '' password "${myconfig.env.mpd.password}@read,add,control,admin" ''; - }; - }; + } + ]; networking.firewall.allowedTCPPorts = [ 6600 ]; users.users.mpd.extraGroups = [ "wwwrun" "keys" ]; system.activationScripts.mpd = '' @@ -28,7 +30,7 @@ network.listenAddress = "any"; musicDirectory = myconfig.env.mpd.folder; extraConfig = '' - include "/run/keys/mpd-config" + include "/var/secrets/mpd-config" audio_output { type "null" name "No Output" diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix index 924f86e..ece4b9f 100644 --- a/nixops/modules/ssh/default.nix +++ b/nixops/modules/ssh/default.nix @@ -8,16 +8,15 @@ AuthorizedKeysCommandUser nobody ''; - deployment.keys = { - ssh-ldap = { - user = "nobody"; - group = "nobody"; - permissions = "0400"; - text = myconfig.env.sshd.ldap.password; - }; - }; + mySecrets.keys = [{ + dest = "ssh-ldap"; + user = "nobody"; + group = "nobody"; + permissions = "0400"; + text = myconfig.env.sshd.ldap.password; + }]; system.activationScripts.sshd = '' - install -Dm400 -o nobody -g nobody -T /run/keys/ssh-ldap /etc/ssh/ldap_password + install -Dm400 -o nobody -g nobody -T /var/secrets/ssh-ldap /etc/ssh/ldap_password ''; # ssh is strict about parent directory having correct rights, don't # move it in the nix store. diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix index 1aa70b8..463e059 100644 --- a/nixops/modules/websites/tools/tools/default.nix +++ b/nixops/modules/websites/tools/tools/default.nix 
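Review bot: `users.users.mpd.extraGroups = [ "wwwrun" "keys" ];`, the context line right after the new `mySecrets.keys` list, still grants the `keys` group, which under `deployment.keys` was what let the mpd user traverse `/run/keys`; now that `mpd-config` is `/var/secrets/mpd-config` owned by `mpd:mpd` with mode 0400, that membership looks stale unless `mySecrets` also gates its directory on `keys`. If it is no longer needed, `users.users.mpd.extraGroups = [ "wwwrun" ];` keeps the user's privileges to what the new layout requires. Separately, the `mpd` entry carries no `user`/`group` while `mpd-config` does, so it gets whatever `mySecrets` defaults to; that presumably matches the root-run ympd script in the tools hunk, and a one-line `# read as root by the ympd unit, hence no user/group` would make the asymmetry intentional rather than an omission.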
@@ -76,7 +76,7 @@ in {
 description = "Standalone MPD Web GUI written in C";
 wantedBy = [ "multi-user.target" ];
 script = ''
- export MPD_PASSWORD=$(cat /run/keys/mpd)
+ export MPD_PASSWORD=$(cat /var/secrets/mpd)
 ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
 '';
 };
-- 
2.41.0
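Review bot: In the new `script`, `export MPD_PASSWORD=$(cat /var/secrets/mpd)` masks a failed read: the exit status the shell sees is `export`'s, not `cat`'s, so if `/var/secrets/mpd` is absent or unreadable when the unit starts (for instance before the secret has been provisioned) ympd comes up with an empty password instead of failing, even under the `-e` that NixOS applies to `script`. Splitting the assignment keeps the failure visible: `MPD_PASSWORD=$(cat /var/secrets/mpd)` followed by `export MPD_PASSWORD`. Whether this unit is ordered after the `mySecrets` provisioning step cannot be seen from the hunk; the ympd service definition begins before it.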