From ce7d09efb55888501b73f9e763811deac762aed2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 13 Jun 2020 23:14:49 +0200
Subject: [PATCH] Remove gitolite password from nix store
---
modules/private/gitolite/default.nix | 11 ++++++++++-
modules/private/gitolite/gitolite_ldap_groups.sh | 2 +-
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix
index 1549c94..e8ccc7d 100644
--- a/modules/private/gitolite/default.nix
+++ b/modules/private/gitolite/default.nix
@@ -20,6 +20,14 @@ in {
 };
 networking.firewall.allowedTCPPorts = [ 9418 ];
+ secrets.keys = [{
+ dest = "gitolite/ldap_password";
+ user = "gitolite";
+ group = "gitolite";
+ permissions = "0400";
+ text = config.myEnv.tools.gitolite.ldap.password;
+ }];
 services.gitDaemon = {
 enable = true;
 user = "gitolite";
@@ -34,7 +42,7 @@ in {
 } ''
 makeWrapper "${./gitolite_ldap_groups.sh}" "$out" \
 --prefix PATH : ${lib.makeBinPath deps} \
- --set LDAP_PASS ${pkgs.lib.escapeShellArg config.myEnv.tools.gitolite.ldap.password}
+ --set LDAP_PASS_PATH ${config.secrets.fullPaths."gitolite/ldap_password"}
 '';
 in {
 deps = [ "users" ];
@@ -50,6 +58,7 @@ in {
 };
 users.users.wwwrun.extraGroups = [ "gitolite" ];
+ users.users.gitolite.extraGroups = [ "keys" ];
 users.users.gitolite.packages = let
 python-packages = python-packages: with python-packages; [
diff --git a/modules/private/gitolite/gitolite_ldap_groups.sh b/modules/private/gitolite/gitolite_ldap_groups.sh
index 7db0da4..3d7117e 100755
--- a/modules/private/gitolite/gitolite_ldap_groups.sh
+++ b/modules/private/gitolite/gitolite_ldap_groups.sh
@@ -3,7 +3,7 @@ uid_param="$1"
 ldap_host="ldap.immae.eu"
 ldap_binddn="cn=gitolite,ou=services,dc=immae,dc=eu"
-ldap_bindpw="$LDAP_PASS"
+ldap_bindpw="$(cat $LDAP_PASS_PATH)"
 ldap_searchbase="dc=immae,dc=eu"
 ldap_scope="subtree"
--
2.41.0
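Review bot: The new `--set LDAP_PASS_PATH` line in the second default.nix hunk interpolates the secret path into the wrapper without the `escapeShellArg` that the removed `--set LDAP_PASS` line used, so the wrapper only stays well-formed as long as `config.secrets.fullPaths."gitolite/ldap_password"` never contains whitespace or shell metacharacters. Keeping the quoting, `--set LDAP_PASS_PATH ${pkgs.lib.escapeShellArg config.secrets.fullPaths."gitolite/ldap_password"}`, costs nothing and makes the two `--set` arguments consistent across the change. The let-binding that builds this wrapper starts before the hunk, so I cannot see whether the path is constrained elsewhere.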
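Review bot: The `"keys"` entry added to `users.users.gitolite.extraGroups` in the third default.nix hunk has no comment tying it to the secret declared earlier in the file, which is confusing because that file is declared owner `gitolite`, group `gitolite`, mode `0400` and so needs no extra group to be readable. If the membership is there to let the gitolite user traverse the directory that `secrets.fullPaths` points into, a one-line comment such as `# "keys" membership is needed to reach the gitolite/ldap_password secret file` would spare the next reader the guess; if it is for something else, the comment should say what.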
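Review bot: `ldap_bindpw="$(cat $LDAP_PASS_PATH)"` leaves `$LDAP_PASS_PATH` unquoted and discards cat's exit status, so an unset variable or an unreadable secret file silently yields an empty `ldap_bindpw` and the script carries on to bind with an empty password instead of failing, whereas the old `$LDAP_PASS` form at least could not fail at read time. Quote the path and fail early: `ldap_bindpw="$(cat "$LDAP_PASS_PATH")" || exit 1`, and add `[ -n "$ldap_bindpw" ] || exit 1` so a blank secret file is also treated as an error rather than as an anonymous-style bind. What the empty bind would actually return depends on how `ldap_bindpw` is consumed, which lies after the hunk.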