From ab8f306d7c2c49b8116e1af7b355ed2384617ed9 Mon Sep 17 00:00:00 2001 
From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Thu, 12 Dec 2019 00:24:23 +0100 Subject: [PATCH] Add specification for the private config file as a module. --- modules/duply_backup/default.nix | 4 +- modules/private/buildbot/default.nix | 24 +- modules/private/databases/default.nix | 40 +- .../databases/openldap_replication.nix | 2 +- modules/private/databases/redis.nix | 8 +- .../private/databases/redis_replication.nix | 6 +- modules/private/default.nix | 1 + modules/private/dns.nix | 22 +- modules/private/environment.nix | 1148 +++++++++++++++++ modules/private/ftp.nix | 12 +- modules/private/gitolite/default.nix | 4 +- modules/private/mail/default.nix | 4 +- modules/private/mail/dovecot.nix | 22 +- modules/private/mail/milters.nix | 10 +- modules/private/mail/postfix.nix | 48 +- modules/private/mail/rspamd.nix | 14 +- modules/private/monitoring/default.nix | 12 +- modules/private/mpd.nix | 8 +- modules/private/pub/default.nix | 4 +- modules/private/ssh/default.nix | 4 +- modules/private/system.nix | 6 +- modules/private/system/backup-2.nix | 37 +- modules/private/system/eldiron.nix | 16 +- modules/private/tasks/default.nix | 6 +- modules/private/websites/aten/integration.nix | 13 +- modules/private/websites/aten/production.nix | 13 +- .../websites/capitaines/production.nix | 4 +- modules/private/websites/chloe/builder.nix | 4 +- .../private/websites/chloe/integration.nix | 4 +- modules/private/websites/chloe/production.nix | 4 +- .../websites/connexionswing/integration.nix | 6 +- .../websites/connexionswing/production.nix | 6 +- modules/private/websites/default.nix | 10 +- .../websites/denisejerome/production.nix | 4 +- .../private/websites/emilia/production.nix | 4 +- modules/private/websites/florian/app.nix | 6 +- .../private/websites/florian/integration.nix | 4 +- .../private/websites/florian/production.nix | 4 +- modules/private/websites/immae/production.nix | 4 +- modules/private/websites/immae/release.nix | 4 +- modules/private/websites/immae/temp.nix | 4 +- 
.../websites/ludivinecassal/integration.nix | 8 +- .../websites/ludivinecassal/production.nix | 8 +- .../private/websites/nassime/production.nix | 4 +- .../websites/naturaloutil/production.nix | 6 +- .../private/websites/papa/surveillance.nix | 2 +- .../websites/piedsjaloux/integration.nix | 6 +- .../websites/piedsjaloux/production.nix | 6 +- .../websites/teliotortay/production.nix | 4 +- .../private/websites/tools/cloud/default.nix | 6 +- .../private/websites/tools/dav/davical.nix | 12 +- .../private/websites/tools/dav/default.nix | 4 +- .../websites/tools/diaspora/default.nix | 14 +- .../private/websites/tools/ether/default.nix | 12 +- .../private/websites/tools/git/default.nix | 4 +- .../private/websites/tools/git/mantisbt.nix | 8 +- .../private/websites/tools/mail/default.nix | 4 +- .../private/websites/tools/mail/mta-sts.nix | 4 +- .../websites/tools/mail/roundcubemail.nix | 7 +- .../websites/tools/mastodon/default.nix | 12 +- .../websites/tools/mgoblin/default.nix | 25 +- .../websites/tools/peertube/default.nix | 16 +- .../private/websites/tools/tools/default.nix | 18 +- .../private/websites/tools/tools/kanboard.nix | 4 +- .../private/websites/tools/tools/shaarli.nix | 2 +- .../private/websites/tools/tools/ttrss.nix | 8 +- .../private/websites/tools/tools/wallabag.nix | 10 +- modules/private/websites/tools/tools/ympd.nix | 2 +- .../private/websites/tools/tools/yourls.nix | 6 +- modules/rsync_backup/default.nix | 2 +- 70 files changed, 1474 insertions(+), 310 deletions(-) create mode 100644 modules/private/environment.nix diff --git a/modules/duply_backup/default.nix b/modules/duply_backup/default.nix index 32fa941..8931378 100644 --- a/modules/duply_backup/default.nix +++ b/modules/duply_backup/default.nix @@ -1,7 +1,7 @@ -{ lib, pkgs, myconfig, config, ... }: +{ lib, pkgs, config, ... }: let - cfg = myconfig.env.backup; + cfg = config.myEnv.backup; varDir = "/var/lib/duply"; duplyProfile = profile: prefix: '' GPG_PW="${cfg.password}" 
diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix index 273ad70..d42f659 100644 --- a/modules/private/buildbot/default.nix +++ b/modules/private/buildbot/default.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let varDir = "/var/lib/buildbot"; buildbot_common = pkgs.python3Packages.buildPythonPackage rec { @@ -27,8 +27,8 @@ in services.duplyBackup.profiles.buildbot = { rootDir = varDir; }; - ids.uids.buildbot = myconfig.env.buildbot.user.uid; - ids.gids.buildbot = myconfig.env.buildbot.user.gid; + ids.uids.buildbot = config.myEnv.buildbot.user.uid; + ids.gids.buildbot = config.myEnv.buildbot.user.gid; users.groups.buildbot.gid = config.ids.gids.buildbot; users.users.buildbot = { @@ -42,7 +42,7 @@ in services.websites.env.tools.watchPaths = lib.attrsets.mapAttrsToList (k: project: "/var/secrets/buildbot/${project.name}/webhook-httpd-include") - myconfig.env.buildbot.projects; + config.myEnv.buildbot.projects; services.websites.env.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: '' RedirectMatch permanent "^/buildbot/${project.name}$" "/buildbot/${project.name}/" @@ -64,7 +64,7 @@ in Include /var/secrets/buildbot/${project.name}/webhook-httpd-include - '') myconfig.env.buildbot.projects; + '') config.myEnv.buildbot.projects; system.activationScripts = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { deps = [ "users" "wrappers" ]; @@ -73,7 +73,7 @@ in ${project.activationScript} ''; - }) myconfig.env.buildbot.projects; + }) config.myEnv.buildbot.projects; secrets.keys = ( lib.lists.flatten ( 
@@ -92,27 +92,27 @@ in permissions = "0600"; user = "wwwrun"; group = "wwwrun"; - text = lib.optionalString (lib.attrsets.hasAttr "webhookTokens" project) '' + text = lib.optionalString (project.webhookTokens != null) '' Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }" ''; dest = "buildbot/${project.name}/webhook-httpd-include"; } ] - ) myconfig.env.buildbot.projects + ) config.myEnv.buildbot.projects ) ) ++ [ { permissions = "0600"; user = "buildbot"; group = "buildbot"; - text = myconfig.env.buildbot.ldap.password; + text = config.myEnv.buildbot.ldap.password; dest = "buildbot/ldap"; } { permissions = "0600"; user = "buildbot"; group = "buildbot"; - text = builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key"; + text = builtins.readFile "${config.myEnv.privateFiles}/buildbot_ssh_key"; dest = "buildbot/ssh_key"; } ]; @@ -123,7 +123,7 @@ in "/var/secrets/buildbot/ldap" "/var/secrets/buildbot/ssh_key" ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets; - }) myconfig.env.buildbot.projects; + }) config.myEnv.buildbot.projects; systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { description = "Buildbot Continuous Integration Server ${project.name}."; @@ -214,6 +214,6 @@ in WorkingDirectory = "${varDir}/${project.name}"; ExecStart = "${buildbot}/bin/buildbot start"; }; - }) myconfig.env.buildbot.projects; + }) config.myEnv.buildbot.projects; }; } diff --git a/modules/private/databases/default.nix b/modules/private/databases/default.nix index 7371410..8c5eb9a 100644 --- a/modules/private/databases/default.nix +++ b/modules/private/databases/default.nix @@ -1,4 +1,4 @@ -{ lib, config, myconfig, nodes, ... }: +{ lib, config, nodes, ... }: let cfg = config.myServices.databases; in 
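Review bot: The new guard `lib.optionalString (project.webhookTokens != null)` only excludes the null default, while the option this commit declares is `nullOr (listOf str)`, so an empty list still emits `Require expr "req('Access-Key') in {  }"` into the webhook include, which I expect httpd to reject as malformed at service start rather than at evaluation time. I would tighten it to `text = lib.optionalString (project.webhookTokens != null && project.webhookTokens != []) ''` or declare the option as `nullOr (nonEmptyListOf str)`. The tokens are also interpolated unescaped (`"'${x}'"`), so a token containing a quote breaks the directive; that is pre-existing but cheap to reject with an `assert` when the include is generated. On `builtins.readFile "${config.myEnv.privateFiles}/buildbot_ssh_key"`, the `privateFiles` declaration is not in this chunk; if it is a `path`-typed option holding a path literal, the string interpolation copies the whole private directory into the world-readable Nix store, which `builtins.readFile (config.myEnv.privateFiles + "/buildbot_ssh_key")` avoids. The `@@ -123` and `@@ -214` hunks in this file are plain path renames.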
@@ -18,49 +18,49 @@ in mariadb = { enable = true; ldapConfig = { - inherit (myconfig.env.ldap) host base; - inherit (myconfig.env.databases.mysql.pam) dn filter password; + inherit (config.myEnv.ldap) host base; + inherit (config.myEnv.databases.mysql.pam) dn filter password; }; replicationLdapConfig = { - inherit (myconfig.env.ldap) host base; - inherit (myconfig.env.ldap.eldiron) dn password; + inherit (config.myEnv.ldap) host base; + inherit (config.myEnv.servers.eldiron.ldap) dn password; }; - credentials.root = myconfig.env.databases.mysql.systemUsers.root; + credentials.root = config.myEnv.databases.mysql.systemUsers.root; }; openldap = { - accessFile = "${myconfig.privateFiles}/ldap.conf"; - baseDn = myconfig.env.ldap.base; - rootDn = myconfig.env.ldap.root_dn; - rootPw = myconfig.env.ldap.root_pw; + accessFile = "${config.myEnv.privateFiles}/ldap.conf"; + baseDn = config.myEnv.ldap.base; + rootDn = config.myEnv.ldap.root_dn; + rootPw = config.myEnv.ldap.root_pw; enable = true; }; postgresql = { ldapConfig = { - inherit (myconfig.env.ldap) host base; - inherit (myconfig.env.databases.postgresql.pam) dn filter password; + inherit (config.myEnv.ldap) host base; + inherit (config.myEnv.databases.postgresql.pam) dn filter password; }; replicationLdapConfig = { - inherit (myconfig.env.ldap) host base; - inherit (myconfig.env.ldap.eldiron) dn password; + inherit (config.myEnv.ldap) host base; + inherit (config.myEnv.servers.eldiron.ldap) dn password; }; authorizedHosts = { immaeEu = [{ ip4 = [ - myconfig.env.servers.immaeEu.ips.main.ip4 - myconfig.env.servers.immaeEu.ips.alt.ip4 + config.myEnv.servers.immaeEu.ips.main.ip4 + config.myEnv.servers.immaeEu.ips.alt.ip4 ]; }]; }; replicationHosts = { backup-1 = { - ip4 = [myconfig.env.servers.backup-1.ips.main.ip4]; - ip6 = myconfig.env.servers.backup-1.ips.main.ip6; + ip4 = [config.myEnv.servers.backup-1.ips.main.ip4]; + ip6 = config.myEnv.servers.backup-1.ips.main.ip6; }; backup-2 = { - ip4 = 
[myconfig.env.servers.backup-2.ips.main.ip4]; - ip6 = myconfig.env.servers.backup-2.ips.main.ip6; + ip4 = [config.myEnv.servers.backup-2.ips.main.ip4]; + ip6 = config.myEnv.servers.backup-2.ips.main.ip6; }; }; enable = true; diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix index c0c16e6..7833e31 100644 --- a/modules/private/databases/openldap_replication.nix +++ b/modules/private/databases/openldap_replication.nix @@ -1,4 +1,4 @@ -{ pkgs, config, myconfig, lib, ... }: +{ pkgs, config, lib, ... }: let cfg = config.myServices.databasesReplication.openldap; eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {}; diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index 693f402..4b26283 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix @@ -1,4 +1,4 @@ -{ lib, config, pkgs, myconfig, ... }: +{ lib, config, pkgs, ... }: let cfg = config.myServices.databases.redis; in { @@ -96,7 +96,7 @@ in { WorkerThreads 1 Authority { - Auth "${myconfig.env.databases.redis.predixy.read}" { + Auth "${config.myEnv.databases.redis.predixy.read}" { Mode read } } @@ -105,7 +105,7 @@ in { Databases 16 RefreshMethod fixed Group shard001 { - + ${myconfig.env.databases.redis.socket} + + ${config.myEnv.databases.redis.socket} } } ''; @@ -115,7 +115,7 @@ in { user = "spiped"; group = "spiped"; permissions = "0400"; - text = myconfig.env.databases.redis.spiped_key; + text = config.myEnv.databases.redis.spiped_key; } ]; diff --git a/modules/private/databases/redis_replication.nix b/modules/private/databases/redis_replication.nix index cc626f5..6ec52c9 100644 --- a/modules/private/databases/redis_replication.nix +++ b/modules/private/databases/redis_replication.nix @@ -1,4 +1,4 @@ -{ pkgs, config, myconfig, lib, ... }: +{ pkgs, config, lib, ... }: let cfg = config.myServices.databasesReplication.redis; in 
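Review bot: `inherit (config.myEnv.servers.eldiron.ldap) dn password;` (in both `replicationLdapConfig` blocks) now reads options that this commit declares in environment.nix with `type = string;` (`servers.<name>.ldap.dn`, `.password`, and `ips.<section>.ip4`), and `types.string` is the deprecated type that merges multiple definitions by concatenation instead of reporting a conflict, so a second definition of the replication DN or password elsewhere would silently yield a broken credential rather than an evaluation error. I would declare those options with `type = str;` like the rest of the new module, and `listOf str` for `ip6`. The `authorizedHosts`/`replicationHosts` addresses taken from the same `ip4` option have the same merge behaviour. The enclosing `myServices.databases` configuration continues past the end of this hunk.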
@@ -63,7 +63,7 @@ in config.redis = { encrypt = true; source = "127.0.0.1:16379"; - target = "${myconfig.env.servers.eldiron.ips.main.ip4}:16379"; + target = "${config.myEnv.servers.eldiron.ips.main.ip4}:16379"; keyfile = "${config.secrets.location}/redis/spiped_eldiron_keyfile"; }; }; @@ -103,7 +103,7 @@ in user = "spiped"; group = "spiped"; permissions = "0400"; - text = myconfig.env.databases.redis.spiped_key; + text = config.myEnv.databases.redis.spiped_key; } ]; diff --git a/modules/private/default.nix b/modules/private/default.nix index 29bf2af..57bad43 100644 --- a/modules/private/default.nix +++ b/modules/private/default.nix @@ -67,6 +67,7 @@ set = { ssh = ./ssh; monitoring = ./monitoring; + environment = ./environment.nix; system = ./system.nix; }; in diff --git a/modules/private/dns.nix b/modules/private/dns.nix index b4772fc..fb90824 100644 --- a/modules/private/dns.nix +++ b/modules/private/dns.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: { options.myServices.dns.enable = lib.mkEnableOption "enable DNS resolver"; config = let @@ -61,13 +61,13 @@ allow-recursion { 127.0.0.1; }; allow-transfer { none; }; - notify-source ${myconfig.env.servers.eldiron.ips.main.ip4}; - notify-source-v6 ${lib.head myconfig.env.servers.eldiron.ips.main.ip6}; + notify-source ${config.myEnv.servers.eldiron.ips.main.ip4}; + notify-source-v6 ${lib.head config.myEnv.servers.eldiron.ips.main.ip6}; version none; hostname none; server-id none; ''; - zones = with myconfig.env.dns; + zones = with config.myEnv.dns; assert (builtins.substring ((builtins.stringLength soa.email)-1) 1 soa.email) != "."; assert (builtins.substring ((builtins.stringLength soa.primary)-1) 1 soa.primary) != "."; (map (conf: { 
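Review bot: `notify-source-v6 ${lib.head config.myEnv.servers.eldiron.ips.main.ip6};` now reads an option that this commit declares with `default = []` (`ips.<section>.ip6` in environment.nix), so a server entry without an IPv6 address aborts evaluation of the whole system with a bare `head: empty list` error from inside the zone text. Since the directive is only meaningful when an address exists, I would emit it conditionally, `${lib.optionalString (config.myEnv.servers.eldiron.ips.main.ip6 != []) "notify-source-v6 ${lib.head config.myEnv.servers.eldiron.ips.main.ip6};"}`, or add an `assert` with a message naming the option next to the two `soa` asserts that follow. The `AAAA` lines in `@@ -94` and `@@ -122` use `map` and already tolerate an empty list. The `zones` expression continues outside the hunk.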
@@ -94,10 +94,10 @@ ${conf.entries} ${if lib.attrsets.hasAttr "withEmail" conf && lib.lists.length conf.withEmail > 0 then '' - mx-1 IN A ${myconfig.env.servers.eldiron.ips.main.ip4} - mx-2 IN A ${myconfig.env.servers.immaeEu.ips.main.ip4} - ${builtins.concatStringsSep "\n" (map (i: "mx-1 IN AAAA ${i}") myconfig.env.servers.eldiron.ips.main.ip6)} - ${builtins.concatStringsSep "\n" (map (i: "mx-2 IN AAAA ${i}") myconfig.env.servers.immaeEu.ips.main.ip6)} + mx-1 IN A ${config.myEnv.servers.eldiron.ips.main.ip4} + mx-2 IN A ${config.myEnv.servers.immaeEu.ips.main.ip4} + ${builtins.concatStringsSep "\n" (map (i: "mx-1 IN AAAA ${i}") config.myEnv.servers.eldiron.ips.main.ip6)} + ${builtins.concatStringsSep "\n" (map (i: "mx-2 IN AAAA ${i}") config.myEnv.servers.immaeEu.ips.main.ip6)} ${lib.concatStringsSep "\n\n" (map (e: let n = if e.domain == "" then "@" else "${e.domain} "; @@ -122,8 +122,8 @@ ; https://support.google.com/a/answer/9261504 _mta-sts${suffix} IN TXT "v=STSv1;id=20190630054629Z" _smtp._tls${suffix} IN TXT "v=TLSRPTv1;rua=mailto:postmaster+mta-sts@immae.eu" - mta-sts${suffix} IN A ${myconfig.env.servers.eldiron.ips.main.ip4} - ${builtins.concatStringsSep "\n" (map (i: "mta-sts${suffix} IN AAAA ${i}") myconfig.env.servers.eldiron.ips.main.ip6)} + mta-sts${suffix} IN A ${config.myEnv.servers.eldiron.ips.main.ip4} + ${builtins.concatStringsSep "\n" (map (i: "mta-sts${suffix} IN AAAA ${i}") config.myEnv.servers.eldiron.ips.main.ip6)} ; Mail sender authentications ${n} IN TXT "v=spf1 mx ~all" 
@@ -132,7 +132,7 @@ immae_eu._domainkey${suffix} IN TXT ( "v=DKIM1; k=rsa; s=email; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzl3vLd8W5YAuumC5+ZT9OV7/14Pmh5JYtwyqKI3cfe9NnAqInt3xO4bZ7oqIxRKWN4SD39vm7O/QOvFdBt00ENOOzdP90s5gKw6eIP/4+vPTh0IWltAsmu9B2agzdtWUE7t2xFKIzEn8l9niRE2QYbVaqZv4sub98vY55fIgFoHtjkmNC7325S8fjDJGp6OPbyhAs6Xl5/adjF" "0ko4Y2p6RaxLQfjlS0bxmK4Qg6C14pIXHtzVeqOuWrwApqt5+AULSn97iUtqV/IJlEEjC6DUR44t3C/G0G/k46iFclCqRRi0hdPrOHCtZDbtMubnTN9eaUiNpkXh1WnCflHwtjQwIDAQAB" ) - eldiron._domainkey${suffix} IN TXT ${myconfig.env.mail.dkim.eldiron.public} + eldiron._domainkey${suffix} IN TXT ${config.myEnv.mail.dkim.eldiron.public} '' else ""} '') conf.withEmail)} '' + (if conf.name == "immae.eu" then '' diff --git a/modules/private/environment.nix b/modules/private/environment.nix new file mode 100644 index 0000000..2aa8b5e --- /dev/null +++ b/modules/private/environment.nix 
@@ -0,0 +1,1148 @@ +{ lib, ... }: +with lib; +with types; +with lists; +let + ldapOptions = { + base = mkOption { description = "Base of the LDAP tree"; type = str; }; + host = mkOption { description = "Host to access LDAP"; type = str; }; + root_dn = mkOption { description = "DN of the root user"; type = str; }; + root_pw = mkOption { description = "Hashed password of the root user"; type = str; }; + replication_dn = mkOption { description = "DN of the user allowed to replicate the LDAP directory"; type = str; }; + replication_pw = mkOption { description = "Password of the user allowed to replicate the LDAP directory"; type = str; }; + }; + mkLdapOptions = name: more: mkOption { + description = "${name} LDAP configuration"; + type = submodule { + options = ldapOptions // { + dn = mkOption { description = "DN of the ${name} user"; type = str; }; + password = mkOption { description = "password of the ${name} user"; type = str; }; + filter = mkOption { description = "Filter for ${name} users"; type = str; default = ""; }; + } // more; + }; + }; + mysqlOptions = { + host = mkOption { description = "Host to access Mysql"; type = str; }; + port = mkOption { description = "Port to access Mysql"; type = str; }; + socket = mkOption { description = "Socket to access Mysql"; type = path; }; + systemUsers = mkOption { + description = "Attrs of user-passwords allowed to access mysql"; + type = attrsOf str; + }; + pam = mkOption { + description = "PAM configuration for mysql"; + type = submodule { + options = { + dn = mkOption { description = "DN to connect as to check users"; type = str; }; + password = mkOption { description = "DN password to connect as to check users"; type = str; }; + filter = mkOption { description = "filter to match users"; type = str; }; + }; + }; + }; + }; + mkMysqlOptions = name: mkOption { + description = "${name} mysql configuration"; + type = submodule { + options = mysqlOptions // { + database = mkOption { description = "${name} database"; type = 
str; }; + user = mkOption { description = "${name} user"; type = str; }; + password = mkOption { description = "mysql password of the ${name} user"; type = str; }; + }; + }; + }; + psqlOptions = { + host = mkOption { description = "Host to access Postgresql"; type = str; }; + port = mkOption { description = "Port to access Postgresql"; type = str; }; + socket = mkOption { description = "Socket to access Postgresql"; type = path; }; + pam = mkOption { + description = "PAM configuration for psql"; + type = submodule { + options = { + dn = mkOption { description = "DN to connect as to check users"; type = str; }; + password = mkOption { description = "DN password to connect as to check users"; type = str; }; + filter = mkOption { description = "filter to match users"; type = str; }; + }; + }; + }; + }; + mkPsqlOptions = name: mkOption { + description = "${name} psql configuration"; + type = submodule { + options = psqlOptions // { + database = mkOption { description = "${name} database"; type = str; }; + schema = mkOption { description = "${name} schema"; type = nullOr str; default = null; }; + user = mkOption { description = "${name} user"; type = str; }; + password = mkOption { description = "psql password of the ${name} user"; type = str; }; + }; + }; + }; + redisOptions = { + host = mkOption { description = "Host to access Redis"; type = str; }; + port = mkOption { description = "Port to access Redis"; type = str; }; + socket = mkOption { description = "Socket to access Redis"; type = path; }; + dbs = mkOption { + description = "Attrs of db number. Each number should be unique to avoid collision!"; + type = attrsOf str; + }; + spiped_key = mkOption { + type = str; + description = '' + Key to use with spiped to make a secure channel to replication + ''; + }; + predixy = mkOption { + description = "Predixy configuration. 
Unused yet"; + type = submodule { + options = { + read = mkOption { type = str; description = "Read password"; }; + }; + }; + }; + }; + mkRedisOptions = name: mkOption { + description = "${name} redis configuration"; + type = submodule { + options = redisOptions // { + db = mkOption { description = "${name} database"; type = str; }; + }; + }; + }; +in +{ + options.myEnv = { + servers = mkOption { + description = '' + Attrs of servers information in the cluster (not necessarily handled by nixops) + ''; + default = {}; + type = attrsOf (submodule { + options = { + ldap = mkOption { + description = '' + LDAP credentials for the host + ''; + type = submodule { + options = { + password = mkOption { type = string; description = "Password for the LDAP connection"; }; + dn = mkOption { type = string; description = "DN for the LDAP connection"; }; + }; + }; + }; + ips = mkOption { + description = '' + attrs of ip4/ip6 grouped by section + ''; + type = attrsOf (submodule { + options = { + ip4 = mkOption { + type = string; + description = '' + ip4 address of the host + ''; + }; + ip6 = mkOption { + type = listOf string; + default = []; + description = '' + ip6 addresses of the host + ''; + }; + }; + }); + }; + }; + }); + }; + hetznerCloud = mkOption { + description = '' + Hetzner Cloud credential information + ''; + type = submodule { + options = { + authToken = mkOption { + type = str; + description = '' + The API auth token. 
+ ''; + }; + }; + }; + }; + hetzner = mkOption { + description = '' + Hetzner credential information + ''; + type = submodule { + options = { + user = mkOption { type = str; description = "User"; }; + pass = mkOption { type = str; description = "Password"; }; + }; + }; + }; + sshd = mkOption { + description = '' + sshd service credential information + ''; + type = submodule { + options = { + ldap = mkOption { + description = '' + LDAP credentials for cn=ssh,ou=services,dc=immae,dc=eu dn + ''; + type = submodule { + options = { + password = mkOption { description = "Password"; type = str; }; + }; + }; + }; + }; + }; + }; + ports = mkOption { + description = '' + non-standard reserved ports. Must be unique! + ''; + type = attrsOf port; + default = {}; + apply = let + noDupl = x: builtins.length (builtins.attrValues x) == builtins.length (unique (builtins.attrValues x)); + in + x: if isAttrs x && noDupl x then x else throw "Non unique values for ports"; + }; + httpd = mkOption { + description = '' + httpd service credential information + ''; + type = submodule { + options = { + ldap = mkOption { + description = '' + LDAP credentials for cn=httpd,ou=services,dc=immae,dc=eu dn + ''; + type = submodule { + options = { + password = mkOption { description = "Password"; type = str; }; + }; + }; + }; + }; + }; + }; + ldap = mkOption { + description = '' + LDAP server configuration + ''; + type = submodule { + options = ldapOptions; + }; + }; + databases = mkOption { + description = "Databases configuration"; + type = submodule { + options = { + mysql = mkOption { + type = submodule { options = mysqlOptions; }; + description = "Mysql configuration"; + }; + redis = mkOption { + type = submodule { options = redisOptions; }; + description = "Redis configuration"; + }; + postgresql = mkOption { + type = submodule { options = psqlOptions; }; + description = "Postgresql configuration"; + }; + }; + }; + }; + jabber = mkOption { + description = "Jabber configuration"; + type = 
submodule { + options = { + ldap = mkLdapOptions "Jabber" {}; + postgresql = mkPsqlOptions "Jabber"; + }; + }; + }; + users = mkOption { + description = "System and regular users uid/gid"; + type = attrsOf (submodule { + options = { + uid = mkOption { + description = "user uid"; + type = int; + }; + gid = mkOption { + description = "user gid"; + type = int; + }; + }; + }); + }; + dns = mkOption { + description = "DNS configuration"; + type = submodule { + options = { + soa = mkOption { + description = "SOA information"; + type = submodule { + options = { + serial = mkOption { + description = "Serial number. Should be incremented at each change and unique"; + type = str; + }; + refresh = mkOption { + description = "Refresh time"; + type = str; + }; + retry = mkOption { + description = "Retry time"; + type = str; + }; + expire = mkOption { + description = "Expire time"; + type = str; + }; + ttl = mkOption { + description = "Default TTL time"; + type = str; + }; + email = mkOption { + description = "hostmaster e-mail"; + type = str; + }; + primary = mkOption { + description = "Primary NS"; + type = str; + }; + }; + }; + }; + ns = mkOption { + description = "Attrs of NS servers group"; + example = { + foo = { + "ns1.foo.com" = [ "198.51.100.10" "2001:db8:abcd::1" ]; + "ns2.foo.com" = [ "198.51.100.15" "2001:db8:1234::1" ]; + }; + }; + type = attrsOf (attrsOf (listOf str)); + }; + slaveZones = mkOption { + description = "List of slave zones"; + type = listOf (submodule { + options = { + name = mkOption { type = str; description = "zone name"; }; + masters = mkOption { + description = "NS master groups of this zone"; + type = listOf str; + }; + }; + }); + }; + masterZones = mkOption { + description = "List of master zones"; + type = listOf (submodule { + options = { + name = mkOption { type = str; description = "zone name"; }; + slaves = mkOption { + description = "NS slave groups of this zone"; + type = listOf str; + }; + ns = mkOption { + description = "groups names 
that should have their NS entries listed here"; + type = listOf str; + }; + extra = mkOption { + description = "Extra zone configuration for bind"; + example = '' + notify yes; + ''; + type = lines; + }; + entries = mkOption { type = lines; description = "Regular entries of the NS zone"; }; + withEmail = mkOption { + description = "List of domains that should have mail entries (MX, dkim, SPF, ...)"; + default = []; + type = listOf (submodule { + options = { + domain = mkOption { type = str; description = "Which subdomain is concerned"; }; + send = mkOption { type = bool; description = "Whether there can be e-mails originating from the subdomain"; }; + receive = mkOption { type = bool; description = "Whether there can be e-mails arriving to the subdomain"; }; + }; + }); + }; + }; + }); + }; + }; + }; + }; + backup = mkOption { + description = '' + Remote backup with duplicity + ''; + type = submodule { + options = { + password = mkOption { type = str; description = "Password for encrypting files"; }; + remote = mkOption { type = str; description = "Remote url access"; }; + accessKeyId = mkOption { type = str; description = "Remote access-key"; }; + secretAccessKey = mkOption { type = str; description = "Remote access secret"; }; + }; + }; + }; + rsync_backup = mkOption { + description ='' + Rsync backup configuration from controlled host + ''; + type = submodule { + options = { + mailto = mkOption { type = str; description = "Where to e-mail on error"; }; + ssh_key = mkOption { + description = "SSH key information"; + type = submodule { + options = { + public = mkOption { type = str; description = "Public part of the key"; }; + private = mkOption { type = lines; description = "Private part of the key"; }; + }; + }; + }; + profiles = mkOption { + description = "Attrs of profiles to backup"; + type = attrsOf (submodule { + options = { + keep = mkOption { type = int; description = "Number of backups to keep"; }; + login = mkOption { type = str; description = "Login to 
connect to host"; }; + port = mkOption { type = str; default = "22"; description = "Port to connect to host"; }; + host = mkOption { type = str; description = "Host to connect to"; }; + host_key = mkOption { type = str; description = "Host key"; }; + host_key_type = mkOption { type = str; description = "Host key type"; }; + parts = mkOption { + description = "Parts to backup for this host"; + type = attrsOf (submodule { + options = { + remote_folder = mkOption { type = path; description = "Remote folder to backup";}; + exclude_from = mkOption { + type = listOf path; + default = []; + description = "List of folders/files to exclude from the backup"; + }; + files_from = mkOption { + type = listOf path; + default = []; + description = "List of folders/files to backup in the base folder"; + }; + args = mkOption { + type = nullOr str; + default = null; + description = "Extra arguments to pass to rsync"; + }; + }; + }); + }; + }; + }); + }; + }; + }; + }; + monitoring = mkOption { + description = "Monitoring configuration"; + type = submodule { + options = { + status_url = mkOption { type = str; description = "URL to push status to"; }; + status_token = mkOption { type = str; description = "Token for the status url"; }; + email = mkOption { type = str; description = "Admin E-mail"; }; + }; + }; + }; + mpd = mkOption { + description = "MPD configuration"; + type = submodule { + options = { + folder = mkOption { type = str; description = "Folder to serve from the MPD instance"; }; + password = mkOption { type = str; description = "Password to connect to the MPD instance"; }; + host = mkOption { type = str; description = "Host to connect to the MPD instance"; }; + port = mkOption { type = str; description = "Port to connect to the MPD instance"; }; + }; + }; + }; + ftp = mkOption { + description = "FTP configuration"; + type = submodule { + options = { + ldap = mkLdapOptions "FTP" {}; + }; + }; + }; + mail = mkOption { + description = "Mail configuration"; + type = 
submodule { + options = { + dmarc = mkOption { + description = "DMARC configuration"; + type = submodule { + options = { + ignore_hosts = mkOption { + type = lines; + description = '' + Hosts to ignore when checking for dmarc + ''; + }; + }; + }; + }; + dkim = mkOption { + description = "DKIM configuration"; + type = attrsOf (submodule { + options = { + public = mkOption { + type = str; + example = '' + ( "v=DKIM1; k=rsa; " + "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3w1a2aMxWw9+hdcmbqX4UevcVqr204y0K73Wdc7MPZiOOlUJQYsMNSYR1Y/SC7jmPKeitpcJCpQgn/cveJZbuikjjPLsDReHyFEYmC278ZLRTELHx6f1IXM8WE08JIRT69CfZiMi1rVcOh9qRT4F93PyjCauU8Y5hJjtg9ThsWwIDAQAB" ) + ''; + description = "Public entry to put in DNS TXT field"; + }; + private = mkOption { type = str; description = "Private key"; }; + }; + }); + }; + postfix = mkOption { + description = "Postfix configuration"; + type = submodule { + options = { + additional_mailbox_domains = mkOption { + description = '' + List of domains that are used as mailbox final destination, in addition to those defined in the DNS records + ''; + type = listOf str; + }; + mysql = mkMysqlOptions "Postfix"; + backup_domains = mkOption { + description = '' + Domains that are accepted for relay as backup domain + ''; + type = attrsOf (submodule { + options = { + domains = mkOption { type = listOf str; description = "Domains list"; }; + relay_restrictions = mkOption { + type = lines; + description = '' + Restrictions for relaying the e-mails from the domains + ''; + }; + recipient_maps = mkOption { + description = '' + Recipient map to accept relay for. + Must be specified for domain, the rules apply to everyone! 
+ ''; + type = listOf (submodule { + options = { + type = mkOption { + type = enum [ "hash" ]; + description = "Map type"; + }; + content = mkOption { + type = str; + description = "Map content"; + }; + }; + }); + }; + }; + }); + }; + }; + }; + }; + dovecot = mkOption { + description = "Dovecot configuration"; + type = submodule { + options = { + ldap = mkLdapOptions "Dovecot" { + pass_attrs = mkOption { type = str; description = "Password attribute in LDAP"; }; + user_attrs = mkOption { type = str; description = "User attribute mapping in LDAP"; }; + iterate_attrs = mkOption { type = str; description = "User attribute mapping for listing in LDAP"; }; + iterate_filter = mkOption { type = str; description = "User attribute filter for listing in LDAP"; }; + }; + }; + }; + }; + rspamd = mkOption { + description = "rspamd configuration"; + type = submodule { + options = { + redis = mkRedisOptions "Redis"; + read_password_hashed = mkOption { type = str; description = "Hashed read password for rspamd"; }; + write_password_hashed = mkOption { type = str; description = "Hashed write password for rspamd"; }; + read_password = mkOption { + type = str; + description = "Read password for rspamd. Unused"; + apply = x: ""; + }; + write_password = mkOption { + type = str; + description = "Write password for rspamd. Unused"; + apply = x: ""; + }; + }; + }; + }; + scripts = mkOption { + description = "Mail script recipients"; + type = attrsOf (submodule { + options = { + src = mkOption { + description = '' + git source to fetch the script from. 
+ It must have a default.nix file as its root accepting a scriptEnv parameter + ''; + type = submodule { + options = { + url = mkOption { type = str; description = "git url to fetch"; }; + rev = mkOption { type = str; description = "git reference to fetch"; }; + }; + }; + }; + env = mkOption { + description = "Variables to pass to the script"; + type = unspecified; + }; + }; + }); + }; + }; + }; + }; + buildbot = mkOption { + description = "Buildbot configuration"; + type = submodule { + options = { + user = mkOption { + description = "Buildbot user"; + type = submodule { + options = { + uid = mkOption { + description = "user uid"; + type = int; + }; + gid = mkOption { + description = "user gid"; + type = int; + }; + }; + }; + }; + ldap = mkOption { + description = "Ldap configuration for buildbot"; + type = submodule { + options = { + password = mkOption { type = str; description = "Buildbot password"; }; + }; + }; + }; + projects = mkOption { + description = "Projects to make a buildbot for"; + type = attrsOf (submodule { + options = { + name = mkOption { type = str; description = "Project name"; }; + packages = mkOption { + type = unspecified; + example = literalExample '' + pkgs: [ pkgs.bash pkgs.git pkgs.gzip pkgs.openssh ]; + ''; + description = '' + Function. + Builds packages list to make available to buildbot project. + Takes pkgs as argument. + ''; + }; + pythonPackages = mkOption { + type = unspecified; + example = literalExample '' + p: pkgs: [ pkgs.python3Packages.pip ]; + ''; + description = '' + Function. + Builds python packages list to make available to buildbot project. + Takes buildbot python module as first argument and pkgs as second argument in order to augment the python modules list. 
+ ''; + }; + pythonPathHome = mkOption { type = bool; description = "Whether to add project’s python home to python path"; }; + secrets = mkOption { + type = attrsOf str; + description = "Secrets for the project to dump as files"; + }; + environment = mkOption { + type = attrsOf str; + description = '' + Environment variables for the project. + BUILDBOT_ is prefixed to the variable names + ''; + }; + activationScript = mkOption { + type = lines; + description = '' + Activation script to run during deployment + ''; + }; + builderPaths = mkOption { + type = attrsOf unspecified; + default = {}; + description = '' + Attrs of functions to make accessible specifically per builder. + Takes pkgs as argument and should return a single path containing binaries. + This path will be accessible as BUILDBOT_PATH_ + ''; + }; + webhookTokens = mkOption { + type = nullOr (listOf str); + default = null; + description = '' + List of tokens allowed to push to project’s change_hook/base endpoint + ''; + }; + }; + }); + }; + }; + }; + }; + tools = mkOption { + description = "Tools configurations"; + type = submodule { + options = { + davical = mkOption { + description = "Davical configuration"; + type = submodule { + options = { + postgresql = mkPsqlOptions "Davical"; + ldap = mkLdapOptions "Davical" {}; + }; + }; + }; + diaspora = mkOption { + description = "Diaspora configuration"; + type = submodule { + options = { + postgresql = mkPsqlOptions "Diaspora"; + redis = mkRedisOptions "Diaspora"; + ldap = mkLdapOptions "Diaspora" {}; + secret_token = mkOption { type = str; description = "Secret token"; }; + }; + }; + }; + etherpad-lite = mkOption { + description = "Etherpad configuration"; + type = submodule { + options = { + postgresql = mkPsqlOptions "Etherpad"; + ldap = mkLdapOptions "Etherpad" { + group_filter = mkOption { type = str; description = "Filter for groups"; }; + }; + session_key = mkOption { type = str; description = "Session key"; }; + api_key = mkOption { type = str; 
description = "API key"; }; + redirects = mkOption { type = str; description = "Redirects for apache"; }; + }; + }; + }; + gitolite = mkOption { + description = "Gitolite configuration"; + type = submodule { + options = { + ldap = mkLdapOptions "Gitolite" {}; + }; + }; + }; + kanboard = mkOption { + description = "Kanboard configuration"; + type = submodule { + options = { + postgresql = mkPsqlOptions "Kanboard"; + ldap = mkLdapOptions "Kanboard" { + admin_dn = mkOption { type = str; description = "Admin DN"; }; + }; + }; + }; + }; + mantisbt = mkOption { + description = "Mantisbt configuration"; + type = submodule { + options = { + postgresql = mkPsqlOptions "Mantisbt"; + ldap = mkLdapOptions "Mantisbt" {}; + master_salt = mkOption { type = str; description = "Master salt for password hash"; }; + }; + }; + }; + mastodon = mkOption { + description = "Mastodon configuration"; + type = submodule { + options = { + postgresql = mkPsqlOptions "Mastodon"; + redis = mkRedisOptions "Mastodon"; + ldap = mkLdapOptions "Mastodon" {}; + paperclip_secret = mkOption { type = str; description = "Paperclip secret"; }; + otp_secret = mkOption { type = str; description = "OTP secret"; }; + secret_key_base = mkOption { type = str; description = "Secret key base"; }; + vapid = mkOption { + description = "vapid key"; + type = submodule { + options = { + private = mkOption { type = str; description = "Private key"; }; + public = mkOption { type = str; description = "Public key"; }; + }; + }; + }; + }; + }; + }; + mediagoblin = mkOption { + description = "Mediagoblin configuration"; + type = submodule { + options = { + postgresql = mkPsqlOptions "Mediagoblin"; + redis = mkRedisOptions "Mediagoblin"; + ldap = mkLdapOptions "Mediagoblin" {}; + }; + }; + }; + nextcloud = mkOption { + description = "Nextcloud configuration"; + type = submodule { + options = { + postgresql = mkPsqlOptions "Peertube"; + redis = mkRedisOptions "Peertube"; + password_salt = mkOption { type = str; description = 
"Password salt"; }; + instance_id = mkOption { type = str; description = "Instance ID"; }; + secret = mkOption { type = str; description = "App secret"; }; + }; + }; + }; + peertube = mkOption { + description = "Peertube configuration"; + type = submodule { + options = { + listenPort = mkOption { type = port; description = "Port to listen to"; }; + postgresql = mkPsqlOptions "Peertube"; + redis = mkRedisOptions "Peertube"; + ldap = mkLdapOptions "Peertube" {}; + }; + }; + }; + phpldapadmin = mkOption { + description = "phpLdapAdmin configuration"; + type = submodule { + options = { + ldap = mkLdapOptions "phpldapadmin" {}; + }; + }; + }; + rompr = mkOption { + description = "Rompr configuration"; + type = submodule { + options = { + mpd = mkOption { + description = "MPD configuration"; + type = submodule { + options = { + host = mkOption { type = str; description = "Host for MPD"; }; + port = mkOption { type = port; description = "Port to access MPD host"; }; + }; + }; + }; + }; + }; + }; + roundcubemail = mkOption { + description = "Roundcubemail configuration"; + type = submodule { + options = { + postgresql = mkPsqlOptions "TT-RSS"; + secret = mkOption { type = str; description = "Secret"; }; + }; + }; + }; + shaarli = mkOption { + description = "Shaarli configuration"; + type = submodule { + options = { + ldap = mkLdapOptions "Shaarli" {}; + }; + }; + }; + task = mkOption { + description = "Taskwarrior configuration"; + type = submodule { + options = { + ldap = mkLdapOptions "Taskwarrior" {}; + taskwarrior-web = mkOption { + description = "taskwarrior-web profiles"; + type = attrsOf (submodule { + options = { + uid = mkOption { + type = listOf str; + description = "List of ldap uids having access to this profile"; + }; + org = mkOption { type = str; description = "Taskd organisation"; }; + key = mkOption { type = str; description = "Taskd key"; }; + date = mkOption { type = str; description = "Preferred date format"; }; + }; + }); + }; + }; + }; + }; + ttrss = 
mkOption { + description = "TT-RSS configuration"; + type = submodule { + options = { + postgresql = mkPsqlOptions "TT-RSS"; + ldap = mkLdapOptions "TT-RSS" {}; + }; + }; + }; + wallabag = mkOption { + description = "Wallabag configuration"; + type = submodule { + options = { + postgresql = mkPsqlOptions "Wallabag"; + ldap = mkLdapOptions "Wallabag" { + admin_filter = mkOption { type = str; description = "Admin users filter"; }; + }; + redis = mkRedisOptions "Wallabag"; + secret = mkOption { type = str; description = "App secret"; }; + }; + }; + }; + ympd = mkOption { + description = "Ympd configuration"; + type = submodule { + options = { + listenPort = mkOption { type = port; description = "Port to listen to"; }; + mpd = mkOption { + description = "MPD configuration"; + type = submodule { + options = { + password = mkOption { type = str; description = "Password to access MPD host"; }; + host = mkOption { type = str; description = "Host for MPD"; }; + port = mkOption { type = port; description = "Port to access MPD host"; }; + }; + }; + }; + }; + }; + }; + yourls = mkOption { + description = "Yourls configuration"; + type = submodule { + options = { + mysql = mkMysqlOptions "Yourls"; + ldap = mkLdapOptions "Yourls" {}; + cookieKey = mkOption { type = str; description = "Cookie key"; }; + }; + }; + }; + }; + }; + }; + websites = mkOption { + description = "Websites configurations"; + type = submodule { + options = { + aten = mkOption { + description = "Aten configurations by environment"; + type = + let + atenSubmodule = mkOption { + description = "environment configuration"; + type = submodule { + options = { + environment = mkOption { type = str; description = "Symfony environment"; }; + secret = mkOption { type = str; description = "Symfony App secret"; }; + postgresql = mkPsqlOptions "Aten"; + }; + }; + }; + in + submodule { + options = { + production = atenSubmodule; + integration = atenSubmodule; + }; + }; + }; + chloe = mkOption { + description = "Chloe 
configurations by environment"; + type = + let + chloeSubmodule = mkOption { + description = "environment configuration"; + type = submodule { + options = { + environment = mkOption { type = str; description = "Symfony environment"; }; + mysql = mkMysqlOptions "Chloe"; + ldap = mkLdapOptions "Chloe" {}; + }; + }; + }; + in + submodule { + options = { + production = chloeSubmodule; + integration = chloeSubmodule; + }; + }; + }; + connexionswing = mkOption { + description = "Connexionswing configurations by environment"; + type = + let + csSubmodule = mkOption { + description = "environment configuration"; + type = submodule { + options = { + environment = mkOption { type = str; description = "Symfony environment"; }; + mysql = mkMysqlOptions "Connexionswing"; + secret = mkOption { type = str; description = "Symfony App secret"; }; + email = mkOption { type = str; description = "Symfony email notification"; }; + }; + }; + }; + in + submodule { + options = { + production = csSubmodule; + integration = csSubmodule; + }; + }; + }; + jerome = mkOption { + description = "Naturaloutil configuration"; + type = submodule { + options = { + mysql = mkMysqlOptions "Naturaloutil"; + server_admin = mkOption { type = str; description = "Server admin e-mail"; }; + }; + }; + }; + telioTortay = mkOption { + description = "Telio Tortay configuration"; + type = submodule { + options = { + server_admin = mkOption { type = str; description = "Server admin e-mail"; }; + }; + }; + }; + ludivinecassal = mkOption { + description = "Ludivinecassal configurations by environment"; + type = + let + lcSubmodule = mkOption { + description = "environment configuration"; + type = submodule { + options = { + environment = mkOption { type = str; description = "Symfony environment"; }; + mysql = mkMysqlOptions "LudivineCassal"; + ldap = mkLdapOptions "LudivineCassal" {}; + secret = mkOption { type = str; description = "Symfony App secret"; }; + }; + }; + }; + in + submodule { + options = { + production 
= lcSubmodule; + integration = lcSubmodule; + }; + }; + }; + emilia = mkOption { + description = "Emilia configuration"; + type = submodule { + options = { + postgresql = mkPsqlOptions "Emilia"; + }; + }; + }; + florian = mkOption { + description = "Florian configuration"; + type = submodule { + options = { + server_admin = mkOption { type = str; description = "Server admin e-mail"; }; + }; + }; + }; + nassime = mkOption { + description = "Nassime configuration"; + type = submodule { + options = { + server_admin = mkOption { type = str; description = "Server admin e-mail"; }; + }; + }; + }; + piedsjaloux = mkOption { + description = "Piedsjaloux configurations by environment"; + type = + let + pjSubmodule = mkOption { + description = "environment configuration"; + type = submodule { + options = { + environment = mkOption { type = str; description = "Symfony environment"; }; + mysql = mkMysqlOptions "Piedsjaloux"; + secret = mkOption { type = str; description = "Symfony App secret"; }; + }; + }; + }; + in + submodule { + options = { + production = pjSubmodule; + integration = pjSubmodule; + }; + }; + }; + tellesflorian = mkOption { + description = "Tellesflorian configurations by environment"; + type = + let + tfSubmodule = mkOption { + description = "environment configuration"; + type = submodule { + options = { + environment = mkOption { type = str; description = "Symfony environment"; }; + mysql = mkMysqlOptions "Tellesflorian"; + secret = mkOption { type = str; description = "Symfony App secret"; }; + invite_passwords = mkOption { type = str; description = "Password basic auth"; }; + }; + }; + }; + in + submodule { + options = { + integration = tfSubmodule; + }; + }; + }; + }; + }; + }; + + privateFiles = mkOption { + type = path; + description = '' + Path to secret files to make available during build + ''; + }; + }; + options.hostEnv = { + FQDN = mkOption { + type = string; + description = '' + FQDN of the current host. + ''; + }; + }; +} 
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix index 9b6a98f..e3c1f70 100644 --- a/modules/private/ftp.nix +++ b/modules/private/ftp.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; }; in @@ -55,17 +55,17 @@ in user = "ftp"; group = "ftp"; text = '' - LDAPServer ${myconfig.env.ftp.ldap.host} + LDAPServer ${config.myEnv.ftp.ldap.host} LDAPPort 389 LDAPUseTLS True - LDAPBaseDN ${myconfig.env.ftp.ldap.base} - LDAPBindDN ${myconfig.env.ftp.ldap.dn} - LDAPBindPW ${myconfig.env.ftp.ldap.password} + LDAPBaseDN ${config.myEnv.ftp.ldap.base} + LDAPBindDN ${config.myEnv.ftp.ldap.dn} + LDAPBindPW ${config.myEnv.ftp.ldap.password} LDAPDefaultUID 500 LDAPForceDefaultUID False LDAPDefaultGID 100 LDAPForceDefaultGID False - LDAPFilter ${myconfig.env.ftp.ldap.filter} + LDAPFilter ${config.myEnv.ftp.ldap.filter} LDAPAuthMethod BIND diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix index 658979d..9dfa04d 100644 --- a/modules/private/gitolite/default.nix +++ b/modules/private/gitolite/default.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let cfg = config.myServices.gitolite; in { @@ -32,7 +32,7 @@ in { name = "gitolite_ldap_groups.sh"; file = ./gitolite_ldap_groups.sh; vars = { - LDAP_PASS = myconfig.env.tools.gitolite.ldap.password; + LDAP_PASS = config.myEnv.tools.gitolite.ldap.password; }; paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ]; }; diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix index 8be21a1..839939c 100644 --- a/modules/private/mail/default.nix +++ b/modules/private/mail/default.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: { imports = [ ./milters.nix 
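Review bot: `LDAP_PASS = config.myEnv.tools.gitolite.ldap.password;` in the gitolite hunk passes the bind password through the `vars` of a wrapper built around `./gitolite_ldap_groups.sh`; if that helper renders its variables into a derivation (the `paths` list next to it suggests a store-built wrapper), the password ends up in the world-readable Nix store regardless of whether it is read from `myconfig.env` or from the new typed option. The wrapper's definition is outside this hunk, so this may already be routed through `config.secrets`; worth confirming, since moving the value into a module option does not change where it is materialised.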
@@ -14,7 +14,7 @@ extraDomains = let zonesWithMx = builtins.filter (zone: lib.attrsets.hasAttr "withEmail" zone && lib.lists.length zone.withEmail > 0 - ) myconfig.env.dns.masterZones; + ) config.myEnv.dns.masterZones; mxs = map (zone: "mx-1.${zone.name}") zonesWithMx; in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs); }; diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix index 470fc1a..16053ea 100644 --- a/modules/private/mail/dovecot.nix +++ b/modules/private/mail/dovecot.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let sieve_bin = pkgs.runCommand "sieve_bin" { buildInputs = [ pkgs.makeWrapper ]; @@ -24,26 +24,26 @@ in group = config.services.dovecot2.group; permissions = "0400"; text = '' - hosts = ${myconfig.env.mail.dovecot.ldap.host} + hosts = ${config.myEnv.mail.dovecot.ldap.host} tls = yes - dn = ${myconfig.env.mail.dovecot.ldap.dn} - dnpass = ${myconfig.env.mail.dovecot.ldap.password} + dn = ${config.myEnv.mail.dovecot.ldap.dn} + dnpass = ${config.myEnv.mail.dovecot.ldap.password} auth_bind = yes ldap_version = 3 - base = ${myconfig.env.mail.dovecot.ldap.base} + base = ${config.myEnv.mail.dovecot.ldap.base} scope = subtree - pass_filter = ${myconfig.env.mail.dovecot.ldap.filter} - pass_attrs = ${myconfig.env.mail.dovecot.ldap.pass_attrs} + pass_filter = ${config.myEnv.mail.dovecot.ldap.filter} + pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs} - user_attrs = ${myconfig.env.mail.dovecot.ldap.user_attrs} - user_filter = ${myconfig.env.mail.dovecot.ldap.filter} - iterate_attrs = ${myconfig.env.mail.dovecot.ldap.iterate_attrs} - iterate_filter = ${myconfig.env.mail.dovecot.ldap.iterate_filter} + user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs} + user_filter = ${config.myEnv.mail.dovecot.ldap.filter} + iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs} + iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter} ''; } ]; 
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix index 123af4a..6b033e8 100644 --- a/modules/private/mail/milters.nix +++ b/modules/private/mail/milters.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: { options.myServices.mail.milters.sockets = lib.mkOption { type = lib.types.attrsOf lib.types.path; @@ -19,7 +19,7 @@ user = config.services.opendkim.user; group = config.services.opendkim.group; permissions = "0400"; - text = myconfig.env.mail.dkim.eldiron.private; + text = config.myEnv.mail.dkim.eldiron.private; } { dest = "opendkim/eldiron.txt"; @@ -27,14 +27,14 @@ group = config.services.opendkim.group; permissions = "0444"; text = '' - eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}''; + eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}''; } { dest = "opendmarc/ignore.hosts"; user = config.services.opendmarc.user; group = config.services.opendmarc.group; permissions = "0400"; - text = myconfig.env.mail.dmarc.ignore_hosts; + text = config.myEnv.mail.dmarc.ignore_hosts; } ]; users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ]; @@ -46,7 +46,7 @@ (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}") (zone.withEmail or []) ) - myconfig.env.dns.masterZones + config.myEnv.dns.masterZones )); keyPath = "${config.secrets.location}/opendkim"; selector = "eldiron"; diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index a679027..f8f86f6 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: { config = lib.mkIf config.myServices.mail.enable { services.duplyBackup.profiles.mail.excludeFile = '' 
@@ -13,10 +13,10 @@ text = '' # We need to specify that option to trigger ssl connection tls_ciphers = TLSv1.2 - user = ${myconfig.env.mail.postfix.mysql.user} - password = ${myconfig.env.mail.postfix.mysql.password} - hosts = unix:${myconfig.env.mail.postfix.mysql.socket} - dbname = ${myconfig.env.mail.postfix.mysql.database} + user = ${config.myEnv.mail.postfix.mysql.user} + password = ${config.myEnv.mail.postfix.mysql.password} + hosts = unix:${config.myEnv.mail.postfix.mysql.socket} + dbname = ${config.myEnv.mail.postfix.mysql.database} query = SELECT DISTINCT destination FROM forwardings_merge WHERE @@ -41,10 +41,10 @@ text = '' # We need to specify that option to trigger ssl connection tls_ciphers = TLSv1.2 - user = ${myconfig.env.mail.postfix.mysql.user} - password = ${myconfig.env.mail.postfix.mysql.password} - hosts = unix:${myconfig.env.mail.postfix.mysql.socket} - dbname = ${myconfig.env.mail.postfix.mysql.database} + user = ${config.myEnv.mail.postfix.mysql.user} + password = ${config.myEnv.mail.postfix.mysql.password} + hosts = unix:${config.myEnv.mail.postfix.mysql.socket} + dbname = ${config.myEnv.mail.postfix.mysql.database} result_format = /%d/%u query = SELECT DISTINCT '%s' FROM mailboxes @@ -68,10 +68,10 @@ text = '' # We need to specify that option to trigger ssl connection tls_ciphers = TLSv1.2 - user = ${myconfig.env.mail.postfix.mysql.user} - password = ${myconfig.env.mail.postfix.mysql.password} - hosts = unix:${myconfig.env.mail.postfix.mysql.socket} - dbname = ${myconfig.env.mail.postfix.mysql.database} + user = ${config.myEnv.mail.postfix.mysql.user} + password = ${config.myEnv.mail.postfix.mysql.password} + hosts = unix:${config.myEnv.mail.postfix.mysql.socket} + dbname = ${config.myEnv.mail.postfix.mysql.database} query = SELECT DISTINCT destination FROM forwardings_merge WHERE 
@@ -132,7 +132,7 @@ ''; scripts = lib.attrsets.mapAttrs (n: v: toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; }) - ) myconfig.env.mail.scripts; + ) config.myEnv.mail.scripts; in builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: ''${n}: "|${v}"'') scripts); mapFiles = let recipient_maps = let @@ -145,7 +145,7 @@ pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps; in lib.attrsets.filterAttrs (k: v: v != null) ( lib.attrsets.listToAttrs (lib.flatten ( - lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains + lib.attrsets.mapAttrsToList pairs config.myEnv.mail.postfix.backup_domains )) ); relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) ( @@ -155,7 +155,7 @@ then pkgs.writeText "recipient_access_${n}" v.relay_restrictions else null ) - ) myconfig.env.mail.postfix.backup_domains + ) config.myEnv.mail.postfix.backup_domains ); virtual_map = { virtual = pkgs.writeText "postfix-virtual" ( @@ -164,7 +164,7 @@ n: v: '' script_${n}@mail.immae.eu ${n}@localhost, scripts@mail.immae.eu '' - ) myconfig.env.mail.scripts + ) config.myEnv.mail.scripts ) ); }; @@ -183,7 +183,7 @@ ### Virtual mailboxes config virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}"; - virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains + virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains ++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map (zone: map (e: if e.receive 
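Review bot: `builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }` pins the remotely fetched script source by `rev`, which is what makes evaluating that code via `pkgs.callPackage` acceptable, but as far as I know `builtins.fetchGit` requires `rev` to be a full commit hash, while the new `scripts.<name>.src.rev` option in environment.nix is described only as "git reference to fetch"; a tag or branch name would fail here, and with `ref` hard-coded to `"master"` a commit reachable only from another branch cannot be fetched either. The option description could say `"Full commit hash to fetch (must be reachable from the master branch)"`, or `ref` could become part of `src` if that restriction is unintended.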
@@ -192,17 +192,17 @@ ) (zone.withEmail or []) ) - myconfig.env.dns.masterZones + config.myEnv.dns.masterZones ))); virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}"; dovecot_destination_recipient_limit = "1"; virtual_transport = "dovecot"; ### Relay domains - relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains); + relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) config.myEnv.mail.postfix.backup_domains); relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v: lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps - ) myconfig.env.mail.postfix.backup_domains); + ) config.myEnv.mail.postfix.backup_domains); smtpd_relay_restrictions = [ "permit_mynetworks" "permit_sasl_authenticated" @@ -211,7 +211,7 @@ if lib.attrsets.hasAttr "relay_restrictions" v then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ] else [] - ) myconfig.env.mail.postfix.backup_domains); + ) config.myEnv.mail.postfix.backup_domains); ### Additional smtpd configuration smtpd_tls_received_header = "yes"; @@ -222,8 +222,8 @@ smtp_tls_loglevel = "1"; ### Force ip bind for smtp - smtp_bind_address = myconfig.env.servers.eldiron.ips.main.ip4; - smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6; + smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4; + smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6; # #Unneeded if postfix can only send e-mail from "self" domains # #smtp_sasl_auth_enable = "yes"; diff --git a/modules/private/mail/rspamd.nix b/modules/private/mail/rspamd.nix index b5f64d8..4d55fc2 100644 --- a/modules/private/mail/rspamd.nix +++ b/modules/private/mail/rspamd.nix 
@@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: { options.myServices.mail.rspamd.sockets = lib.mkOption { type = lib.types.attrsOf lib.types.path; @@ -43,14 +43,14 @@ }; locals = { "redis.conf".text = '' - servers = "${myconfig.env.mail.rspamd.redis.socket}"; - db = "${myconfig.env.mail.rspamd.redis.db}"; + servers = "${config.myEnv.mail.rspamd.redis.socket}"; + db = "${config.myEnv.mail.rspamd.redis.db}"; ''; "classifier-bayes.conf".text = '' users_enabled = true; backend = "redis"; - servers = "${myconfig.env.mail.rspamd.redis.socket}"; - database = "${myconfig.env.mail.rspamd.redis.db}"; + servers = "${config.myEnv.mail.rspamd.redis.socket}"; + database = "${config.myEnv.mail.rspamd.redis.db}"; autolearn = true; cache { backend = "redis"; @@ -69,8 +69,8 @@ workers = { controller = { extraConfig = '' - enable_password = "${myconfig.env.mail.rspamd.write_password_hashed}"; - password = "${myconfig.env.mail.rspamd.read_password_hashed}"; + enable_password = "${config.myEnv.mail.rspamd.write_password_hashed}"; + password = "${config.myEnv.mail.rspamd.read_password_hashed}"; ''; bindSockets = [ { socket = config.myServices.mail.rspamd.sockets.worker-controller; diff --git a/modules/private/monitoring/default.nix b/modules/private/monitoring/default.nix index e44b127..d6c91ac 100644 --- a/modules/private/monitoring/default.nix +++ b/modules/private/monitoring/default.nix @@ -1,4 +1,4 @@ -{ config, myconfig, pkgs, lib, name, hostFQDN, ... }: +{ config, pkgs, lib, name, ... }: let myplugins = pkgs.runCommand "buildplugins" { buildInputs = [ pkgs.makeWrapper pkgs.perl ]; @@ -38,7 +38,7 @@ let }; }; commonObjects = pkgs.callPackage ./objects_common.nix ({ - inherit hostFQDN; + hostFQDN = config.hostEnv.FQDN; sudo = "/run/wrappers/bin/sudo"; } // builtins.getAttr name commonConfig); hostObjects = 
@@ -113,7 +113,7 @@ in enable = true; mode = "0644"; user = "root"; - text = "MAILADDR ${myconfig.env.monitoring.email}"; + text = "MAILADDR ${config.myEnv.monitoring.email}"; }; # needed since extraResource is not in the closure @@ -125,15 +125,15 @@ in use_syslog=1 log_initial_states=1 date_format=iso8601 - admin_email=${myconfig.env.monitoring.email} + admin_email=${config.myEnv.monitoring.email} obsess_over_services=1 ocsp_command=notify-master ''; extraResource = '' $USER2$=${myplugins} - $USER200$=${myconfig.env.monitoring.status_url} - $USER201$=${myconfig.env.monitoring.status_token} + $USER200$=${config.myEnv.monitoring.status_url} + $USER201$=${config.myEnv.monitoring.status_token} ''; objectDefs = toObjects commonObjects + toObjects hostObjects; }; diff --git a/modules/private/mpd.nix b/modules/private/mpd.nix index c7e2486..1e6e666 100644 --- a/modules/private/mpd.nix +++ b/modules/private/mpd.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: { options.myServices.mpd.enable = lib.mkEnableOption "enable MPD"; config = lib.mkIf config.myServices.mpd.enable { @@ -9,7 +9,7 @@ { dest = "mpd"; permissions = "0400"; - text = myconfig.env.mpd.password; + text = config.myEnv.mpd.password; } { dest = "mpd-config"; @@ -17,7 +17,7 @@ user = "mpd"; group = "mpd"; text = '' - password "${myconfig.env.mpd.password}@read,add,control,admin" + password "${config.myEnv.mpd.password}@read,add,control,admin" ''; } ]; @@ -32,7 +32,7 @@ services.mpd = { enable = true; network.listenAddress = "any"; - musicDirectory = myconfig.env.mpd.folder; + musicDirectory = config.myEnv.mpd.folder; extraConfig = '' include "/var/secrets/mpd-config" audio_output { diff --git a/modules/private/pub/default.nix b/modules/private/pub/default.nix index 835bcec..790395c 100644 --- a/modules/private/pub/default.nix +++ b/modules/private/pub/default.nix 
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
{
options = {
myServices.pub.enable = lib.mkOption {
@@ -43,7 +43,7 @@
createHome = true;
description = "Restricted shell user";
home = "/var/lib/pub";
- uid = myconfig.env.users.pub.uid;
+ uid = config.myEnv.users.pub.uid;
useDefaultShell = true;
packages = [
restrict
diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix
index d4c1ab3..1699104 100644
--- a/modules/private/ssh/default.nix
+++ b/modules/private/ssh/default.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.ssh;
in
@@ -56,7 +56,7 @@ in
user = "nobody";
group = "nogroup";
permissions = "0400";
- text = myconfig.env.sshd.ldap.password;
+ text = config.myEnv.sshd.ldap.password;
}];
system.activationScripts.sshd = {
deps = [ "secrets" ];
diff --git a/modules/private/system.nix b/modules/private/system.nix
index 1ddfd2e..c0291b0 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -1,4 +1,4 @@
-{ pkgs, privateFiles, lib, ... }:
+{ pkgs, lib, ... }:
{
config = {
services.duplyBackup.profiles.system = {
@@ -16,10 +16,6 @@
_module.args = {
pkgsNext = import {};
pkgsPrevious = import {};
- myconfig = {
- inherit privateFiles;
- env = import "${privateFiles}/environment.nix";
- };
};
services.journald.extraConfig = ''
diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix
index 5d692c6..84e52d5 100644
--- a/modules/private/system/backup-2.nix
+++ b/modules/private/system/backup-2.nix
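Review bot: The secret entry changed in the ssh hunk writes the LDAP bind password with `user = "nobody"; group = "nogroup";` (context lines just above `text = config.myEnv.sshd.ldap.password;`); `nobody` is shared by every unprivileged daemon that drops to it, so any of them can read the file despite `permissions = "0400"`. A dedicated user for whatever consumes this file (the sshd LDAP lookup, configured outside this hunk) would make the 0400 mode meaningful. This is pre-existing and not introduced by the rename.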
@@ -1,15 +1,16 @@ { privateFiles }: -{ config, pkgs, myconfig, resources, ... }: +{ config, pkgs, resources, ... }: { boot.kernelPackages = pkgs.linuxPackages_latest; - _module.args.privateFiles = privateFiles; - _module.args.hostFQDN = "backup-2.v.immae.eu"; + myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; + hostEnv.FQDN = "backup-2.v.immae.eu"; + imports = builtins.attrValues (import ../..); deployment = { targetEnv = "hetznerCloud"; hetznerCloud = { - authToken = myconfig.env.hetznerCloud.authToken; + authToken = config.myEnv.hetznerCloud.authToken; datacenter = "hel1-dc2"; location ="hel1"; serverType = "cx11"; @@ -27,10 +28,10 @@ firewall.enable = true; interfaces."ens3".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList (n: ips: { address = ips.ip4; prefixLength = 32; }) - (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") myconfig.env.servers.backup-2.ips); + (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.myEnv.servers.backup-2.ips); interfaces."ens3".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) - myconfig.env.servers.backup-2.ips); + config.myEnv.servers.backup-2.ips); defaultMailServer = { directDelivery = true; @@ -48,10 +49,10 @@ services.rsyncBackup = { mountpoint = "/backup2"; - mailto = myconfig.env.rsync_backup.mailto; - profiles = myconfig.env.rsync_backup.profiles; - ssh_key_public = myconfig.env.rsync_backup.ssh_key.public; - ssh_key_private = myconfig.env.rsync_backup.ssh_key.private; + mailto = config.myEnv.rsync_backup.mailto; + profiles = config.myEnv.rsync_backup.profiles; + ssh_key_public = config.myEnv.rsync_backup.ssh_key.public; + ssh_key_private = config.myEnv.rsync_backup.ssh_key.private; }; myServices.monitoring.enable = true; 
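Review bot: `myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };` interpolates `privateFiles` into a string; if `privateFiles` arrives through the `{ privateFiles }:` header as a Nix path value rather than a string, that coercion copies the whole secrets directory into the world-readable Nix store before the import runs. The code removed from `modules/private/system.nix` did the same, so this is not a regression, but the expression is now repeated per host (the same line appears in the `modules/private/system/eldiron.nix` hunk), so it is worth settling once: `myEnv = import (privateFiles + "/environment.nix") // { inherit privateFiles; };` keeps a path value out of the store, or a comment stating that `privateFiles` is expected to be a string would document why the interpolation is safe.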
@@ -62,7 +63,7 @@ hosts = { eldiron = { slot = "backup_2"; - connection = "postgresql://backup-2:${myconfig.env.ldap.backup-2.password}@eldiron.immae.eu"; + connection = "postgresql://backup-2:${config.myEnv.servers.backup-2.ldap.password}@eldiron.immae.eu"; }; }; }; @@ -73,12 +74,12 @@ eldiron = { serverId = 2; # mysql resolves "backup-2" host and checks the ip, but uses /etc/hosts which only contains ip4 - host = myconfig.env.servers.eldiron.ips.main.ip4; + host = config.myEnv.servers.eldiron.ips.main.ip4; port = "3306"; user = "backup-2"; - password = myconfig.env.ldap.backup-2.password; + password = config.myEnv.servers.backup-2.ldap.password; dumpUser = "root"; - dumpPassword = myconfig.env.databases.mysql.systemUsers.root; + dumpPassword = config.myEnv.databases.mysql.systemUsers.root; }; }; }; @@ -97,10 +98,10 @@ base = "/backup2"; hosts = { eldiron = { - url = "ldaps://${myconfig.env.ldap.host}:636"; - dn = myconfig.env.ldap.replication_dn; - password = myconfig.env.ldap.replication_pw; - base = myconfig.env.ldap.base; + url = "ldaps://${config.myEnv.ldap.host}:636"; + dn = config.myEnv.ldap.replication_dn; + password = config.myEnv.ldap.replication_pw; + base = config.myEnv.ldap.base; }; }; }; diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix index bf4cefb..172e4be 100644 --- a/modules/private/system/eldiron.nix +++ b/modules/private/system/eldiron.nix 
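Review bot: `connection = "postgresql://backup-2:${config.myEnv.servers.backup-2.ldap.password}@eldiron.immae.eu";` and `password = config.myEnv.servers.backup-2.ldap.password;` in the following hunk both reuse the host's LDAP bind password as the PostgreSQL and MySQL replication credential, so a leak from any one of the three services exposes the other two. Separate per-service secrets in the private environment file (a constructed example: a `servers.backup-2.postgresql.password` alongside the ldap one) would contain that, and would also sidestep the pre-existing issue that a password containing URL-reserved characters breaks the `postgresql://` URL unless it is percent-encoded. The sharing is not introduced by this commit, which only moves the value to a new option path.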
@@ -1,19 +1,19 @@ { privateFiles }: -{ config, pkgs, myconfig, ... }: +{ config, pkgs, ... }: { boot.kernelPackages = pkgs.linuxPackages_latest; - _module.args.privateFiles = privateFiles; - _module.args.hostFQDN = "eldiron.immae.eu"; + myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; + hostEnv.FQDN = "eldiron.immae.eu"; networking = { firewall.enable = true; # 176.9.151.89 declared in nixops -> infra / tools interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList (n: ips: { address = ips.ip4; prefixLength = 32; }) - (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") myconfig.env.servers.eldiron.ips); + (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.myEnv.servers.eldiron.ips); interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) - myconfig.env.servers.eldiron.ips); + config.myEnv.servers.eldiron.ips); }; imports = builtins.attrValues (import ../..); @@ -40,9 +40,9 @@ deployment = { targetEnv = "hetzner"; hetzner = { - robotUser = myconfig.env.hetzner.user; - robotPass = myconfig.env.hetzner.pass; - mainIPv4 = myconfig.env.servers.eldiron.ips.main.ip4; + robotUser = config.myEnv.hetzner.user; + robotPass = config.myEnv.hetzner.pass; + mainIPv4 = config.myEnv.servers.eldiron.ips.main.ip4; partitions = '' clearpart --all --initlabel --drives=sda,sdb diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index b345e5a..c4f065b 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix 
@@ -1,10 +1,10 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let cfg = config.myServices.tasks; server_vardir = config.services.taskserver.dataDir; fqdn = "task.immae.eu"; user = config.services.taskserver.user; - env = myconfig.env.tools.task; + env = config.myEnv.tools.task; group = config.services.taskserver.group; taskserver-user-certs = pkgs.runCommand "taskserver-user-certs" {} '' mkdir -p $out/bin @@ -107,7 +107,7 @@ in { SetEnv TASKD_LDAP_DN "${env.ldap.dn}" SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}" SetEnv TASKD_LDAP_BASE "${env.ldap.base}" - SetEnv TASKD_LDAP_FILTER "${env.ldap.search}" + SetEnv TASKD_LDAP_FILTER "${env.ldap.filter}" ''; }]; services.websites.env.tools.watchPaths = [ "/var/secrets/webapps/tools-taskwarrior-web" ]; diff --git a/modules/private/websites/aten/integration.nix b/modules/private/websites/aten/integration.nix index 7aadf58..7e12b38 100644 --- a/modules/private/websites/aten/integration.nix +++ b/modules/private/websites/aten/integration.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let - secrets = myconfig.env.websites.aten.integration; + secrets = config.myEnv.websites.aten.integration; app = pkgs.webapps.aten.override { environment = secrets.environment; }; cfg = config.myServices.websites.aten.integration; pcfg = config.services.phpApplication; 
@@ -39,10 +39,15 @@ in { user = config.services.httpd.Inte.user; group = config.services.httpd.Inte.group; permissions = "0400"; - text = '' + text = let + # cf: + # https://secure.php.net/manual/fr/function.parse-url.php + # vendor/doctrine/dbal/lib/Doctrine/DBAL/DriverManager.php#parseDatabaseUrlQuery + psql_url = with secrets.postgresql; "pdo-pgsql://${user}:${password}@invalid:${port}/${database}?host=${socket}"; + in '' SetEnv APP_ENV "${app.environment}" SetEnv APP_SECRET "${secrets.secret}" - SetEnv DATABASE_URL "${secrets.psql_url}" + SetEnv DATABASE_URL "${psql_url}" ''; }]; services.websites.env.integration.vhostConfs.aten_dev = { diff --git a/modules/private/websites/aten/production.nix b/modules/private/websites/aten/production.nix index 16a909a..1f72e61 100644 --- a/modules/private/websites/aten/production.nix +++ b/modules/private/websites/aten/production.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let - secrets = myconfig.env.websites.aten.production; + secrets = config.myEnv.websites.aten.production; app = pkgs.webapps.aten.override { environment = secrets.environment; }; cfg = config.myServices.websites.aten.production; pcfg = config.services.phpApplication; @@ -41,10 +41,15 @@ in { user = config.services.httpd.Prod.user; group = config.services.httpd.Prod.group; permissions = "0400"; - text = '' + text = let + # cf: + # https://secure.php.net/manual/fr/function.parse-url.php + # vendor/doctrine/dbal/lib/Doctrine/DBAL/DriverManager.php#parseDatabaseUrlQuery + psql_url = with secrets.postgresql; "pdo-pgsql://${user}:${password}@invalid:${port}/${database}?host=${socket}"; + in '' SetEnv APP_ENV "${app.environment}" SetEnv APP_SECRET "${secrets.secret}" - SetEnv DATABASE_URL "${secrets.psql_url}" + SetEnv DATABASE_URL "${psql_url}" ''; }]; services.websites.env.production.vhostConfs.aten_prod = { 
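Review bot: `psql_url = with secrets.postgresql; "pdo-pgsql://${user}:${password}@invalid:${port}/${database}?host=${socket}";` relies on `with` to supply `user` and `password`, and in Nix a `with` scope loses to any lexically bound name of the same spelling, so an enclosing `let` or function argument named `user` or `password` would be picked silently instead of the database credential. Qualifying the fields removes the ambiguity: `psql_url = let p = secrets.postgresql; in "pdo-pgsql://${p.user}:${p.password}@invalid:${p.port}/${p.database}?host=${p.socket}";`. The hunk shows `user = config.services.httpd.Inte.user;` as a sibling attribute; whether the surrounding set is `rec` or a `user` binding exists above is outside the hunk. The same construct appears in aten/production.nix on this line and in tools/mail/roundcubemail.nix and tools/mgoblin/default.nix.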
diff --git a/modules/private/websites/capitaines/production.nix b/modules/private/websites/capitaines/production.nix index 995e2cc..044ff1d 100644 --- a/modules/private/websites/capitaines/production.nix +++ b/modules/private/websites/capitaines/production.nix @@ -1,7 +1,7 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let cfg = config.myServices.websites.capitaines.production; - env = myconfig.env.websites.capitaines; + env = config.myEnv.websites.capitaines; webappName = "capitaines_mastodon"; root = "/run/current-system/webapps/${webappName}"; siteDir = ./mastodon_static; diff --git a/modules/private/websites/chloe/builder.nix b/modules/private/websites/chloe/builder.nix index f65e9a9..f21caeb 100644 --- a/modules/private/websites/chloe/builder.nix +++ b/modules/private/websites/chloe/builder.nix @@ -39,10 +39,10 @@ rec { SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}" SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}" - SetEnv SPIP_LDAP_SEARCH "${config.ldap.search}" + SetEnv SPIP_LDAP_SEARCH "${config.ldap.filter}" SetEnv SPIP_MYSQL_HOST "${config.mysql.host}" SetEnv SPIP_MYSQL_PORT "${config.mysql.port}" - SetEnv SPIP_MYSQL_DB "${config.mysql.name}" + SetEnv SPIP_MYSQL_DB "${config.mysql.database}" SetEnv SPIP_MYSQL_USER "${config.mysql.user}" SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}" ''; diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix index 00c76a5..273d1fc 100644 --- a/modules/private/websites/chloe/integration.nix +++ b/modules/private/websites/chloe/integration.nix 
@@ -1,8 +1,8 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let chloe = pkgs.callPackage ./builder.nix { inherit (pkgs.webapps) chloe; - config = myconfig.env.websites.chloe.integration; + config = config.myEnv.websites.chloe.integration; apacheUser = config.services.httpd.Inte.user; apacheGroup = config.services.httpd.Inte.group; }; diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix index 0562de8..3d267f2 100644 --- a/modules/private/websites/chloe/production.nix +++ b/modules/private/websites/chloe/production.nix @@ -1,8 +1,8 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let chloe = pkgs.callPackage ./builder.nix { inherit (pkgs.webapps) chloe; - config = myconfig.env.websites.chloe.production; + config = config.myEnv.websites.chloe.production; apacheUser = config.services.httpd.Prod.user; apacheGroup = config.services.httpd.Prod.group; }; diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix index 54dbf54..c0f7445 100644 --- a/modules/private/websites/connexionswing/integration.nix +++ b/modules/private/websites/connexionswing/integration.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let - secrets = myconfig.env.websites.connexionswing.integration; + secrets = config.myEnv.websites.connexionswing.integration; app = pkgs.webapps.connexionswing.override { environment = secrets.environment; }; cfg = config.myServices.websites.connexionswing.integration; pcfg = config.services.phpApplication; @@ -50,7 +50,7 @@ in { parameters: database_host: ${secrets.mysql.host} database_port: ${secrets.mysql.port} - database_name: ${secrets.mysql.name} + database_name: ${secrets.mysql.database} database_user: ${secrets.mysql.user} database_password: ${secrets.mysql.password} database_server_version: ${pkgs.mariadb.mysqlVersion} 
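Review bot: `config = config.myEnv.websites.chloe.integration;` gives the builder argument the same name as the module's `config`, in a set where `config.services.httpd.Inte.user` is read on the very next line; this is only correct because the set is not `rec`, and making it `rec` later would turn `config` into a self-reference. Naming the argument as the other `callPackage` sites in this commit do, `env = config.myEnv.websites.chloe.integration;`, avoids the trap at the cost of a matching rename in builder.nix. The chloe/production.nix hunk on this line has the same shape.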
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix index af37e29..fa31931 100644 --- a/modules/private/websites/connexionswing/production.nix +++ b/modules/private/websites/connexionswing/production.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let - secrets = myconfig.env.websites.connexionswing.production; + secrets = config.myEnv.websites.connexionswing.production; app = pkgs.webapps.connexionswing.override { environment = secrets.environment; }; cfg = config.myServices.websites.connexionswing.production; pcfg = config.services.phpApplication; @@ -52,7 +52,7 @@ in { parameters: database_host: ${secrets.mysql.host} database_port: ${secrets.mysql.port} - database_name: ${secrets.mysql.name} + database_name: ${secrets.mysql.database} database_user: ${secrets.mysql.user} database_password: ${secrets.mysql.password} database_server_version: ${pkgs.mariadb.mysqlVersion} diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix index 87fdd73..16f02a7 100644 --- a/modules/private/websites/default.nix +++ b/modules/private/websites/default.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let www_root = "/run/current-system/webapps/_www"; theme_root = "/run/current-system/webapps/_theme"; @@ -114,7 +114,7 @@ in AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu - AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}" + AuthLDAPBindPassword "${config.myEnv.httpd.ldap.password}" AuthType Basic AuthName "Authentification requise (Acces LDAP)" AuthBasicProvider ldap 
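Review bot: `AuthLDAPBindPassword "${config.myEnv.httpd.ldap.password}"` puts a bind password inline in httpd configuration text, and if that text is written into the generated httpd.conf it lands in the Nix store, readable by every local user. The other services touched by this commit keep credentials in files under `/var/secrets/...` with `permissions = "0400";` and reference them from there; an `Include` of such a file holding this directive would follow that pattern. Where this string is eventually written is outside the hunk, so confirm before changing.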
@@ -154,7 +154,7 @@ in adminAddr = "httpd@immae.eu"; httpdName = "Prod"; ips = - let ips = myconfig.env.servers.eldiron.ips.production; + let ips = config.myEnv.servers.eldiron.ips.production; in [ips.ip4] ++ (ips.ip6 or []); modules = makeModules; extraConfig = makeExtraConfig; @@ -171,7 +171,7 @@ in adminAddr = "httpd@immae.eu"; httpdName = "Inte"; ips = - let ips = myconfig.env.servers.eldiron.ips.integration; + let ips = config.myEnv.servers.eldiron.ips.integration; in [ips.ip4] ++ (ips.ip6 or []); modules = makeModules; extraConfig = makeExtraConfig; @@ -188,7 +188,7 @@ in adminAddr = "httpd@immae.eu"; httpdName = "Tools"; ips = - let ips = myconfig.env.servers.eldiron.ips.main; + let ips = config.myEnv.servers.eldiron.ips.main; in [ips.ip4] ++ (ips.ip6 or []); modules = makeModules; extraConfig = makeExtraConfig ++ diff --git a/modules/private/websites/denisejerome/production.nix b/modules/private/websites/denisejerome/production.nix index f93ad37..481df5b 100644 --- a/modules/private/websites/denisejerome/production.nix +++ b/modules/private/websites/denisejerome/production.nix @@ -1,8 +1,8 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let cfg = config.myServices.websites.denisejerome.production; varDir = "/var/lib/ftp/denisejerome"; - env = myconfig.env.websites.denisejerome; + env = config.myEnv.websites.denisejerome; in { options.myServices.websites.denisejerome.production.enable = lib.mkEnableOption "enable Denise Jerome's website"; diff --git a/modules/private/websites/emilia/production.nix b/modules/private/websites/emilia/production.nix index 5bf39c9..71b97dd 100644 --- a/modules/private/websites/emilia/production.nix +++ b/modules/private/websites/emilia/production.nix 
@@ -1,7 +1,7 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let cfg = config.myServices.websites.emilia.production; - env = myconfig.env.websites.emilia; + env = config.myEnv.websites.emilia; varDir = "/var/lib/moodle"; siteDir = ./moodle; webappName = "emilia_moodle"; diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix index e6e16fa..4e5f7d4 100644 --- a/modules/private/websites/florian/app.nix +++ b/modules/private/websites/florian/app.nix @@ -1,7 +1,7 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let adminer = pkgs.callPackage ../commons/adminer.nix {}; - secrets = myconfig.env.websites.tellesflorian.integration; + secrets = config.myEnv.websites.tellesflorian.integration; app = pkgs.webapps.tellesflorian.override { environment = secrets.environment; }; cfg = config.myServices.websites.florian.app; pcfg = config.services.phpApplication; @@ -58,7 +58,7 @@ in { parameters: database_host: ${secrets.mysql.host} database_port: ${secrets.mysql.port} - database_name: ${secrets.mysql.name} + database_name: ${secrets.mysql.database} database_user: ${secrets.mysql.user} database_password: ${secrets.mysql.password} mailer_transport: smtp diff --git a/modules/private/websites/florian/integration.nix b/modules/private/websites/florian/integration.nix index e444e69..00de761 100644 --- a/modules/private/websites/florian/integration.nix +++ b/modules/private/websites/florian/integration.nix @@ -1,9 +1,9 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let adminer = pkgs.callPackage ../commons/adminer.nix {}; cfg = config.myServices.websites.florian.integration; varDir = "/var/lib/ftp/florian"; - env = myconfig.env.websites.florian; + env = config.myEnv.websites.florian; in { options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration"; 
diff --git a/modules/private/websites/florian/production.nix b/modules/private/websites/florian/production.nix index 44a262e..8d3dfb0 100644 --- a/modules/private/websites/florian/production.nix +++ b/modules/private/websites/florian/production.nix @@ -1,9 +1,9 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let adminer = pkgs.callPackage ../commons/adminer.nix {}; cfg = config.myServices.websites.florian.production; varDir = "/var/lib/ftp/florian"; - env = myconfig.env.websites.florian; + env = config.myEnv.websites.florian; in { options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production"; diff --git a/modules/private/websites/immae/production.nix b/modules/private/websites/immae/production.nix index 3b2301a..12d6ddb 100644 --- a/modules/private/websites/immae/production.nix +++ b/modules/private/websites/immae/production.nix @@ -1,10 +1,10 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let cfg = config.myServices.websites.immae.production; varDir = "/var/lib/buildbot/outputs/immaeEu"; coursDir = "/var/lib/buildbot/outputs/cours"; rechercheDir = "/var/lib/buildbot/outputs/recherche"; - env = myconfig.env.websites.immae; + env = config.myEnv.websites.immae; in { options.myServices.websites.immae.production.enable = lib.mkEnableOption "enable Immae's website"; diff --git a/modules/private/websites/immae/release.nix b/modules/private/websites/immae/release.nix index 5cc35ee..a503c90 100644 --- a/modules/private/websites/immae/release.nix +++ b/modules/private/websites/immae/release.nix @@ -1,8 +1,8 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let cfg = config.myServices.websites.immae.release; varDir = "/var/lib/ftp/release.immae.eu"; - env = myconfig.env.websites.release; + env = config.myEnv.websites.release; in { options.myServices.websites.immae.release.enable = lib.mkEnableOption "enable Release' website"; 
diff --git a/modules/private/websites/immae/temp.nix b/modules/private/websites/immae/temp.nix index 288c8cc..b3b28cc 100644 --- a/modules/private/websites/immae/temp.nix +++ b/modules/private/websites/immae/temp.nix @@ -1,8 +1,8 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let cfg = config.myServices.websites.immae.temp; varDir = "/var/lib/ftp/temp.immae.eu"; - env = myconfig.env.websites.temp; + env = config.myEnv.websites.temp; in { options.myServices.websites.immae.temp.enable = lib.mkEnableOption "enable Temp' website"; diff --git a/modules/private/websites/ludivinecassal/integration.nix b/modules/private/websites/ludivinecassal/integration.nix index 5d9afc1..d6459b0 100644 --- a/modules/private/websites/ludivinecassal/integration.nix +++ b/modules/private/websites/ludivinecassal/integration.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let - secrets = myconfig.env.websites.ludivinecassal.integration; + secrets = config.myEnv.websites.ludivinecassal.integration; app = pkgs.webapps.ludivinecassal.override { environment = secrets.environment; }; cfg = config.myServices.websites.ludivinecassal.integration; pcfg = config.services.phpApplication; @@ -48,7 +48,7 @@ in { parameters: database_host: ${secrets.mysql.host} database_port: ${secrets.mysql.port} - database_name: ${secrets.mysql.name} + database_name: ${secrets.mysql.database} database_user: ${secrets.mysql.user} database_password: ${secrets.mysql.password} database_server_version: ${pkgs.mariadb.mysqlVersion} @@ -66,7 +66,7 @@ in { ldap_base_dn: 'dc=immae,dc=eu' ldap_search_dn: '${secrets.ldap.dn}' ldap_search_password: '${secrets.ldap.password}' - ldap_search_filter: '${secrets.ldap.search}' + ldap_search_filter: '${secrets.ldap.filter}' leapt_im: binary_path: ${pkgs.imagemagick}/bin assetic: 
diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivinecassal/production.nix index 1a8b958..c6f0cf3 100644 --- a/modules/private/websites/ludivinecassal/production.nix +++ b/modules/private/websites/ludivinecassal/production.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let - secrets = myconfig.env.websites.ludivinecassal.production; + secrets = config.myEnv.websites.ludivinecassal.production; app = pkgs.webapps.ludivinecassal.override { environment = secrets.environment; }; pcfg = config.services.phpApplication; cfg = config.myServices.websites.ludivinecassal.production; @@ -50,7 +50,7 @@ in { parameters: database_host: ${secrets.mysql.host} database_port: ${secrets.mysql.port} - database_name: ${secrets.mysql.name} + database_name: ${secrets.mysql.database} database_user: ${secrets.mysql.user} database_password: ${secrets.mysql.password} database_server_version: ${pkgs.mariadb.mysqlVersion} @@ -68,7 +68,7 @@ in { ldap_base_dn: 'dc=immae,dc=eu' ldap_search_dn: '${secrets.ldap.dn}' ldap_search_password: '${secrets.ldap.password}' - ldap_search_filter: '${secrets.ldap.search}' + ldap_search_filter: '${secrets.ldap.filter}' leapt_im: binary_path: ${pkgs.imagemagick}/bin assetic: diff --git a/modules/private/websites/nassime/production.nix b/modules/private/websites/nassime/production.nix index f2a4142..f9468f9 100644 --- a/modules/private/websites/nassime/production.nix +++ b/modules/private/websites/nassime/production.nix @@ -1,8 +1,8 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let cfg = config.myServices.websites.nassime.production; varDir = "/var/lib/ftp/nassime"; - env = myconfig.env.websites.nassime; + env = config.myEnv.websites.nassime; in { options.myServices.websites.nassime.production.enable = lib.mkEnableOption "enable Nassime's website"; 
diff --git a/modules/private/websites/naturaloutil/production.nix b/modules/private/websites/naturaloutil/production.nix index 93940d5..628e129 100644 --- a/modules/private/websites/naturaloutil/production.nix +++ b/modules/private/websites/naturaloutil/production.nix @@ -1,9 +1,9 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let adminer = pkgs.callPackage ../commons/adminer.nix {}; cfg = config.myServices.websites.naturaloutil.production; varDir = "/var/lib/ftp/jerome"; - env = myconfig.env.websites.jerome; + env = config.myEnv.websites.jerome; in { options.myServices.websites.naturaloutil.production.enable = lib.mkEnableOption "enable Naturaloutil's website"; @@ -21,7 +21,7 @@ in { '${env.redis.socket}', 'port' => 0, - 'dbindex' => ${env.redis.db_index}, + 'dbindex' => ${env.redis.db}, ), 'overwrite.cli.url' => 'https://cloud.immae.eu', 'ldapIgnoreNamingRules' => false, diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix index 98cebee..2a02f5e 100644 --- a/modules/private/websites/tools/dav/davical.nix +++ b/modules/private/websites/tools/dav/davical.nix 
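Review bot: `'dbindex' => ${env.redis.db},` interpolates `env.redis.db` directly, while the peertube hunk in this commit wraps its port in `toString`; if the new `myEnv` option declares `redis.db` as an integer this interpolation fails at evaluation with a coercion error, and if it declares a string the `toString` elsewhere is redundant. Pick one representation in the option declaration and use `${toString env.redis.db}` wherever the type is numeric. The same direct interpolation appears in tools/diaspora/default.nix (`${env.redis.port}` and `${env.redis.db}` in the redis URL), tools/mgoblin/default.nix (`${db}` in `redis_url`) and tools/peertube/default.nix (`db: ${env.redis.db}`). The option types live in environment.nix, outside this chunk.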
@@ -32,16 +32,16 @@ rec { $c->authenticate_hook['optional'] = false; $c->authenticate_hook['call'] = 'LDAP_check'; $c->authenticate_hook['config'] = array( - 'host' => 'ldap.immae.eu', + 'host' => '${env.ldap.host}', 'port' => '389', 'startTLS' => 'yes', - 'bindDN'=> 'cn=davical,ou=services,dc=immae,dc=eu', + 'bindDN'=> '${env.ldap.dn}', 'passDN'=> '${env.ldap.password}', 'protocolVersion' => '3', - 'baseDNUsers'=> array('ou=users,dc=immae,dc=eu', 'ou=group_users,dc=immae,dc=eu'), - 'filterUsers' => 'memberOf=cn=users,cn=davical,ou=services,dc=immae,dc=eu', - 'baseDNGroups' => 'ou=groups,dc=immae,dc=eu', - 'filterGroups' => 'memberOf=cn=groups,cn=davical,ou=services,dc=immae,dc=eu', + 'baseDNUsers'=> array('ou=users,${env.ldap.base}', 'ou=group_users,${env.ldap.base}'), + 'filterUsers' => '${env.ldap.filter}', + 'baseDNGroups' => 'ou=groups,${env.ldap.base}', + 'filterGroups' => 'memberOf=cn=groups,${env.ldap.dn}', 'mapping_field' => array( "username" => "uid", "fullname" => "cn", diff --git a/modules/private/websites/tools/dav/default.nix b/modules/private/websites/tools/dav/default.nix index 5a0f470..d30c04a 100644 --- a/modules/private/websites/tools/dav/default.nix +++ b/modules/private/websites/tools/dav/default.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let infcloud = rec { webappName = "tools_infcloud"; @@ -16,7 +16,7 @@ let ''; }; davical = pkgs.callPackage ./davical.nix { - env = myconfig.env.tools.davical; + env = config.myEnv.tools.davical; inherit (pkgs.webapps) davical awl; }; diff --git a/modules/private/websites/tools/diaspora/default.nix b/modules/private/websites/tools/diaspora/default.nix index 20ae055..4fe4115 100644 --- a/modules/private/websites/tools/diaspora/default.nix +++ b/modules/private/websites/tools/diaspora/default.nix 
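Review bot: `'filterGroups' => 'memberOf=cn=groups,${env.ldap.dn}',` derives the group filter from the bind DN, so changing the bind account later silently changes which groups authorise access, while `filterUsers` right above it reads a dedicated `${env.ldap.filter}` and etherpad in this commit gets a dedicated `env.ldap.group_filter`. A matching `'filterGroups' => '${env.ldap.group_filter}',` keeps the group filter independent of the account used to bind. Whether a `group_filter` option exists for davical in environment.nix is not visible here.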
@@ -1,6 +1,6 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let - env = myconfig.env.tools.diaspora; + env = config.myEnv.tools.diaspora; root = "/run/current-system/webapps/tools_diaspora"; cfg = config.myServices.websites.tools.diaspora; dcfg = config.services.diaspora; @@ -26,7 +26,7 @@ in { environment: url: "https://diaspora.immae.eu/" certificate_authorities: '${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt' - redis: '${env.redis_url}' + redis: 'redis://${env.redis.host}:${env.redis.port}/${env.redis.db}' sidekiq: s3: assets: @@ -79,16 +79,16 @@ in { inbound: ldap: enable: true - host: ldap.immae.eu + host: ${env.ldap.host} port: 636 only_ldap: true mail_attribute: mail skip_email_confirmation: true use_bind_dn: true - bind_dn: "cn=diaspora,ou=services,dc=immae,dc=eu" + bind_dn: "${env.ldap.dn}" bind_pw: "${env.ldap.password}" - search_base: "dc=immae,dc=eu" - search_filter: "(&(memberOf=cn=users,cn=diaspora,ou=services,dc=immae,dc=eu)(uid=%{username}))" + search_base: "${env.ldap.base}" + search_filter: "${env.ldap.filter}" production: environment: development: diff --git a/modules/private/websites/tools/ether/default.nix b/modules/private/websites/tools/ether/default.nix index 62a1691..1c56ed7 100644 --- a/modules/private/websites/tools/ether/default.nix +++ b/modules/private/websites/tools/ether/default.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let - env = myconfig.env.tools.etherpad-lite; + env = config.myEnv.tools.etherpad-lite; cfg = config.myServices.websites.tools.etherpad-lite; # Make sure we’re not rebuilding whole libreoffice just because of a # dependency 
@@ -89,15 +89,15 @@ in { "ldapauth": { "url": "ldaps://${env.ldap.host}", "accountBase": "${env.ldap.base}", - "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", + "accountPattern": "${env.ldap.filter}", "displayNameAttribute": "cn", - "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", + "searchDN": "${env.ldap.dn}", "searchPWD": "${env.ldap.password}", "groupSearchBase": "${env.ldap.base}", "groupAttribute": "member", "groupAttributeIsDN": true, "searchScope": "sub", - "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", + "groupSearch": "${env.ldap.group_filter}", "anonymousReadonly": false } }, @@ -155,7 +155,7 @@ in { RewriteEngine On - RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}" + RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" config.myEnv.tools.etherpad-lite.redirects}" RewriteCond %{QUERY_STRING} "!noredirect" RewriteCond %{REQUEST_URI} "^(.*)$" RewriteCond ''${redirects:$1|Unknown} "!Unknown" diff --git a/modules/private/websites/tools/git/default.nix b/modules/private/websites/tools/git/default.nix index d66d151..a5f525b 100644 --- a/modules/private/websites/tools/git/default.nix +++ b/modules/private/websites/tools/git/default.nix @@ -1,8 +1,8 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let mantisbt = pkgs.callPackage ./mantisbt.nix { inherit (pkgs.webapps) mantisbt_2 mantisbt_2-plugins; - env = myconfig.env.tools.mantisbt; + env = config.myEnv.tools.mantisbt; }; gitweb = pkgs.callPackage ./gitweb.nix { gitoliteDir = config.myServices.gitolite.gitoliteDir; diff --git a/modules/private/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix index a1b830e..d0d7a98 100644 --- a/modules/private/websites/tools/git/mantisbt.nix +++ b/modules/private/websites/tools/git/mantisbt.nix 
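Review bot: `"accountPattern": "${env.ldap.filter}",` and the other new interpolations in this block insert raw strings into quoted JSON literals, so a filter containing `"` or `\` (LDAP filters escape bytes as `\xx`) produces unparseable settings; `"accountPattern": ${builtins.toJSON env.ldap.filter},` emits a correctly quoted literal, and the same applies to `searchDN` and `groupSearch`. The PHP single-quoted equivalents in tools/git/mantisbt.nix (`$g_ldap_organization = '${env.ldap.filter}';`) and tools/tools/kanboard.nix have the same exposure to a `'` or `\` in the value. Separately, in the RewriteMap hunk, `config.myEnv.tools.etherpad-lite.redirects` can be written `env.redirects`, since this file's first hunk already binds `env = config.myEnv.tools.etherpad-lite;`.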
@@ -35,15 +35,15 @@ rec { # --- LDAP --- $g_login_method = LDAP; $g_ldap_protocol_version = 3; - $g_ldap_server = 'ldaps://ldap.immae.eu:636'; - $g_ldap_root_dn = 'ou=users,dc=immae,dc=eu'; - $g_ldap_bind_dn = 'cn=mantisbt,ou=services,dc=immae,dc=eu'; + $g_ldap_server = 'ldaps://${env.ldap.host}:636'; + $g_ldap_root_dn = 'ou=users,${env.ldap.base}'; + $g_ldap_bind_dn = '${env.ldap.dn}'; $g_ldap_bind_passwd = '${env.ldap.password}'; $g_use_ldap_email = ON; $g_use_ldap_realname = ON; $g_ldap_uid_field = 'uid'; $g_ldap_realname_field = 'cn'; - $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)'; + $g_ldap_organization = '${env.ldap.filter}'; ''; }]; webRoot = (mantisbt_2.override { mantis_config = "/var/secrets/webapps/tools-mantisbt"; }).withPlugins (builtins.attrValues mantisbt_2-plugins); diff --git a/modules/private/websites/tools/mail/default.nix b/modules/private/websites/tools/mail/default.nix index 218c3a5..6342694 100644 --- a/modules/private/websites/tools/mail/default.nix +++ b/modules/private/websites/tools/mail/default.nix @@ -1,8 +1,8 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let roundcubemail = pkgs.callPackage ./roundcubemail.nix { inherit (pkgs.webapps) roundcubemail roundcubemail-plugins roundcubemail-skins; - env = myconfig.env.tools.roundcubemail; + env = config.myEnv.tools.roundcubemail; }; rainloop = pkgs.callPackage ./rainloop.nix {}; cfg = config.myServices.websites.tools.email; diff --git a/modules/private/websites/tools/mail/mta-sts.nix b/modules/private/websites/tools/mail/mta-sts.nix index d443f55..a401b41 100644 --- a/modules/private/websites/tools/mail/mta-sts.nix +++ b/modules/private/websites/tools/mail/mta-sts.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let domains = (lib.remove null (lib.flatten (map (zone: map 
@@ -11,7 +11,7 @@ let ) (zone.withEmail or []) ) - myconfig.env.dns.masterZones + config.myEnv.dns.masterZones ))); # FIXME: increase the id number in modules/private/dns.nix when this # file change (date -u +'%Y%m%d%H%M%S'Z) diff --git a/modules/private/websites/tools/mail/roundcubemail.nix b/modules/private/websites/tools/mail/roundcubemail.nix index 8bb60d6..35de312 100644 --- a/modules/private/websites/tools/mail/roundcubemail.nix +++ b/modules/private/websites/tools/mail/roundcubemail.nix @@ -14,9 +14,12 @@ rec { user = apache.user; group = apache.group; permissions = "0400"; - text = '' + text = + let + psql_url = with env.postgresql; "pgsql://${user}:${password}@unix(${socket}:${port})/${database}"; + in '' "mail.immae.eu" diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix index 97f2452..80d7431 100644 --- a/modules/private/websites/tools/mastodon/default.nix +++ b/modules/private/websites/tools/mastodon/default.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let - env = myconfig.env.tools.mastodon; + env = config.myEnv.tools.mastodon; root = "/run/current-system/webapps/tools_mastodon"; cfg = config.myServices.websites.tools.mastodon; mcfg = config.services.mastodon; @@ -50,14 +50,14 @@ in { # LDAP authentication (optional) LDAP_ENABLED=true - LDAP_HOST=ldap.immae.eu + LDAP_HOST=${env.ldap.host} LDAP_PORT=636 LDAP_METHOD=simple_tls - LDAP_BASE="dc=immae,dc=eu" - LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu" + LDAP_BASE="${env.ldap.base}" + LDAP_BIND_DN="${env.ldap.dn}" LDAP_PASSWORD="${env.ldap.password}" LDAP_UID="uid" - LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))" + LDAP_SEARCH_FILTER="${env.ldap.filter}" ''; }]; services.mastodon = { diff --git a/modules/private/websites/tools/mgoblin/default.nix b/modules/private/websites/tools/mgoblin/default.nix index aeae893..5224a0d 100644 
--- a/modules/private/websites/tools/mgoblin/default.nix +++ b/modules/private/websites/tools/mgoblin/default.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let - env = myconfig.env.tools.mediagoblin; + env = config.myEnv.tools.mediagoblin; cfg = config.myServices.websites.tools.mediagoblin; mcfg = config.services.mediagoblin; in { @@ -17,7 +17,12 @@ in { user = "mediagoblin"; group = "mediagoblin"; permissions = "0400"; - text = '' + text = + let + psql_url = with env.postgresql; "postgresql://${user}:${password}@:${port}/${database}?host=${socket}"; + redis_url = with env.redis; "redis+socket://${socket}?virtual_host=${db}"; + in + '' [DEFAULT] data_basedir = "${mcfg.dataDir}" @@ -26,7 +31,7 @@ in { email_sender_address = "mediagoblin@tools.immae.eu" #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db - sql_engine = ${env.psql_url} + sql_engine = ${psql_url} email_debug_mode = false allow_registration = false @@ -52,19 +57,19 @@ in { base_url = /mgoblin_media/ [celery] - CELERY_RESULT_DBURI = ${env.redis_url} - BROKER_URL = ${env.redis_url} + CELERY_RESULT_DBURI = ${redis_url} + BROKER_URL = ${redis_url} CELERYD_CONCURRENCY = 1 [plugins] [[mediagoblin.plugins.geolocation]] [[mediagoblin.plugins.ldap]] [[[immae.eu]]] - LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636' - LDAP_SEARCH_BASE = 'dc=immae,dc=eu' - LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu' + LDAP_SERVER_URI = 'ldaps://${env.ldap.host}:636' + LDAP_SEARCH_BASE = '${env.ldap.base}' + LDAP_BIND_DN = '${env.ldap.dn}' LDAP_BIND_PW = '${env.ldap.password}' - LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))' + LDAP_SEARCH_FILTER = '${env.ldap.filter}' EMAIL_SEARCH_FIELD = 'mail' [[mediagoblin.plugins.basicsearch]] [[mediagoblin.plugins.piwigo]] diff --git a/modules/private/websites/tools/peertube/default.nix b/modules/private/websites/tools/peertube/default.nix index 6739641..0bacfd1 100644 
--- a/modules/private/websites/tools/peertube/default.nix +++ b/modules/private/websites/tools/peertube/default.nix @@ -1,6 +1,6 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let - env = myconfig.env.tools.peertube; + env = config.myEnv.tools.peertube; cfg = config.myServices.websites.tools.peertube; pcfg = config.services.peertube; in { @@ -27,7 +27,7 @@ in { text = '' listen: hostname: 'localhost' - port: ${env.listenPort} + port: ${toString config.myEnv.ports.peertube} webserver: https: true hostname: 'peertube.immae.eu' @@ -45,7 +45,7 @@ in { redis: socket: '${env.redis.socket}' auth: null - db: ${env.redis.db_index} + db: ${env.redis.db} ldap: enable: true ldap_only: false @@ -171,13 +171,13 @@ in { RewriteCond %{REQUEST_URI} ^/socket.io [NC] RewriteCond %{QUERY_STRING} transport=websocket [NC] - RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L] + RewriteRule /(.*) ws://localhost:${toString env.listenPort}/$1 [P,NE,QSA,L] RewriteCond %{REQUEST_URI} ^/tracker/socket [NC] - RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L] + RewriteRule /(.*) ws://localhost:${toString env.listenPort}/$1 [P,NE,QSA,L] - ProxyPass / http://localhost:${env.listenPort}/ - ProxyPassReverse / http://localhost:${env.listenPort}/ + ProxyPass / http://localhost:${toString env.listenPort}/ + ProxyPassReverse / http://localhost:${toString env.listenPort}/ ProxyPreserveHost On RequestHeader set X-Real-IP %{REMOTE_ADDR}s diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix index 3cf3e8e..5a0c196 100644 --- a/modules/private/websites/tools/tools/default.nix +++ b/modules/private/websites/tools/tools/default.nix 
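Review bot: `port: ${toString config.myEnv.ports.peertube}` and the proxy lines `ws://localhost:${toString env.listenPort}/$1` and `http://localhost:${toString env.listenPort}/` read the listening port from two different options, so if `ports.peertube` and `tools.peertube.listenPort` ever diverge the reverse proxy forwards to a port peertube is not listening on. Use one source for both, for example `port: ${toString env.listenPort}`, or switch the proxy lines to `config.myEnv.ports.peertube` if that is meant to be canonical. Whether the two options are tied together in environment.nix is not visible here.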
@@ -1,39 +1,39 @@
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
 let
 adminer = pkgs.callPackage ./adminer.nix {
 inherit (pkgs.webapps) adminer;
 };
 ympd = pkgs.callPackage ./ympd.nix {
- env = myconfig.env.tools.ympd;
+ env = config.myEnv.tools.ympd;
 };
 ttrss = pkgs.callPackage ./ttrss.nix {
 inherit (pkgs.webapps) ttrss ttrss-plugins;
- env = myconfig.env.tools.ttrss;
+ env = config.myEnv.tools.ttrss;
 };
 kanboard = pkgs.callPackage ./kanboard.nix {
- env = myconfig.env.tools.kanboard;
+ env = config.myEnv.tools.kanboard;
 };
 wallabag = pkgs.callPackage ./wallabag.nix {
 inherit (pkgs.webapps) wallabag;
- env = myconfig.env.tools.wallabag;
+ env = config.myEnv.tools.wallabag;
 };
 yourls = pkgs.callPackage ./yourls.nix {
 inherit (pkgs.webapps) yourls yourls-plugins;
- env = myconfig.env.tools.yourls;
+ env = config.myEnv.tools.yourls;
 };
 rompr = pkgs.callPackage ./rompr.nix {
 inherit (pkgs.webapps) rompr;
- env = myconfig.env.tools.rompr;
+ env = config.myEnv.tools.rompr;
 };
 shaarli = pkgs.callPackage ./shaarli.nix {
- env = myconfig.env.tools.shaarli;
+ env = config.myEnv.tools.shaarli;
 };
 dokuwiki = pkgs.callPackage ./dokuwiki.nix {
 inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
 };
 ldap = pkgs.callPackage ./ldap.nix {
 inherit (pkgs.webapps) phpldapadmin;
- env = myconfig.env.tools.phpldapadmin;
+ env = config.myEnv.tools.phpldapadmin;
 };
 cfg = config.myServices.websites.tools.tools;
diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix
index 68c3a10..36a949c 100644
--- a/modules/private/websites/tools/tools/kanboard.nix
+++ b/modules/private/websites/tools/tools/kanboard.nix
@@ -37,8 +37,8 @@ rec {
 define('LDAP_USERNAME', '${env.ldap.dn}');
 define('LDAP_PASSWORD', '${env.ldap.password}');
 define('LDAP_USER_BASE_DN', '${env.ldap.base}');
- define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
- define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
+ define('LDAP_USER_FILTER', '${env.ldap.filter}');
+ define('LDAP_GROUP_ADMIN_DN', '${env.ldap.admin_dn}');
 ?>
 '';
 }];
diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix
index 28041ba..0f1ae7b 100644
--- a/modules/private/websites/tools/tools/shaarli.nix
+++ b/modules/private/websites/tools/tools/shaarli.nix
@@ -42,7 +42,7 @@ in rec {
 SetEnv SHAARLI_LDAP_DN "${env.ldap.dn}"
 SetEnv SHAARLI_LDAP_HOST "ldaps://${env.ldap.host}"
 SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}"
- SetEnv SHAARLI_LDAP_FILTER "${env.ldap.search}"
+ SetEnv SHAARLI_LDAP_FILTER "${env.ldap.filter}"
 '';
 }];
 phpFpm = rec {
diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix
index 598cc3a..4a9b8ca 100644
--- a/modules/private/websites/tools/tools/ttrss.nix
+++ b/modules/private/websites/tools/tools/ttrss.nix
@@ -73,14 +73,14 @@ rec {
 define('SMTP_FROM_ADDRESS', 'ttrss@tools.immae.eu');
 define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');
- define('LDAP_AUTH_SERVER_URI', 'ldap://ldap.immae.eu:389/');
+ define('LDAP_AUTH_SERVER_URI', 'ldap://${env.ldap.host}:389/');
 define('LDAP_AUTH_USETLS', TRUE);
 define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE);
- define('LDAP_AUTH_BASEDN', 'dc=immae,dc=eu');
+ define('LDAP_AUTH_BASEDN', '${env.ldap.base}');
 define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
- define('LDAP_AUTH_SEARCHFILTER', '(&(memberOf=cn=users,cn=ttrss,ou=services,dc=immae,dc=eu)(|(cn=???)(uid=???)(&(uid:dn:=???)(ou=ttrss))))');
+ define('LDAP_AUTH_SEARCHFILTER', '${env.ldap.filter}');
- define('LDAP_AUTH_BINDDN', 'cn=ttrss,ou=services,dc=immae,dc=eu');
+ define('LDAP_AUTH_BINDDN', '${env.ldap.dn}');
 define('LDAP_AUTH_BINDPW', '${env.ldap.password}');
 define('LDAP_AUTH_LOGIN_ATTRIB', 'immaeTtrssLogin');
diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix
index 8572d64..2d152b2 100644
--- a/modules/private/websites/tools/tools/wallabag.nix
+++ b/modules/private/websites/tools/tools/wallabag.nix
@@ -48,16 +48,16 @@ rec {
 redis_password: null
 sites_credentials: { }
 ldap_enabled: true
- ldap_host: ldap.immae.eu
+ ldap_host: ${env.ldap.host}
 ldap_port: 636
 ldap_tls: false
 ldap_ssl: true
 ldap_bind_requires_dn: true
- ldap_base: 'dc=immae,dc=eu'
- ldap_manager_dn: 'cn=wallabag,ou=services,dc=immae,dc=eu'
+ ldap_base: '${env.ldap.base}'
+ ldap_manager_dn: '${env.ldap.dn}'
 ldap_manager_pw: ${env.ldap.password}
- ldap_filter: '(&(memberOf=cn=users,cn=wallabag,ou=services,dc=immae,dc=eu))'
- ldap_admin_filter: '(&(memberOf=cn=admins,cn=wallabag,ou=services,dc=immae,dc=eu)(uid=%s))'
+ ldap_filter: '${env.ldap.filter}'
+ ldap_admin_filter: '${env.ldap.admin_filter}'
 ldap_username_attribute: uid
 ldap_email_attribute: mail
 ldap_name_attribute: cn
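Review bot: With the directory host now parameterised as `'ldap://${env.ldap.host}:389/'`, ttrss stays the only tool in this commit that reaches the directory over plain LDAP with `LDAP_AUTH_USETLS` and `LDAP_AUTH_ALLOW_UNTRUSTED_CERT` both TRUE, so the STARTTLS upgrade accepts any certificate and the service bind password in `LDAP_AUTH_BINDPW`, plus every user's login credentials, are only as protected as the network path to the server. The mgoblin, shaarli, yourls and wallabag hunks all use `ldaps://` on 636 with ordinary certificate verification; if the server certificate chains to the system trust store, `'ldaps://${env.ldap.host}:636/'` together with `LDAP_AUTH_ALLOW_UNTRUSTED_CERT` set to FALSE would bring ttrss in line with them. If the relaxed setting is deliberate, a comment on that line stating why would save the next reader the same question. The `define(...)` block continues outside the hunk.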
diff --git a/modules/private/websites/tools/tools/ympd.nix b/modules/private/websites/tools/tools/ympd.nix
index b54c486..72d45d4 100644
--- a/modules/private/websites/tools/tools/ympd.nix
+++ b/modules/private/websites/tools/tools/ympd.nix
@@ -2,7 +2,7 @@ let
 ympd = rec {
 config = {
- webPort = "localhost:${env.listenPort}";
+ webPort = "localhost:${toString env.listenPort}";
 host = env.mpd.host;
 port = env.mpd.port;
 };
diff --git a/modules/private/websites/tools/tools/yourls.nix b/modules/private/websites/tools/tools/yourls.nix
index 0a8e837..6280e78 100644
--- a/modules/private/websites/tools/tools/yourls.nix
+++ b/modules/private/websites/tools/tools/yourls.nix
@@ -28,10 +28,10 @@ rec {
 define( 'YOURLS_DEBUG', false );
 define( 'YOURLS_URL_CONVERT', 36 );
 $yourls_reserved_URL = array();
- define( 'LDAPAUTH_HOST', 'ldaps://ldap.immae.eu' );
+ define( 'LDAPAUTH_HOST', 'ldaps://${env.ldap.host}' );
 define( 'LDAPAUTH_PORT', '636' );
- define( 'LDAPAUTH_BASE', 'dc=immae,dc=eu' );
- define( 'LDAPAUTH_SEARCH_USER', 'cn=yourls,ou=services,dc=immae,dc=eu' );
+ define( 'LDAPAUTH_BASE', '${env.ldap.base}' );
+ define( 'LDAPAUTH_SEARCH_USER', '${env.ldap.dn}' );
 define( 'LDAPAUTH_SEARCH_PASS', '${env.ldap.password}' );
 define( 'LDAPAUTH_GROUP_ATTR', 'memberof' );
diff --git a/modules/rsync_backup/default.nix b/modules/rsync_backup/default.nix
index 05177c8..dadf5e7 100644
--- a/modules/rsync_backup/default.nix
+++ b/modules/rsync_backup/default.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
 let
 partModule = lib.types.submodule {
 options = {
--
2.41.0
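Review bot: `webPort` gains a `toString` around `env.listenPort`, but `port = env.mpd.port;` two lines below is passed through unchanged; if the mpd port is an integer option like the listen port appears to be, and ympd.nix interpolates it into a string further down (outside this hunk), it will hit the same coercion error this hunk fixes for `webPort`. Either `port = toString env.mpd.port;` here, or a check that the consumer really accepts an integer, would settle it. The enclosing `ympd = rec { ... }` continues outside the hunk.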