authorIsmaël Bouya <ismael.bouya@normalesup.org>2021-10-16 17:40:07 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2021-10-16 20:20:45 +0200
commit4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0 (patch)
tree9a7ede9ac3f1899074e9ef568a447f883191d3b5
parentda30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2 (diff)
Use attrs for secrets instead of lists
-rw-r--r--flakes/private/openarc/flake.lock2
-rw-r--r--flakes/private/opendmarc/flake.lock2
-rw-r--r--flakes/private/opendmarc/flake.nix9
-rw-r--r--flakes/secrets/flake.nix49
-rw-r--r--modules/duply_backup/default.nix19
-rw-r--r--modules/naemon/default.nix9
-rw-r--r--modules/private/buildbot/default.nix36
-rw-r--r--modules/private/databases/mariadb.nix19
-rw-r--r--modules/private/databases/mariadb_replication.nix24
-rw-r--r--modules/private/databases/openldap/default.nix19
-rw-r--r--modules/private/databases/openldap_replication.nix14
-rw-r--r--modules/private/databases/postgresql.nix14
-rw-r--r--modules/private/databases/postgresql_replication.nix19
-rw-r--r--modules/private/databases/redis.nix14
-rw-r--r--modules/private/databases/redis_replication.nix14
-rw-r--r--modules/private/dns.nix5
-rw-r--r--modules/private/ejabberd/default.nix14
-rw-r--r--modules/private/ftp.nix5
-rw-r--r--modules/private/gitolite/default.nix5
-rw-r--r--modules/private/mail/dovecot.nix45
-rw-r--r--modules/private/mail/milters.nix19
-rw-r--r--modules/private/mail/opensmtpd.nix19
-rw-r--r--modules/private/mail/postfix.nix42
-rw-r--r--modules/private/mail/relay.nix24
-rw-r--r--modules/private/mail/sympa.nix17
-rw-r--r--modules/private/monitoring/default.nix13
-rw-r--r--modules/private/monitoring/status.nix19
-rw-r--r--modules/private/monitoring/status_engine.nix5
-rw-r--r--modules/private/mpd.nix14
-rw-r--r--modules/private/ssh/default.nix5
-rw-r--r--modules/private/system/backup-2.nix14
-rw-r--r--modules/private/system/eldiron.nix14
-rw-r--r--modules/private/system/monitoring-1.nix9
-rw-r--r--modules/private/system/quatresaisons.nix14
-rw-r--r--modules/private/system/quatresaisons/databases.nix14
-rw-r--r--modules/private/tasks/default.nix10
-rw-r--r--modules/private/vpn/default.nix14
-rw-r--r--modules/private/websites/chloe/integration.nix43
-rw-r--r--modules/private/websites/chloe/production.nix43
-rw-r--r--modules/private/websites/connexionswing/integration.nix47
-rw-r--r--modules/private/websites/connexionswing/production.nix55
-rw-r--r--modules/private/websites/default.nix5
-rw-r--r--modules/private/websites/florian/app.nix14
-rw-r--r--modules/private/websites/immae/temp.nix33
-rw-r--r--modules/private/websites/isabelle/aten_integration.nix5
-rw-r--r--modules/private/websites/isabelle/aten_production.nix5
-rw-r--r--modules/private/websites/isabelle/iridologie.nix43
-rw-r--r--modules/private/websites/jerome/naturaloutil.nix5
-rw-r--r--modules/private/websites/ludivine/integration.nix73
-rw-r--r--modules/private/websites/ludivine/production.nix73
-rw-r--r--modules/private/websites/piedsjaloux/integration.nix49
-rw-r--r--modules/private/websites/piedsjaloux/production.nix49
-rw-r--r--modules/private/websites/richie/production.nix5
-rw-r--r--modules/private/websites/syden/peertube.nix5
-rw-r--r--modules/private/websites/tools/cloud/default.nix5
-rw-r--r--modules/private/websites/tools/commento/default.nix11
-rw-r--r--modules/private/websites/tools/dav/davical.nix5
-rw-r--r--modules/private/websites/tools/diaspora/default.nix24
-rw-r--r--modules/private/websites/tools/ether/default.nix19
-rw-r--r--modules/private/websites/tools/git/mantisbt.nix5
-rw-r--r--modules/private/websites/tools/mail/roundcubemail.nix5
-rw-r--r--modules/private/websites/tools/mastodon/default.nix5
-rw-r--r--modules/private/websites/tools/mgoblin/default.nix5
-rw-r--r--modules/private/websites/tools/peertube/default.nix5
-rw-r--r--modules/private/websites/tools/performance/default.nix9
-rw-r--r--modules/private/websites/tools/stats/default.nix9
-rw-r--r--modules/private/websites/tools/tools/csp_reports.nix5
-rw-r--r--modules/private/websites/tools/tools/default.nix16
-rw-r--r--modules/private/websites/tools/tools/dmarc_reports.nix5
-rw-r--r--modules/private/websites/tools/tools/kanboard.nix5
-rw-r--r--modules/private/websites/tools/tools/ldap.nix5
-rw-r--r--modules/private/websites/tools/tools/shaarli.nix5
-rw-r--r--modules/private/websites/tools/tools/ttrss.nix5
-rw-r--r--modules/private/websites/tools/tools/wallabag.nix5
-rw-r--r--modules/private/websites/tools/tools/webhooks.nix19
-rw-r--r--modules/private/websites/tools/tools/yourls.nix5
-rw-r--r--modules/zrepl.nix9
77 files changed, 617 insertions, 729 deletions
diff --git a/flakes/private/openarc/flake.lock b/flakes/private/openarc/flake.lock
index 744d002..be75993 100644
--- a/flakes/private/openarc/flake.lock
+++ b/flakes/private/openarc/flake.lock
@@ -146,7 +146,7 @@
146 }, 146 },
147 "secrets": { 147 "secrets": {
148 "locked": { 148 "locked": {
149 "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=", 149 "narHash": "sha256-w3u1bMEJHCg9SqErJ5Qi0sTX2xx7mk+HrHZXzpjQd1w=",
150 "path": "../../secrets", 150 "path": "../../secrets",
151 "type": "path" 151 "type": "path"
152 }, 152 },
diff --git a/flakes/private/opendmarc/flake.lock b/flakes/private/opendmarc/flake.lock
index bd5019c..f40e1a9 100644
--- a/flakes/private/opendmarc/flake.lock
+++ b/flakes/private/opendmarc/flake.lock
@@ -129,7 +129,7 @@
129 }, 129 },
130 "secrets": { 130 "secrets": {
131 "locked": { 131 "locked": {
132 "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=", 132 "narHash": "sha256-w3u1bMEJHCg9SqErJ5Qi0sTX2xx7mk+HrHZXzpjQd1w=",
133 "path": "../../secrets", 133 "path": "../../secrets",
134 "type": "path" 134 "type": "path"
135 }, 135 },
diff --git a/flakes/private/opendmarc/flake.nix b/flakes/private/opendmarc/flake.nix
index 2b73070..e2575e7 100644
--- a/flakes/private/opendmarc/flake.nix
+++ b/flakes/private/opendmarc/flake.nix
@@ -53,9 +53,8 @@
53 config.secrets.fullPaths."opendmarc/ignore.hosts" 53 config.secrets.fullPaths."opendmarc/ignore.hosts"
54 ]; 54 ];
55 }; 55 };
56 secrets.keys = [ 56 secrets.keys = {
57 { 57 "opendmarc/ignore.hosts" = {
58 dest = "opendmarc/ignore.hosts";
59 user = config.services.opendmarc.user; 58 user = config.services.opendmarc.user;
60 group = config.services.opendmarc.group; 59 group = config.services.opendmarc.group;
61 permissions = "0400"; 60 permissions = "0400";
@@ -67,8 +66,8 @@
67 builtins.concatStringsSep "\n" ([ 66 builtins.concatStringsSep "\n" ([
68 config.myEnv.mail.dmarc.ignore_hosts 67 config.myEnv.mail.dmarc.ignore_hosts
69 ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes); 68 ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
70 } 69 };
71 ]; 70 };
72 }; 71 };
73 }; 72 };
74 in 73 in
diff --git a/flakes/secrets/flake.nix b/flakes/secrets/flake.nix
index 0ee6a40..ef74a30 100644
--- a/flakes/secrets/flake.nix
+++ b/flakes/secrets/flake.nix
@@ -5,9 +5,42 @@
5 nixosModule = { config, lib, pkgs, ... }: { 5 nixosModule = { config, lib, pkgs, ... }: {
6 options.secrets = with lib; { 6 options.secrets = with lib; {
7 keys = mkOption { 7 keys = mkOption {
8 type = types.listOf types.unspecified; 8 type = types.attrsOf (types.submodule {
9 default = []; 9 options = {
10 description = "Keys to upload to server"; 10 isTemplated = mkOption {
11 type = types.bool;
12 default = true;
13 description = "If the file is a gucci template that needs to be resolved";
14 };
15 isDir = mkOption {
16 type = types.bool;
17 default = false;
18 description = "If the entry is a directory";
19 };
20 group = mkOption {
21 type = types.str;
22 default = "root";
23 description = "Group to associate to the entry";
24 };
25 user = mkOption {
26 type = types.str;
27 default = "root";
28 description = "User to associate to the entry";
29 };
30 permissions = mkOption {
31 type = types.str;
32 default = "0600";
33 description = "Permissions to associate to the entry";
34 };
35 text = mkOption {
36 type = types.str;
37 description = "Content of the entry";
38 };
39 };
40 });
41 default = {};
42 description = "Keys attrs to upload to the server";
43 apply = lib.mapAttrsToList (dest: v: v // { inherit dest; });
11 }; 44 };
12 gpgKeys = mkOption { 45 gpgKeys = mkOption {
13 type = types.listOf types.path; 46 type = types.listOf types.path;
@@ -52,20 +85,20 @@
52 location = config.secrets.location; 85 location = config.secrets.location;
53 keys = config.secrets.keys; 86 keys = config.secrets.keys;
54 empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; 87 empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
55 fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}"; 88 fpath = v: "secrets/${v.dest}${lib.optionalString v.isTemplated ".gucci.tpl"}";
56 dumpKey = v: 89 dumpKey = v:
57 if v.isDir or false then 90 if v.isDir then
58 '' 91 ''
59 mkdir -p secrets/${v.dest} 92 mkdir -p secrets/${v.dest}
60 cat >> mods <<EOF 93 cat >> mods <<EOF
61 ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest} 94 ${v.user} ${v.group} ${v.permissions} secrets/${v.dest}
62 EOF 95 EOF
63 '' 96 ''
64 else '' 97 else ''
65 mkdir -p secrets/$(dirname ${v.dest}) 98 mkdir -p secrets/$(dirname ${v.dest})
66 echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v} 99 echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v}
67 cat >> mods <<EOF 100 cat >> mods <<EOF
68 ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v} 101 ${v.user} ${v.group} ${v.permissions} ${fpath v}
69 EOF 102 EOF
70 ''; 103 '';
71 secrets = pkgs.runCommand "secrets.tar.enc" { 104 secrets = pkgs.runCommand "secrets.tar.enc" {
@@ -88,7 +121,7 @@
88 ''; 121 '';
89 pathChmodExcl = 122 pathChmodExcl =
90 let 123 let
91 dirs = builtins.filter (v: v.isDir or false) keys; 124 dirs = builtins.filter (v: v.isDir) keys;
92 exclPath = builtins.concatStringsSep " -o " (map (d: " -path $TMP/${d.dest}") dirs); 125 exclPath = builtins.concatStringsSep " -o " (map (d: " -path $TMP/${d.dest}") dirs);
93 in 126 in
94 lib.optionalString (builtins.length dirs > 0) " -not \\( ${exclPath} \\) "; 127 lib.optionalString (builtins.length dirs > 0) " -not \\( ${exclPath} \\) ";
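Review bot: `permissions`, `user` and `group` in the new submodule (new lines 20–34) are plain `types.str`, so a malformed mode such as `"600"` or a value containing whitespace passes evaluation and only surfaces when the whitespace-separated `mods` line `${v.user} ${v.group} ${v.permissions} …` (new lines 94 and 101) is consumed; `type = types.strMatching "[0-7]{4}";` for `permissions` would reject that at eval time. The attribute name now becomes `dest` (new line 43) and is interpolated unquoted into shell in `mkdir -p secrets/${v.dest}` and `mkdir -p secrets/$(dirname ${v.dest})` (new lines 92 and 98), so a key containing spaces or `..` is not rejected either; an assertion in `apply` would be the natural place to check it now that keys are attribute names. `text` has no default, so an `isDir = true` entry without `text` only evaluates because `dumpKey` never forces it; giving `text` a `default = ""` would document that contract rather than rely on laziness.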
diff --git a/modules/duply_backup/default.nix b/modules/duply_backup/default.nix
index 7034a91..846b1d4 100644
--- a/modules/duply_backup/default.nix
+++ b/modules/duply_backup/default.nix
@@ -75,24 +75,21 @@ in
75 system.activationScripts.backup = '' 75 system.activationScripts.backup = ''
76 install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches 76 install -m 0700 -o root -g root -d ${varDir} ${varDir}/caches
77 ''; 77 '';
78 secrets.keys = lib.flatten (lib.mapAttrsToList (k: v: 78 secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (k: v:
79 map (remote: [ 79 map (remote: [
80 { 80 (lib.nameValuePair "backup/${varName k remote}/conf" {
81 permissions = "0400"; 81 permissions = "0400";
82 dest = "backup/${varName k remote}/conf";
83 text = duplyProfile v remote "${k}/"; 82 text = duplyProfile v remote "${k}/";
84 } 83 })
85 { 84 (lib.nameValuePair "backup/${varName k remote}/exclude" {
86 permissions = "0400"; 85 permissions = "0400";
87 dest = "backup/${varName k remote}/exclude";
88 text = v.excludeFile; 86 text = v.excludeFile;
89 } 87 })
90 { 88 (lib.nameValuePair "backup/${varName k remote}" {
91 permissions = "0500"; 89 permissions = "0500";
92 dest = "backup/${varName k remote}";
93 isDir = true; 90 isDir = true;
94 } 91 })
95 ]) v.remotes) config.services.duplyBackup.profiles); 92 ]) v.remotes) config.services.duplyBackup.profiles));
96 93
97 services.cron = { 94 services.cron = {
98 enable = true; 95 enable = true;
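Review bot: Wrapping the flattened list in `lib.listToAttrs` (new line 78) changes the failure mode when two entries resolve to the same name: `builtins.listToAttrs` keeps the first occurrence and silently discards the rest, whereas the old list form emitted both entries. The names here are derived from `varName k remote`, so a collision between two profiles or remotes would now drop a `conf` or `exclude` secret without any evaluation error; if uniqueness is an invariant, an assertion comparing the flattened list length with the resulting attribute count would make it fail loudly. The same pattern is introduced in modules/private/buildbot/default.nix, modules/private/databases/mariadb_replication.nix, modules/private/databases/openldap_replication.nix and modules/private/databases/postgresql_replication.nix.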
diff --git a/modules/naemon/default.nix b/modules/naemon/default.nix
index 976de69..60a75b3 100644
--- a/modules/naemon/default.nix
+++ b/modules/naemon/default.nix
@@ -124,9 +124,8 @@ in
124 124
125 125
126 config = mkIf cfg.enable { 126 config = mkIf cfg.enable {
127 secrets.keys = [ 127 secrets.keys = {
128 { 128 "naemon/resources.cfg" = {
129 dest = "naemon/resources.cfg";
130 user = cfg.user; 129 user = cfg.user;
131 group = cfg.group; 130 group = cfg.group;
132 permissions = "0400"; 131 permissions = "0400";
@@ -134,8 +133,8 @@ in
134 $USER1$=${pkgs.monitoring-plugins}/libexec 133 $USER1$=${pkgs.monitoring-plugins}/libexec
135 ${cfg.extraResource} 134 ${cfg.extraResource}
136 ''; 135 '';
137 } 136 };
138 ]; 137 };
139 138
140 users.users = optionalAttrs (cfg.user == "naemon") { 139 users.users = optionalAttrs (cfg.user == "naemon") {
141 naemon = { 140 naemon = {
diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix
index 903f453..dc8a0d2 100644
--- a/modules/private/buildbot/default.nix
+++ b/modules/private/buildbot/default.nix
@@ -76,33 +76,30 @@ in
76 ''; 76 '';
77 }) config.myEnv.buildbot.projects; 77 }) config.myEnv.buildbot.projects;
78 78
79 secrets.keys = ( 79 secrets.keys = lib.listToAttrs (
80 lib.lists.flatten ( 80 lib.lists.flatten (
81 lib.attrsets.mapAttrsToList (k: project: 81 lib.attrsets.mapAttrsToList (k: project:
82 lib.attrsets.mapAttrsToList (k: v: 82 lib.attrsets.mapAttrsToList (k: v:
83 { 83 (lib.nameValuePair "buildbot/${project.name}/${k}" {
84 permissions = "0600"; 84 permissions = "0600";
85 user = "buildbot"; 85 user = "buildbot";
86 group = "buildbot"; 86 group = "buildbot";
87 text = v; 87 text = v;
88 dest = "buildbot/${project.name}/${k}"; 88 })
89 }
90 ) project.secrets 89 ) project.secrets
91 ++ [ 90 ++ [
92 { 91 (lib.nameValuePair "buildbot/${project.name}/webhook-httpd-include" {
93 permissions = "0600"; 92 permissions = "0600";
94 user = "wwwrun"; 93 user = "wwwrun";
95 group = "wwwrun"; 94 group = "wwwrun";
96 text = lib.optionalString (project.webhookTokens != null) '' 95 text = lib.optionalString (project.webhookTokens != null) ''
97 Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }" 96 Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }"
98 ''; 97 '';
99 dest = "buildbot/${project.name}/webhook-httpd-include"; 98 })
100 } 99 (lib.nameValuePair "buildbot/${project.name}/environment_file" {
101 {
102 permissions = "0600"; 100 permissions = "0600";
103 user = "buildbot"; 101 user = "buildbot";
104 group = "buildbot"; 102 group = "buildbot";
105 dest = "buildbot/${project.name}/environment_file";
106 text = let 103 text = let
107 project_env = with lib.attrsets; 104 project_env = with lib.attrsets;
108 mapAttrs' (k: v: nameValuePair "BUILDBOT_${k}" v) project.environment // 105 mapAttrs' (k: v: nameValuePair "BUILDBOT_${k}" v) project.environment //
@@ -115,33 +112,30 @@ in
115 }; 112 };
116 in builtins.concatStringsSep "\n" 113 in builtins.concatStringsSep "\n"
117 (lib.mapAttrsToList (envK: envV: "${envK}=${envV}") project_env); 114 (lib.mapAttrsToList (envK: envV: "${envK}=${envV}") project_env);
118 } 115 })
119 ] 116 ]
120 ) config.myEnv.buildbot.projects 117 ) config.myEnv.buildbot.projects
121 ) 118 )
122 ) ++ [ 119 ) // {
123 { 120 "buildbot/ldap" = {
124 permissions = "0600"; 121 permissions = "0600";
125 user = "buildbot"; 122 user = "buildbot";
126 group = "buildbot"; 123 group = "buildbot";
127 text = config.myEnv.buildbot.ldap.password; 124 text = config.myEnv.buildbot.ldap.password;
128 dest = "buildbot/ldap"; 125 };
129 } 126 "buildbot/worker_password" = {
130 {
131 permissions = "0600"; 127 permissions = "0600";
132 user = "buildbot"; 128 user = "buildbot";
133 group = "buildbot"; 129 group = "buildbot";
134 text = config.myEnv.buildbot.workerPassword; 130 text = config.myEnv.buildbot.workerPassword;
135 dest = "buildbot/worker_password"; 131 };
136 } 132 "buildbot/ssh_key" = {
137 {
138 permissions = "0600"; 133 permissions = "0600";
139 user = "buildbot"; 134 user = "buildbot";
140 group = "buildbot"; 135 group = "buildbot";
141 text = config.myEnv.buildbot.ssh_key.private; 136 text = config.myEnv.buildbot.ssh_key.private;
142 dest = "buildbot/ssh_key"; 137 };
143 } 138 };
144 ];
145 139
146 services.filesWatcher = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { 140 services.filesWatcher = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
147 restart = true; 141 restart = true;
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index 75ea747..101eb3f 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -121,9 +121,8 @@ in {
121 ''; 121 '';
122 }; 122 };
123 123
124 secrets.keys = [ 124 secrets.keys = {
125 { 125 "mysql/mysqldump" = {
126 dest = "mysql/mysqldump";
127 permissions = "0400"; 126 permissions = "0400";
128 user = "root"; 127 user = "root";
129 group = "root"; 128 group = "root";
@@ -132,9 +131,8 @@ in {
132 user = root 131 user = root
133 password = ${cfg.credentials.root} 132 password = ${cfg.credentials.root}
134 ''; 133 '';
135 } 134 };
136 { 135 "mysql/pam" = {
137 dest = "mysql/pam";
138 permissions = "0400"; 136 permissions = "0400";
139 user = "mysql"; 137 user = "mysql";
140 group = "mysql"; 138 group = "mysql";
@@ -146,9 +144,8 @@ in {
146 pam_filter ${filter} 144 pam_filter ${filter}
147 ssl start_tls 145 ssl start_tls
148 ''; 146 '';
149 } 147 };
150 { 148 "mysql/pam_replication" = {
151 dest = "mysql/pam_replication";
152 permissions = "0400"; 149 permissions = "0400";
153 user = "mysql"; 150 user = "mysql";
154 group = "mysql"; 151 group = "mysql";
@@ -160,8 +157,8 @@ in {
160 pam_login_attribute cn 157 pam_login_attribute cn
161 ssl start_tls 158 ssl start_tls
162 ''; 159 '';
163 } 160 };
164 ]; 161 };
165 162
166 security.pam.services = let 163 security.pam.services = let
167 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; 164 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
diff --git a/modules/private/databases/mariadb_replication.nix b/modules/private/databases/mariadb_replication.nix
index e857c41..68e6f7f 100644
--- a/modules/private/databases/mariadb_replication.nix
+++ b/modules/private/databases/mariadb_replication.nix
@@ -81,9 +81,8 @@ in
81 }; 81 };
82 users.groups.mysql.gid = config.ids.gids.mysql; 82 users.groups.mysql.gid = config.ids.gids.mysql;
83 83
84 secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ 84 secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
85 { 85 (lib.nameValuePair "mysql_replication/${name}/slave_init_commands" {
86 dest = "mysql_replication/${name}/slave_init_commands";
87 user = "mysql"; 86 user = "mysql";
88 group = "mysql"; 87 group = "mysql";
89 permissions = "0400"; 88 permissions = "0400";
@@ -91,9 +90,8 @@ in
91 CHANGE MASTER TO master_host="${hcfg.host}", master_port=${hcfg.port}, master_user="${hcfg.user}", master_password="${hcfg.password}", master_ssl=1, master_use_gtid=slave_pos; 90 CHANGE MASTER TO master_host="${hcfg.host}", master_port=${hcfg.port}, master_user="${hcfg.user}", master_password="${hcfg.password}", master_ssl=1, master_use_gtid=slave_pos;
92 START SLAVE; 91 START SLAVE;
93 ''; 92 '';
94 } 93 })
95 { 94 (lib.nameValuePair "mysql_replication/${name}/mysqldump_remote" {
96 dest = "mysql_replication/${name}/mysqldump_remote";
97 permissions = "0400"; 95 permissions = "0400";
98 user = "root"; 96 user = "root";
99 group = "root"; 97 group = "root";
@@ -102,9 +100,8 @@ in
102 user = ${hcfg.user} 100 user = ${hcfg.user}
103 password = ${hcfg.password} 101 password = ${hcfg.password}
104 ''; 102 '';
105 } 103 })
106 { 104 (lib.nameValuePair "mysql_replication/${name}/mysqldump" {
107 dest = "mysql_replication/${name}/mysqldump";
108 permissions = "0400"; 105 permissions = "0400";
109 user = "root"; 106 user = "root";
110 group = "root"; 107 group = "root";
@@ -113,9 +110,8 @@ in
113 user = ${hcfg.dumpUser} 110 user = ${hcfg.dumpUser}
114 password = ${hcfg.dumpPassword} 111 password = ${hcfg.dumpPassword}
115 ''; 112 '';
116 } 113 })
117 { 114 (lib.nameValuePair "mysql_replication/${name}/client" {
118 dest = "mysql_replication/${name}/client";
119 permissions = "0400"; 115 permissions = "0400";
120 user = "mysql"; 116 user = "mysql";
121 group = "mysql"; 117 group = "mysql";
@@ -124,8 +120,8 @@ in
124 user = ${hcfg.dumpUser} 120 user = ${hcfg.dumpUser}
125 password = ${hcfg.dumpPassword} 121 password = ${hcfg.dumpPassword}
126 ''; 122 '';
127 } 123 })
128 ]) cfg.hosts); 124 ]) cfg.hosts));
129 125
130 services.cron = { 126 services.cron = {
131 enable = true; 127 enable = true;
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
index f4851b5..d35aca0 100644
--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -85,29 +85,26 @@ in
85 }; 85 };
86 86
87 config = lib.mkIf cfg.enable { 87 config = lib.mkIf cfg.enable {
88 secrets.keys = [ 88 secrets.keys = {
89 { 89 "ldap/password" = {
90 dest = "ldap/password";
91 permissions = "0400"; 90 permissions = "0400";
92 user = "openldap"; 91 user = "openldap";
93 group = "openldap"; 92 group = "openldap";
94 text = "rootpw ${cfg.rootPw}"; 93 text = "rootpw ${cfg.rootPw}";
95 } 94 };
96 { 95 "ldap/access" = {
97 dest = "ldap/access";
98 permissions = "0400"; 96 permissions = "0400";
99 user = "openldap"; 97 user = "openldap";
100 group = "openldap"; 98 group = "openldap";
101 text = builtins.readFile cfg.accessFile; 99 text = builtins.readFile cfg.accessFile;
102 } 100 };
103 { 101 "ldap" = {
104 dest = "ldap";
105 permissions = "0500"; 102 permissions = "0500";
106 user = "openldap"; 103 user = "openldap";
107 group = "openldap"; 104 group = "openldap";
108 isDir = true; 105 isDir = true;
109 } 106 };
110 ]; 107 };
111 users.users.openldap.extraGroups = [ "keys" ]; 108 users.users.openldap.extraGroups = [ "keys" ];
112 networking.firewall.allowedTCPPorts = [ 636 389 ]; 109 networking.firewall.allowedTCPPorts = [ 636 389 ];
113 110
diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix
index 350eecf..b456323 100644
--- a/modules/private/databases/openldap_replication.nix
+++ b/modules/private/databases/openldap_replication.nix
@@ -87,9 +87,8 @@ in
87 }; 87 };
88 users.groups.openldap.gid = config.ids.gids.openldap; 88 users.groups.openldap.gid = config.ids.gids.openldap;
89 89
90 secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ 90 secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
91 { 91 (lib.nameValuePair "openldap_replication/${name}/replication_config" {
92 dest = "openldap_replication/${name}/replication_config";
93 user = "openldap"; 92 user = "openldap";
94 group = "openldap"; 93 group = "openldap";
95 permissions = "0400"; 94 permissions = "0400";
@@ -105,15 +104,14 @@ in
105 binddn="${hcfg.dn}" 104 binddn="${hcfg.dn}"
106 credentials="${hcfg.password}" 105 credentials="${hcfg.password}"
107 ''; 106 '';
108 } 107 })
109 { 108 (lib.nameValuePair "openldap_replication/${name}/replication_password" {
110 dest = "openldap_replication/${name}/replication_password";
111 user = "openldap"; 109 user = "openldap";
112 group = "openldap"; 110 group = "openldap";
113 permissions = "0400"; 111 permissions = "0400";
114 text = hcfg.password; 112 text = hcfg.password;
115 } 113 })
116 ]) cfg.hosts); 114 ]) cfg.hosts));
117 115
118 services.cron = { 116 services.cron = {
119 enable = true; 117 enable = true;
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix
index e73bf69..a6c4cc9 100644
--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -178,9 +178,8 @@ in {
178 ''; 178 '';
179 }; 179 };
180 180
181 secrets.keys = [ 181 secrets.keys = {
182 { 182 "postgresql/pam" = {
183 dest = "postgresql/pam";
184 permissions = "0400"; 183 permissions = "0400";
185 group = "postgres"; 184 group = "postgres";
186 user = "postgres"; 185 user = "postgres";
@@ -192,9 +191,8 @@ in {
192 pam_filter ${filter} 191 pam_filter ${filter}
193 ssl start_tls 192 ssl start_tls
194 ''; 193 '';
195 } 194 };
196 { 195 "postgresql/pam_replication" = {
197 dest = "postgresql/pam_replication";
198 permissions = "0400"; 196 permissions = "0400";
199 group = "postgres"; 197 group = "postgres";
200 user = "postgres"; 198 user = "postgres";
@@ -206,8 +204,8 @@ in {
206 pam_login_attribute cn 204 pam_login_attribute cn
207 ssl start_tls 205 ssl start_tls
208 ''; 206 '';
209 } 207 };
210 ]; 208 };
211 209
212 security.pam.services = let 210 security.pam.services = let
213 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; 211 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
diff --git a/modules/private/databases/postgresql_replication.nix b/modules/private/databases/postgresql_replication.nix
index b103b8c..135bbed 100644
--- a/modules/private/databases/postgresql_replication.nix
+++ b/modules/private/databases/postgresql_replication.nix
@@ -62,9 +62,8 @@ in
62 users.groups.postgres.gid = config.ids.gids.postgres; 62 users.groups.postgres.gid = config.ids.gids.postgres;
63 environment.systemPackages = [ cfg.mainPackage ]; 63 environment.systemPackages = [ cfg.mainPackage ];
64 64
65 secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ 65 secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
66 { 66 (lib.nameValuePair "postgresql_replication/${name}/recovery.conf" {
67 dest = "postgresql_replication/${name}/recovery.conf";
68 user = "postgres"; 67 user = "postgres";
69 group = "postgres"; 68 group = "postgres";
70 permissions = "0400"; 69 permissions = "0400";
@@ -73,16 +72,14 @@ in
73 primary_conninfo = '${hcfg.connection}?sslmode=require' 72 primary_conninfo = '${hcfg.connection}?sslmode=require'
74 primary_slot_name = '${hcfg.slot}' 73 primary_slot_name = '${hcfg.slot}'
75 ''; 74 '';
76 } 75 })
77 { 76 (lib.nameValuePair "postgresql_replication/${name}/connection_string" {
78 dest = "postgresql_replication/${name}/connection_string";
79 user = "postgres"; 77 user = "postgres";
80 group = "postgres"; 78 group = "postgres";
81 permissions = "0400"; 79 permissions = "0400";
82 text = hcfg.connection; 80 text = hcfg.connection;
83 } 81 })
84 { 82 (lib.nameValuePair "postgresql_replication/${name}/postgresql.conf" {
85 dest = "postgresql_replication/${name}/postgresql.conf";
86 user = "postgres"; 83 user = "postgres";
87 group = "postgres"; 84 group = "postgres";
88 permissions = "0400"; 85 permissions = "0400";
@@ -94,8 +91,8 @@ in
94 data_directory = '${dataDir}' 91 data_directory = '${dataDir}'
95 wal_level = logical 92 wal_level = logical
96 ''; 93 '';
97 } 94 })
98 ]) cfg.hosts); 95 ]) cfg.hosts));
99 96
100 services.cron = { 97 services.cron = {
101 enable = true; 98 enable = true;
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix
index 5c5b8b0..685fa46 100644
--- a/modules/private/databases/redis.nix
+++ b/modules/private/databases/redis.nix
@@ -74,9 +74,8 @@ in {
74 }; 74 };
75 75
76 networking.firewall.allowedTCPPorts = [ 7617 16379 ]; 76 networking.firewall.allowedTCPPorts = [ 7617 16379 ];
77 secrets.keys = [ 77 secrets.keys = {
78 { 78 "redis/predixy.conf" = {
79 dest = "redis/predixy.conf";
80 user = "redis"; 79 user = "redis";
81 group = "redis"; 80 group = "redis";
82 permissions = "0400"; 81 permissions = "0400";
@@ -100,15 +99,14 @@ in {
100 } 99 }
101 } 100 }
102 ''; 101 '';
103 } 102 };
104 { 103 "redis/spiped_keyfile" = {
105 dest = "redis/spiped_keyfile";
106 user = "spiped"; 104 user = "spiped";
107 group = "spiped"; 105 group = "spiped";
108 permissions = "0400"; 106 permissions = "0400";
109 text = config.myEnv.databases.redis.spiped_key; 107 text = config.myEnv.databases.redis.spiped_key;
110 } 108 };
111 ]; 109 };
112 110
113 systemd.slices.redis = { 111 systemd.slices.redis = {
114 description = "Redis slice"; 112 description = "Redis slice";
diff --git a/modules/private/databases/redis_replication.nix b/modules/private/databases/redis_replication.nix
index 3caa7e9..9e48939 100644
--- a/modules/private/databases/redis_replication.nix
+++ b/modules/private/databases/redis_replication.nix
@@ -68,9 +68,8 @@ in
68 }; 68 };
69 }; 69 };
70 70
71 secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ 71 secrets.keys = lib.mapAttrs' (name: hcfg:
72 { 72 lib.nameValuePair "redis_replication/${name}/config" {
73 dest = "redis_replication/${name}/config";
74 user = "redis"; 73 user = "redis";
75 group = "redis"; 74 group = "redis";
76 permissions = "0400"; 75 permissions = "0400";
@@ -97,15 +96,14 @@ in
97 maxclients 1024 96 maxclients 1024
98 ''; 97 '';
99 } 98 }
100 ]) cfg.hosts) ++ [ 99 ) cfg.hosts // {
101 { # For eldiron only 100 "redis/spiped_eldiron_keyfile" = { # For eldiron only
102 dest = "redis/spiped_eldiron_keyfile";
103 user = "spiped"; 101 user = "spiped";
104 group = "spiped"; 102 group = "spiped";
105 permissions = "0400"; 103 permissions = "0400";
106 text = config.myEnv.databases.redis.spiped_key; 104 text = config.myEnv.databases.redis.spiped_key;
107 } 105 };
108 ]; 106 };
109 107
110 services.cron = { 108 services.cron = {
111 enable = true; 109 enable = true;
diff --git a/modules/private/dns.nix b/modules/private/dns.nix
index 32c52a9..1d7fd52 100644
--- a/modules/private/dns.nix
+++ b/modules/private/dns.nix
@@ -87,9 +87,8 @@
87 networking.firewall.allowedUDPPorts = [ 53 ]; 87 networking.firewall.allowedUDPPorts = [ 53 ];
88 networking.firewall.allowedTCPPorts = [ 53 ]; 88 networking.firewall.allowedTCPPorts = [ 53 ];
89 users.users.named.extraGroups = [ "keys" ]; 89 users.users.named.extraGroups = [ "keys" ];
90 secrets.keys = lib.mapAttrsToList (k: v: 90 secrets.keys = lib.mapAttrs' (k: v:
91 { 91 lib.nameValuePair "bind/${k}.key" {
92 dest = "bind/${k}.key";
93 permissions = "0400"; 92 permissions = "0400";
94 user = "named"; 93 user = "named";
95 text = '' 94 text = ''
diff --git a/modules/private/ejabberd/default.nix b/modules/private/ejabberd/default.nix
index d051d79..4d86a64 100644
--- a/modules/private/ejabberd/default.nix
+++ b/modules/private/ejabberd/default.nix
@@ -37,9 +37,8 @@ in
37 systemd.services.ejabberd.postStop = '' 37 systemd.services.ejabberd.postStop = ''
38 rm /var/log/ejabberd/erl_crash*.dump 38 rm /var/log/ejabberd/erl_crash*.dump
39 ''; 39 '';
40 secrets.keys = [ 40 secrets.keys = {
41 { 41 "ejabberd/psql.yml" = {
42 dest = "ejabberd/psql.yml";
43 permissions = "0400"; 42 permissions = "0400";
44 user = "ejabberd"; 43 user = "ejabberd";
45 group = "ejabberd"; 44 group = "ejabberd";
@@ -50,9 +49,8 @@ in
50 sql_username: "${config.myEnv.jabber.postgresql.user}" 49 sql_username: "${config.myEnv.jabber.postgresql.user}"
51 sql_password: "${config.myEnv.jabber.postgresql.password}" 50 sql_password: "${config.myEnv.jabber.postgresql.password}"
52 ''; 51 '';
53 } 52 };
54 { 53 "ejabberd/host.yml" = {
55 dest = "ejabberd/host.yml";
56 permissions = "0400"; 54 permissions = "0400";
57 user = "ejabberd"; 55 user = "ejabberd";
58 group = "ejabberd"; 56 group = "ejabberd";
@@ -71,8 +69,8 @@ in
71 immaeXmppUid: "%u" 69 immaeXmppUid: "%u"
72 ldap_filter: "${config.myEnv.jabber.ldap.filter}" 70 ldap_filter: "${config.myEnv.jabber.ldap.filter}"
73 ''; 71 '';
74 } 72 };
75 ]; 73 };
76 users.users.ejabberd.extraGroups = [ "keys" ]; 74 users.users.ejabberd.extraGroups = [ "keys" ];
77 services.ejabberd = { 75 services.ejabberd = {
78 package = pkgs.ejabberd.override { withPgsql = true; }; 76 package = pkgs.ejabberd.override { withPgsql = true; };
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix
index 07db0f4..1428198 100644
--- a/modules/private/ftp.nix
+++ b/modules/private/ftp.nix
@@ -47,8 +47,7 @@ in
47 install -m 0755 -o ftp -g ftp -d /var/lib/ftp 47 install -m 0755 -o ftp -g ftp -d /var/lib/ftp
48 ''; 48 '';
49 49
50 secrets.keys = [{ 50 secrets.keys."pure-ftpd-ldap" = {
51 dest = "pure-ftpd-ldap";
52 permissions = "0400"; 51 permissions = "0400";
53 user = "ftp"; 52 user = "ftp";
54 group = "ftp"; 53 group = "ftp";
@@ -71,7 +70,7 @@ in
71 # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid 70 # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
72 LDAPHomeDir immaeFtpDirectory 71 LDAPHomeDir immaeFtpDirectory
73 ''; 72 '';
74 }]; 73 };
75 74
76 services.filesWatcher.pure-ftpd = { 75 services.filesWatcher.pure-ftpd = {
77 restart = true; 76 restart = true;
diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix
index 0fb1a99..20d2cd5 100644
--- a/modules/private/gitolite/default.nix
+++ b/modules/private/gitolite/default.nix
@@ -21,13 +21,12 @@ in {
21 }; 21 };
22 networking.firewall.allowedTCPPorts = [ 9418 ]; 22 networking.firewall.allowedTCPPorts = [ 9418 ];
23 23
24 secrets.keys = [{ 24 secrets.keys."gitolite/ldap_password" = {
25 dest = "gitolite/ldap_password";
26 user = "gitolite"; 25 user = "gitolite";
27 group = "gitolite"; 26 group = "gitolite";
28 permissions = "0400"; 27 permissions = "0400";
29 text = config.myEnv.tools.gitolite.ldap.password; 28 text = config.myEnv.tools.gitolite.ldap.password;
30 }]; 29 };
31 30
32 services.gitDaemon = { 31 services.gitDaemon = {
33 enable = true; 32 enable = true;
diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix
index 23e795f..0ef3467 100644
--- a/modules/private/mail/dovecot.nix
+++ b/modules/private/mail/dovecot.nix
@@ -18,36 +18,33 @@ in
18 + /var/lib/dhparams 18 + /var/lib/dhparams
19 + /var/lib/dovecot 19 + /var/lib/dovecot
20 ''; 20 '';
21 secrets.keys = [ 21 secrets.keys."dovecot/ldap" = {
22 { 22 user = config.services.dovecot2.user;
23 dest = "dovecot/ldap"; 23 group = config.services.dovecot2.group;
24 user = config.services.dovecot2.user; 24 permissions = "0400";
25 group = config.services.dovecot2.group; 25 text = ''
26 permissions = "0400"; 26 hosts = ${config.myEnv.mail.dovecot.ldap.host}
27 text = '' 27 tls = yes
28 hosts = ${config.myEnv.mail.dovecot.ldap.host}
29 tls = yes
30 28
31 dn = ${config.myEnv.mail.dovecot.ldap.dn} 29 dn = ${config.myEnv.mail.dovecot.ldap.dn}
32 dnpass = ${config.myEnv.mail.dovecot.ldap.password} 30 dnpass = ${config.myEnv.mail.dovecot.ldap.password}
33 31
34 auth_bind = yes 32 auth_bind = yes
35 33
36 ldap_version = 3 34 ldap_version = 3
37 35
38 base = ${config.myEnv.mail.dovecot.ldap.base} 36 base = ${config.myEnv.mail.dovecot.ldap.base}
39 scope = subtree 37 scope = subtree
40 38
41 pass_filter = ${config.myEnv.mail.dovecot.ldap.filter} 39 pass_filter = ${config.myEnv.mail.dovecot.ldap.filter}
42 pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs} 40 pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs}
43 41
44 user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs} 42 user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs}
45 user_filter = ${config.myEnv.mail.dovecot.ldap.filter} 43 user_filter = ${config.myEnv.mail.dovecot.ldap.filter}
46 iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs} 44 iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs}
47 iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter} 45 iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter}
48 ''; 46 '';
49 } 47 };
50 ];
51 48
52 users.users.vhost = { 49 users.users.vhost = {
53 group = "vhost"; 50 group = "vhost";
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix
index 172e216..4b93a7a 100644
--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -17,30 +17,27 @@
17 ''; 17 '';
18 }; 18 };
19 config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) { 19 config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
20 secrets.keys = [ 20 secrets.keys = {
21 { 21 "opendkim" = {
22 dest = "opendkim";
23 isDir = true; 22 isDir = true;
24 user = config.services.opendkim.user; 23 user = config.services.opendkim.user;
25 group = config.services.opendkim.group; 24 group = config.services.opendkim.group;
26 permissions = "0550"; 25 permissions = "0550";
27 } 26 };
28 { 27 "opendkim/eldiron.private" = {
29 dest = "opendkim/eldiron.private";
30 user = config.services.opendkim.user; 28 user = config.services.opendkim.user;
31 group = config.services.opendkim.group; 29 group = config.services.opendkim.group;
32 permissions = "0400"; 30 permissions = "0400";
33 text = config.myEnv.mail.dkim.eldiron.private; 31 text = config.myEnv.mail.dkim.eldiron.private;
34 } 32 };
35 { 33 "opendkim/eldiron.txt" = {
36 dest = "opendkim/eldiron.txt";
37 user = config.services.opendkim.user; 34 user = config.services.opendkim.user;
38 group = config.services.opendkim.group; 35 group = config.services.opendkim.group;
39 permissions = "0444"; 36 permissions = "0444";
40 text = '' 37 text = ''
41 eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}''; 38 eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
42 } 39 };
43 ]; 40 };
44 users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ]; 41 users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
45 services.opendkim = { 42 services.opendkim = {
46 enable = true; 43 enable = true;
diff --git a/modules/private/mail/opensmtpd.nix b/modules/private/mail/opensmtpd.nix
index a7be066..e05bba9 100644
--- a/modules/private/mail/opensmtpd.nix
+++ b/modules/private/mail/opensmtpd.nix
@@ -1,17 +1,14 @@
1{ lib, pkgs, config, name, ... }: 1{ lib, pkgs, config, name, ... }:
2{ 2{
3 config = lib.mkIf config.myServices.mailRelay.enable { 3 config = lib.mkIf config.myServices.mailRelay.enable {
4 secrets.keys = [ 4 secrets.keys."opensmtpd/creds" = {
5 { 5 user = "smtpd";
6 dest = "opensmtpd/creds"; 6 group = "smtpd";
7 user = "smtpd"; 7 permissions = "0400";
8 group = "smtpd"; 8 text = ''
9 permissions = "0400"; 9 eldiron ${name}:${config.hostEnv.ldap.password}
10 text = '' 10 '';
11 eldiron ${name}:${config.hostEnv.ldap.password} 11 };
12 '';
13 }
14 ];
15 users.users.smtpd.extraGroups = [ "keys" ]; 12 users.users.smtpd.extraGroups = [ "keys" ];
16 services.opensmtpd = { 13 services.opensmtpd = {
17 enable = true; 14 enable = true;
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index de5e59d..054b93e 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -4,9 +4,8 @@
4 services.duplyBackup.profiles.mail.excludeFile = '' 4 services.duplyBackup.profiles.mail.excludeFile = ''
5 + /var/lib/postfix 5 + /var/lib/postfix
6 ''; 6 '';
7 secrets.keys = [ 7 secrets.keys = {
8 { 8 "postfix/mysql_alias_maps" = {
9 dest = "postfix/mysql_alias_maps";
10 user = config.services.postfix.user; 9 user = config.services.postfix.user;
11 group = config.services.postfix.group; 10 group = config.services.postfix.group;
12 permissions = "0440"; 11 permissions = "0440";
@@ -32,9 +31,8 @@
32 FROM forwardings_blacklisted 31 FROM forwardings_blacklisted
33 WHERE source = '%s' 32 WHERE source = '%s'
34 ''; 33 '';
35 } 34 };
36 { 35 "postfix/ldap_mailboxes" = {
37 dest = "postfix/ldap_mailboxes";
38 user = config.services.postfix.user; 36 user = config.services.postfix.user;
39 group = config.services.postfix.group; 37 group = config.services.postfix.group;
40 permissions = "0440"; 38 permissions = "0440";
@@ -48,9 +46,8 @@
48 result_format = dummy 46 result_format = dummy
49 version = 3 47 version = 3
50 ''; 48 '';
51 } 49 };
52 { 50 "postfix/mysql_sender_login_maps" = {
53 dest = "postfix/mysql_sender_login_maps";
54 user = config.services.postfix.user; 51 user = config.services.postfix.user;
55 group = config.services.postfix.group; 52 group = config.services.postfix.group;
56 permissions = "0440"; 53 permissions = "0440";
@@ -72,9 +69,8 @@
72 AND active = 1 69 AND active = 1
73 UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination 70 UNION SELECT CONCAT(SUBSTRING_INDEX('%u', '+', 1), '@%d') AS destination
74 ''; 71 '';
75 } 72 };
76 { 73 "postfix/mysql_sender_relays_maps" = {
77 dest = "postfix/mysql_sender_relays_maps";
78 user = config.services.postfix.user; 74 user = config.services.postfix.user;
79 group = config.services.postfix.group; 75 group = config.services.postfix.group;
80 permissions = "0440"; 76 permissions = "0440";
@@ -102,9 +98,8 @@
102 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) 98 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
103 AND active = 1 99 AND active = 1
104 ''; 100 '';
105 } 101 };
106 { 102 "postfix/mysql_sender_relays_hosts" = {
107 dest = "postfix/mysql_sender_relays_hosts";
108 user = config.services.postfix.user; 103 user = config.services.postfix.user;
109 group = config.services.postfix.group; 104 group = config.services.postfix.group;
110 permissions = "0440"; 105 permissions = "0440";
@@ -122,9 +117,8 @@
122 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) 117 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
123 AND active = 1 118 AND active = 1
124 ''; 119 '';
125 } 120 };
126 { 121 "postfix/mysql_sender_relays_creds" = {
127 dest = "postfix/mysql_sender_relays_creds";
128 user = config.services.postfix.user; 122 user = config.services.postfix.user;
129 group = config.services.postfix.group; 123 group = config.services.postfix.group;
130 permissions = "0440"; 124 permissions = "0440";
@@ -142,9 +136,8 @@
142 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s')) 136 ((regex = 1 AND '%s' REGEXP CONCAT('^',`from`,'$') ) OR (regex = 0 AND `from` = '%s'))
143 AND active = 1 137 AND active = 1
144 ''; 138 '';
145 } 139 };
146 { 140 "postfix/ldap_ejabberd_users_immae_fr" = {
147 dest = "postfix/ldap_ejabberd_users_immae_fr";
148 user = config.services.postfix.user; 141 user = config.services.postfix.user;
149 group = config.services.postfix.group; 142 group = config.services.postfix.group;
150 permissions = "0440"; 143 permissions = "0440";
@@ -159,14 +152,13 @@
159 result_format = ejabberd@localhost 152 result_format = ejabberd@localhost
160 version = 3 153 version = 3
161 ''; 154 '';
162 } 155 };
163 ] ++ (lib.mapAttrsToList (name: v: { 156 } // lib.mapAttrs' (name: v: lib.nameValuePair "postfix/scripts/${name}-env" {
164 dest = "postfix/scripts/${name}-env";
165 user = "postfixscripts"; 157 user = "postfixscripts";
166 group = "root"; 158 group = "root";
167 permissions = "0400"; 159 permissions = "0400";
168 text = builtins.toJSON v.env; 160 text = builtins.toJSON v.env;
169 }) config.myEnv.mail.scripts); 161 }) config.myEnv.mail.scripts;
170 162
171 networking.firewall.allowedTCPPorts = [ 25 465 587 ]; 163 networking.firewall.allowedTCPPorts = [ 25 465 587 ];
172 164
diff --git a/modules/private/mail/relay.nix b/modules/private/mail/relay.nix
index 651452c..668d365 100644
--- a/modules/private/mail/relay.nix
+++ b/modules/private/mail/relay.nix
@@ -13,9 +13,8 @@
13 mxs = map (zone: "${config.myEnv.servers."${name}".mx.subdomain}.${zone.name}") zonesWithMx; 13 mxs = map (zone: "${config.myEnv.servers."${name}".mx.subdomain}.${zone.name}") zonesWithMx;
14 in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs); 14 in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
15 }; 15 };
16 secrets.keys = [ 16 secrets.keys = {
17 { 17 "postfix/mysql_alias_maps" = {
18 dest = "postfix/mysql_alias_maps";
19 user = config.services.postfix.user; 18 user = config.services.postfix.user;
20 group = config.services.postfix.group; 19 group = config.services.postfix.group;
21 permissions = "0440"; 20 permissions = "0440";
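Review bot: `"postfix/mysql_alias_maps"`, `"postfix/ldap_mailboxes"` and `"postfix/ldap_ejabberd_users_immae_fr"` are now attribute names that modules/private/mail/postfix.nix defines as well; as list entries two definitions simply yielded two items, but as attrs the module system either merges or rejects a duplicate name depending on the option's type, which this diff does not show. If the mail and relay roles can ever be enabled on the same host the outcome should be pinned down, e.g. with an `assertions` entry declaring the two roles mutually exclusive, or by giving the relay copies a distinct prefix such as `"postfix-relay/..."`. The guard around this block, if any, starts outside the hunk.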
@@ -41,9 +40,8 @@
41 FROM forwardings_blacklisted 40 FROM forwardings_blacklisted
42 WHERE source = '%s' 41 WHERE source = '%s'
43 ''; 42 '';
44 } 43 };
45 { 44 "postfix/ldap_mailboxes" = {
46 dest = "postfix/ldap_mailboxes";
47 user = config.services.postfix.user; 45 user = config.services.postfix.user;
48 group = config.services.postfix.group; 46 group = config.services.postfix.group;
49 permissions = "0440"; 47 permissions = "0440";
@@ -57,9 +55,8 @@
57 result_format = dummy 55 result_format = dummy
58 version = 3 56 version = 3
59 ''; 57 '';
60 } 58 };
61 { 59 "postfix/sympa_mailbox_maps" = {
62 dest = "postfix/sympa_mailbox_maps";
63 user = config.services.postfix.user; 60 user = config.services.postfix.user;
64 group = config.services.postfix.group; 61 group = config.services.postfix.group;
65 permissions = "0440"; 62 permissions = "0440";
@@ -82,9 +79,8 @@
82 CONCAT('abuse-feedback-report@', robot_list) 79 CONCAT('abuse-feedback-report@', robot_list)
83 ) 80 )
84 ''; 81 '';
85 } 82 };
86 { 83 "postfix/ldap_ejabberd_users_immae_fr" = {
87 dest = "postfix/ldap_ejabberd_users_immae_fr";
88 user = config.services.postfix.user; 84 user = config.services.postfix.user;
89 group = config.services.postfix.group; 85 group = config.services.postfix.group;
90 permissions = "0440"; 86 permissions = "0440";
@@ -99,8 +95,8 @@
99 result_format = ejabberd@localhost 95 result_format = ejabberd@localhost
100 version = 3 96 version = 3
101 ''; 97 '';
102 } 98 };
103 ]; 99 };
104 100
105 networking.firewall.allowedTCPPorts = [ 25 ]; 101 networking.firewall.allowedTCPPorts = [ 25 ];
106 102
diff --git a/modules/private/mail/sympa.nix b/modules/private/mail/sympa.nix
index 5270b69..920daa9 100644
--- a/modules/private/mail/sympa.nix
+++ b/modules/private/mail/sympa.nix
@@ -34,20 +34,19 @@ in
34 ]; 34 ];
35 }; 35 };
36 36
37 secrets.keys = [ 37 secrets.keys = {
38 { 38 "sympa/db_password" = {
39 dest = "sympa/db_password";
40 permissions = "0400"; 39 permissions = "0400";
41 group = "sympa"; 40 group = "sympa";
42 user = "sympa"; 41 user = "sympa";
43 text = sympaConfig.postgresql.password; 42 text = sympaConfig.postgresql.password;
44 } 43 };
45 ] 44 }
46 ++ lib.mapAttrsToList (n: v: { 45 // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/data_sources/${n}.incl" {
47 dest = "sympa/data_sources/${n}.incl"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; 46 permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
48 }) sympaConfig.data_sources 47 }) sympaConfig.data_sources
49 ++ lib.mapAttrsToList (n: v: { 48 // lib.mapAttrs' (n: v: lib.nameValuePair "sympa/scenari/${n}" {
50 dest = "sympa/scenari/${n}"; permissions = "0400"; group = "sympa"; user = "sympa"; text = v; 49 permissions = "0400"; group = "sympa"; user = "sympa"; text = v;
51 }) sympaConfig.scenari; 50 }) sympaConfig.scenari;
52 users.users.sympa.extraGroups = [ "keys" ]; 51 users.users.sympa.extraGroups = [ "keys" ];
53 systemd.slices.mail-sympa = { 52 systemd.slices.mail-sympa = {
diff --git a/modules/private/monitoring/default.nix b/modules/private/monitoring/default.nix
index cab9e7c..bdb5c93 100644
--- a/modules/private/monitoring/default.nix
+++ b/modules/private/monitoring/default.nix
@@ -199,18 +199,15 @@ in
199 text = "MAILADDR ${config.myEnv.monitoring.email}"; 199 text = "MAILADDR ${config.myEnv.monitoring.email}";
200 }; 200 };
201 201
202 secrets.keys = [ 202 secrets.keys = {
203 { 203 "naemon/id_rsa" = {
204 dest = "naemon/id_rsa";
205 user = "naemon"; 204 user = "naemon";
206 group = "naemon"; 205 group = "naemon";
207 permissions = "0400"; 206 permissions = "0400";
208 text = config.myEnv.monitoring.ssh_secret_key; 207 text = config.myEnv.monitoring.ssh_secret_key;
209 } 208 };
210 ] ++ lib.optionals cfg.master ( 209 } // lib.optionalAttrs cfg.master (
211 lib.mapAttrsToList (k: v: 210 lib.mapAttrs' (k: v: lib.nameValuePair "${k}_access_key" {
212 {
213 dest = "${k}_access_key";
214 user = "naemon"; 211 user = "naemon";
215 group = "naemon"; 212 group = "naemon";
216 permissions = "0400"; 213 permissions = "0400";
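Review bot: The per-host keys are named `"${k}_access_key"` at the root of the secrets tree while the sibling key is `"naemon/id_rsa"`; placing them under the same prefix, `lib.nameValuePair "naemon/${k}_access_key" {`, keeps the naemon-owned secrets in one directory and avoids collisions with other top-level names as the set of hosts grows. Whatever consumes these paths would need the matching change and is not in this hunk; the `mapAttrs'` body and its closing parenthesis also continue past it.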
diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix
index 73f4749..ab0290c 100644
--- a/modules/private/monitoring/status.nix
+++ b/modules/private/monitoring/status.nix
@@ -12,17 +12,14 @@
12 }; 12 };
13 }; 13 };
14 config = lib.mkIf config.myServices.status.enable { 14 config = lib.mkIf config.myServices.status.enable {
15 secrets.keys = [ 15 secrets.keys."naemon-status/environment" = {
16 { 16 user = "naemon";
17 dest = "naemon-status/environment"; 17 group = "naemon";
18 user = "naemon"; 18 permissions = "0400";
19 group = "naemon"; 19 text = ''
20 permission = "0400"; 20 TOKENS=${builtins.concatStringsSep " " config.myEnv.monitoring.nrdp_tokens}
21 text = '' 21 '';
22 TOKENS=${builtins.concatStringsSep " " config.myEnv.monitoring.nrdp_tokens} 22 };
23 '';
24 }
25 ];
26 services.nginx = { 23 services.nginx = {
27 enable = true; 24 enable = true;
28 recommendedOptimisation = true; 25 recommendedOptimisation = true;
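Review bot: The rename from `permission = "0400"` to `permissions = "0400"` on `naemon-status/environment` is a behaviour change hidden inside a mechanical refactor: the old attribute name did not match the option, so the NRDP token file was created with whatever default mode the secrets module applies (not visible here) rather than 0400. It deserves its own line in the commit message, and if that default was group- or world-readable the values in `TOKENS=...` should be treated as exposed and rotated. A typed submodule for `secrets.keys` would reject an unknown attribute such as `permission` at evaluation time; whether flakes/secrets/flake.nix enforces that is outside this hunk.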
diff --git a/modules/private/monitoring/status_engine.nix b/modules/private/monitoring/status_engine.nix
index 8192a9d..39a753a 100644
--- a/modules/private/monitoring/status_engine.nix
+++ b/modules/private/monitoring/status_engine.nix
@@ -19,8 +19,7 @@ in
19 }; 19 };
20 }; 20 };
21 21
22 secrets.keys = [{ 22 secrets.keys."status_engine" = {
23 dest = "status_engine";
24 permissions = "0400"; 23 permissions = "0400";
25 user = "naemon"; 24 user = "naemon";
26 group = "naemon"; 25 group = "naemon";
@@ -87,7 +86,7 @@ in
87 86
88 disable_http_proxy: 1 87 disable_http_proxy: 1
89 ''; 88 '';
90 }]; 89 };
91 90
92 services.redis = rec { 91 services.redis = rec {
93 enable = true; 92 enable = true;
diff --git a/modules/private/mpd.nix b/modules/private/mpd.nix
index f2e87bb..7fa8fe9 100644
--- a/modules/private/mpd.nix
+++ b/modules/private/mpd.nix
@@ -5,22 +5,20 @@
5 services.duplyBackup.profiles.mpd = { 5 services.duplyBackup.profiles.mpd = {
6 rootDir = "/var/lib/mpd"; 6 rootDir = "/var/lib/mpd";
7 }; 7 };
8 secrets.keys = [ 8 secrets.keys = {
9 { 9 "mpd" = {
10 dest = "mpd";
11 permissions = "0400"; 10 permissions = "0400";
12 text = config.myEnv.mpd.password; 11 text = config.myEnv.mpd.password;
13 } 12 };
14 { 13 "mpd-config" = {
15 dest = "mpd-config";
16 permissions = "0400"; 14 permissions = "0400";
17 user = "mpd"; 15 user = "mpd";
18 group = "mpd"; 16 group = "mpd";
19 text = '' 17 text = ''
20 password "${config.myEnv.mpd.password}@read,add,control,admin" 18 password "${config.myEnv.mpd.password}@read,add,control,admin"
21 ''; 19 '';
22 } 20 };
23 ]; 21 };
24 networking.firewall.allowedTCPPorts = [ 6600 ]; 22 networking.firewall.allowedTCPPorts = [ 6600 ];
25 users.users.mpd.extraGroups = [ "wwwrun" "keys" ]; 23 users.users.mpd.extraGroups = [ "wwwrun" "keys" ];
26 systemd.services.mpd.serviceConfig.RuntimeDirectory = "mpd"; 24 systemd.services.mpd.serviceConfig.RuntimeDirectory = "mpd";
diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix
index ca9b6fc..ee5dda5 100644
--- a/modules/private/ssh/default.nix
+++ b/modules/private/ssh/default.nix
@@ -51,13 +51,12 @@ in
51 AuthorizedKeysCommandUser nobody 51 AuthorizedKeysCommandUser nobody
52 ''; 52 '';
53 53
54 secrets.keys = [{ 54 secrets.keys."ssh-ldap" = {
55 dest = "ssh-ldap";
56 user = "nobody"; 55 user = "nobody";
57 group = "nogroup"; 56 group = "nogroup";
58 permissions = "0400"; 57 permissions = "0400";
59 text = config.myEnv.sshd.ldap.password; 58 text = config.myEnv.sshd.ldap.password;
60 }]; 59 };
61 system.activationScripts.sshd = { 60 system.activationScripts.sshd = {
62 deps = [ "secrets" ]; 61 deps = [ "secrets" ];
63 text = '' 62 text = ''
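Review bot: `"ssh-ldap"` holds the LDAP bind password used by the `AuthorizedKeysCommand` and is owned by `nobody:nogroup`, the shared catch-all account rather than one dedicated to sshd's lookup helper, so every other process that runs as nobody on the host can read it. A dedicated system user, `users.users.sshd-ldap = { isSystemUser = true; group = "sshd-ldap"; };`, used both as the key's owner and as `AuthorizedKeysCommandUser`, limits the secret to its single consumer. The `system.activationScripts.sshd` text that references the key continues past the hunk.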
diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix
index 181f455..c01a666 100644
--- a/modules/private/system/backup-2.nix
+++ b/modules/private/system/backup-2.nix
@@ -7,22 +7,20 @@
7 }; 7 };
8 # ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age 8 # ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age
9 secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ]; 9 secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ];
10 secrets.keys = [ 10 secrets.keys = {
11 { 11 "rsync_backup/identity" = {
12 dest = "rsync_backup/identity";
13 user = "backup"; 12 user = "backup";
14 group = "backup"; 13 group = "backup";
15 permissions = "0400"; 14 permissions = "0400";
16 text = config.myEnv.rsync_backup.ssh_key.private; 15 text = config.myEnv.rsync_backup.ssh_key.private;
17 } 16 };
18 { 17 "rsync_backup/identity.pub" = {
19 dest = "rsync_backup/identity.pub";
20 user = "backup"; 18 user = "backup";
21 group = "backup"; 19 group = "backup";
22 permissions = "0444"; 20 permissions = "0444";
23 text = config.myEnv.rsync_backup.ssh_key.public; 21 text = config.myEnv.rsync_backup.ssh_key.public;
24 } 22 };
25 ]; 23 };
26 boot.kernelPackages = pkgs.linuxPackages_latest; 24 boot.kernelPackages = pkgs.linuxPackages_latest;
27 myEnv = import ../../../nixops/secrets/environment.nix; 25 myEnv = import ../../../nixops/secrets/environment.nix;
28 26
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
index 0830f18..2c339a5 100644
--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -126,9 +126,8 @@
126 services.netdata.config.web.mode = "none"; 126 services.netdata.config.web.mode = "none";
127 users.users."${config.services.netdata.user}".extraGroups = [ "keys" ]; 127 users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
128 environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf"; 128 environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
129 secrets.keys = [ 129 secrets.keys = {
130 { 130 "netdata-stream.conf" = {
131 dest = "netdata-stream.conf";
132 user = config.services.netdata.user; 131 user = config.services.netdata.user;
133 group = config.services.netdata.group; 132 group = config.services.netdata.group;
134 permissions = "0400"; 133 permissions = "0400";
@@ -138,15 +137,14 @@
138 destination = ${config.myEnv.monitoring.netdata_aggregator} 137 destination = ${config.myEnv.monitoring.netdata_aggregator}
139 api key = ${config.myEnv.monitoring.netdata_keys.eldiron} 138 api key = ${config.myEnv.monitoring.netdata_keys.eldiron}
140 ''; 139 '';
141 } 140 };
142 { 141 "zrepl_backup/identity" = {
143 dest = "zrepl_backup/identity";
144 user = "root"; 142 user = "root";
145 group = "root"; 143 group = "root";
146 permissions = "0400"; 144 permissions = "0400";
147 text = config.myEnv.zrepl_backup.ssh_key.private; 145 text = config.myEnv.zrepl_backup.ssh_key.private;
148 } 146 };
149 ]; 147 };
150 programs.ssh.knownHosts.dilion = { 148 programs.ssh.knownHosts.dilion = {
151 hostNames = ["dilion.immae.eu"]; 149 hostNames = ["dilion.immae.eu"];
152 publicKey = let 150 publicKey = let
diff --git a/modules/private/system/monitoring-1.nix b/modules/private/system/monitoring-1.nix
index 91d30fd..dea5f45 100644
--- a/modules/private/system/monitoring-1.nix
+++ b/modules/private/system/monitoring-1.nix
@@ -45,9 +45,8 @@
45 networking.firewall.allowedTCPPorts = [ 19999 ]; 45 networking.firewall.allowedTCPPorts = [ 19999 ];
46 environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf"; 46 environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
47 47
48 secrets.keys = [ 48 secrets.keys = {
49 { 49 "netdata-stream.conf" = {
50 dest = "netdata-stream.conf";
51 user = config.services.netdata.user; 50 user = config.services.netdata.user;
52 group = config.services.netdata.group; 51 group = config.services.netdata.group;
53 permissions = "0400"; 52 permissions = "0400";
@@ -58,8 +57,8 @@
58 default memory = ram 57 default memory = ram
59 health enabled by default = auto 58 health enabled by default = auto
60 '') config.myEnv.monitoring.netdata_keys); 59 '') config.myEnv.monitoring.netdata_keys);
61 } 60 };
62 ]; 61 };
63 users.users."${config.services.netdata.user}".extraGroups = [ "keys" ]; 62 users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
64 # This value determines the NixOS release with which your system is 63 # This value determines the NixOS release with which your system is
65 # to be compatible, in order to avoid breaking some software such as 64 # to be compatible, in order to avoid breaking some software such as
diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix
index 491e215..82db70f 100644
--- a/modules/private/system/quatresaisons.nix
+++ b/modules/private/system/quatresaisons.nix
@@ -254,14 +254,12 @@ in
254 ''; 254 '';
255 }; 255 };
256 256
257 secrets.keys = [ 257 secrets.keys = {
258 { 258 "ldap/sync_password" = {
259 dest = "ldap/sync_password";
260 permissions = "0400"; 259 permissions = "0400";
261 text = serverSpecificConfig.ldap_sync_password; 260 text = serverSpecificConfig.ldap_sync_password;
262 } 261 };
263 { 262 "ldap/ldaptree.ldif" = {
264 dest = "ldap/ldaptree.ldif";
265 permissions = "0400"; 263 permissions = "0400";
266 text = serverSpecificConfig.ldap_service_users 264 text = serverSpecificConfig.ldap_service_users
267 + (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: '' 265 + (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
@@ -272,8 +270,8 @@ in
272 sn: ${n} 270 sn: ${n}
273 uid: ${n} 271 uid: ${n}
274 '') normalUsers)); 272 '') normalUsers));
275 } 273 };
276 ]; 274 };
277 275
278 myServices.monitoring.enable = true; 276 myServices.monitoring.enable = true;
279 myServices.certificates.enable = true; 277 myServices.certificates.enable = true;
diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix
index 68ce274..f7b27e0 100644
--- a/modules/private/system/quatresaisons/databases.nix
+++ b/modules/private/system/quatresaisons/databases.nix
@@ -9,16 +9,14 @@
9 services.postgresql.ensureUsers = [ 9 services.postgresql.ensureUsers = [
10 { name = "naemon"; } 10 { name = "naemon"; }
11 ]; 11 ];
12 secrets.keys = [ 12 secrets.keys = {
13 { 13 "ldap/password" = {
14 dest = "ldap/password";
15 permissions = "0400"; 14 permissions = "0400";
16 user = "openldap"; 15 user = "openldap";
17 group = "openldap"; 16 group = "openldap";
18 text = "rootpw ${serverSpecificConfig.ldap_root_pw}"; 17 text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
19 } 18 };
20 { 19 "webapps/tools-ldap" = {
21 dest = "webapps/tools-ldap";
22 user = "wwwrun"; 20 user = "wwwrun";
23 group = "wwwrun"; 21 group = "wwwrun";
24 permissions = "0400"; 22 permissions = "0400";
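Review bot: `"ldap/password"` writes `rootpw ${serverSpecificConfig.ldap_root_pw}` as a cleartext value; slapd accepts a hashed `rootpw` (`{SSHA}...` as produced by `slappasswd`), so the file could carry `rootpw ${serverSpecificConfig.ldap_root_pw_hash}` and the cleartext would never need to exist on this host. Whether the same password is required in clear elsewhere is not visible here (the `ldap/sync_password` key in quatresaisons.nix is a separate value). The 0400 openldap ownership already limits readers to slapd, so this is hardening rather than a leak.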
@@ -42,8 +40,8 @@
42 $servers->setValue('login','attr','uid'); 40 $servers->setValue('login','attr','uid');
43 $servers->setValue('login','fallback_dn',true); 41 $servers->setValue('login','fallback_dn',true);
44 ''; 42 '';
45 } 43 };
46 ]; 44 };
47 45
48 users.users.openldap.extraGroups = [ "keys" ]; 46 users.users.openldap.extraGroups = [ "keys" ];
49 services.openldap = { 47 services.openldap = {
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix
index b3f1b7b..ac2aa21 100644
--- a/modules/private/tasks/default.nix
+++ b/modules/private/tasks/default.nix
@@ -95,9 +95,8 @@ in {
95 ''; 95 '';
96 }; 96 };
97 97
98 secrets.keys = [ 98 secrets.keys = {
99 { 99 "webapps/tools-taskwarrior-web" = {
100 dest = "webapps/tools-taskwarrior-web";
101 user = "wwwrun"; 100 user = "wwwrun";
102 group = "wwwrun"; 101 group = "wwwrun";
103 permissions = "0400"; 102 permissions = "0400";
@@ -110,9 +109,8 @@ in {
110 SetEnv TASKD_LDAP_BASE "${env.ldap.base}" 109 SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
111 SetEnv TASKD_LDAP_FILTER "${env.ldap.filter}" 110 SetEnv TASKD_LDAP_FILTER "${env.ldap.filter}"
112 ''; 111 '';
113 } 112 };
114 ] ++ (lib.mapAttrsToList (name: userConfig: { 113 } // (lib.mapAttrs' (name: userConfig: lib.nameValuePair "webapps/tools-taskwarrior/${name}-taskrc" {
115 dest = "webapps/tools-taskwarrior/${name}-taskrc";
116 inherit user group; 114 inherit user group;
117 permissions = "0400"; 115 permissions = "0400";
118 text = let 116 text = let
diff --git a/modules/private/vpn/default.nix b/modules/private/vpn/default.nix
index a9051af..d4b197d 100644
--- a/modules/private/vpn/default.nix
+++ b/modules/private/vpn/default.nix
@@ -8,22 +8,20 @@ in
8 }; 8 };
9 9
10 config = lib.mkIf cfg.enable { 10 config = lib.mkIf cfg.enable {
11 secrets.keys = [ 11 secrets.keys = {
12 { 12 "tinc/key.priv" = {
13 dest = "tinc/key.priv";
14 user = "root"; 13 user = "root";
15 group = "root"; 14 group = "root";
16 permissions = "0400"; 15 permissions = "0400";
17 text = config.myEnv.vpn.eldiron.privateKey; 16 text = config.myEnv.vpn.eldiron.privateKey;
18 } 17 };
19 { 18 "tinc/key.pub" = {
20 dest = "tinc/key.pub";
21 user = "root"; 19 user = "root";
22 group = "root"; 20 group = "root";
23 permissions = "0400"; 21 permissions = "0400";
24 text = config.myEnv.vpn.eldiron.publicKey; 22 text = config.myEnv.vpn.eldiron.publicKey;
25 } 23 };
26 ]; 24 };
27 networking.firewall.allowedTCPPorts = [ 655 1194 ]; 25 networking.firewall.allowedTCPPorts = [ 655 1194 ];
28 system.activationScripts.tinc = let 26 system.activationScripts.tinc = let
29 configFiles = pkgs.runCommand "tinc-files" { 27 configFiles = pkgs.runCommand "tinc-files" {
diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix
index ffae6ec..c4b79f8 100644
--- a/modules/private/websites/chloe/integration.nix
+++ b/modules/private/websites/chloe/integration.nix
@@ -15,29 +15,26 @@ in {
15 15
16 config = lib.mkIf cfg.enable { 16 config = lib.mkIf cfg.enable {
17 services.duplyBackup.profiles.chloe_integration.rootDir = app.varDir; 17 services.duplyBackup.profiles.chloe_integration.rootDir = app.varDir;
18 secrets.keys = [ 18 secrets.keys."websites/chloe/integration" = {
19 { 19 user = apacheUser;
20 dest = "websites/chloe/integration"; 20 group = apacheGroup;
21 user = apacheUser; 21 permissions = "0400";
22 group = apacheGroup; 22 text = ''
23 permissions = "0400"; 23 SetEnv SPIP_CONFIG_DIR "${./config}"
24 text = '' 24 SetEnv SPIP_VAR_DIR "${app.varDir}"
25 SetEnv SPIP_CONFIG_DIR "${./config}" 25 SetEnv SPIP_SITE "chloe-${app.environment}"
26 SetEnv SPIP_VAR_DIR "${app.varDir}" 26 SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu"
27 SetEnv SPIP_SITE "chloe-${app.environment}" 27 SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu"
28 SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" 28 SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}"
29 SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" 29 SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}"
30 SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}" 30 SetEnv SPIP_LDAP_SEARCH "${ccfg.ldap.filter}"
31 SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}" 31 SetEnv SPIP_MYSQL_HOST "${ccfg.mysql.host}"
32 SetEnv SPIP_LDAP_SEARCH "${ccfg.ldap.filter}" 32 SetEnv SPIP_MYSQL_PORT "${ccfg.mysql.port}"
33 SetEnv SPIP_MYSQL_HOST "${ccfg.mysql.host}" 33 SetEnv SPIP_MYSQL_DB "${ccfg.mysql.database}"
34 SetEnv SPIP_MYSQL_PORT "${ccfg.mysql.port}" 34 SetEnv SPIP_MYSQL_USER "${ccfg.mysql.user}"
35 SetEnv SPIP_MYSQL_DB "${ccfg.mysql.database}" 35 SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}"
36 SetEnv SPIP_MYSQL_USER "${ccfg.mysql.user}" 36 '';
37 SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}" 37 };
38 '';
39 }
40 ];
41 systemd.services.phpfpm-chloe_integration.after = lib.mkAfter [ "mysql.service" ]; 38 systemd.services.phpfpm-chloe_integration.after = lib.mkAfter [ "mysql.service" ];
42 systemd.services.phpfpm-chloe_integration.wants = [ "mysql.service" ]; 39 systemd.services.phpfpm-chloe_integration.wants = [ "mysql.service" ];
43 services.phpfpm.pools.chloe_integration = { 40 services.phpfpm.pools.chloe_integration = {
diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix
index 7f8f1de..92ae05b 100644
--- a/modules/private/websites/chloe/production.nix
+++ b/modules/private/websites/chloe/production.nix
@@ -16,29 +16,26 @@ in {
16 config = lib.mkIf cfg.enable { 16 config = lib.mkIf cfg.enable {
17 services.duplyBackup.profiles.chloe_production.rootDir = app.varDir; 17 services.duplyBackup.profiles.chloe_production.rootDir = app.varDir;
18 services.duplyBackup.profiles.chloe_production.remotes = ["eriomem" "ovh"]; 18 services.duplyBackup.profiles.chloe_production.remotes = ["eriomem" "ovh"];
19 secrets.keys = [ 19 secrets.keys."websites/chloe/production" = {
20 { 20 user = apacheUser;
21 dest = "websites/chloe/production"; 21 group = apacheGroup;
22 user = apacheUser; 22 permissions = "0400";
23 group = apacheGroup; 23 text = ''
24 permissions = "0400"; 24 SetEnv SPIP_CONFIG_DIR "${./config}"
25 text = '' 25 SetEnv SPIP_VAR_DIR "${app.varDir}"
26 SetEnv SPIP_CONFIG_DIR "${./config}" 26 SetEnv SPIP_SITE "chloe-${app.environment}"
27 SetEnv SPIP_VAR_DIR "${app.varDir}" 27 SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu"
28 SetEnv SPIP_SITE "chloe-${app.environment}" 28 SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu"
29 SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" 29 SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}"
30 SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" 30 SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}"
31 SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}" 31 SetEnv SPIP_LDAP_SEARCH "${ccfg.ldap.filter}"
32 SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}" 32 SetEnv SPIP_MYSQL_HOST "${ccfg.mysql.host}"
33 SetEnv SPIP_LDAP_SEARCH "${ccfg.ldap.filter}" 33 SetEnv SPIP_MYSQL_PORT "${ccfg.mysql.port}"
34 SetEnv SPIP_MYSQL_HOST "${ccfg.mysql.host}" 34 SetEnv SPIP_MYSQL_DB "${ccfg.mysql.database}"
35 SetEnv SPIP_MYSQL_PORT "${ccfg.mysql.port}" 35 SetEnv SPIP_MYSQL_USER "${ccfg.mysql.user}"
36 SetEnv SPIP_MYSQL_DB "${ccfg.mysql.database}" 36 SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}"
37 SetEnv SPIP_MYSQL_USER "${ccfg.mysql.user}" 37 '';
38 SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}" 38 };
39 '';
40 }
41 ];
42 services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ]; 39 services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ];
43 40
44 systemd.services.phpfpm-chloe_production.after = lib.mkAfter [ "mysql.service" ]; 41 systemd.services.phpfpm-chloe_production.after = lib.mkAfter [ "mysql.service" ];
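Review bot: The new `text` block still hands `SPIP_LDAP_SEARCH_PW` and `SPIP_MYSQL_PASSWORD` to PHP through Apache `SetEnv`, so both credentials are present in `$_SERVER`/`getenv()` for every request served by this vhost; the 0400 mode protects the file on disk but not that runtime surface. A comment above `text = ''` such as `# Credentials are exported into the request environment; keep phpinfo()/$_SERVER dumps and verbose error pages disabled on this vhost` would record the trade-off for the next maintainer. The same pattern appears in the isabelle/iridologie.nix section below.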
diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix
index f5b1a16..1b3587a 100644
--- a/modules/private/websites/connexionswing/integration.nix
+++ b/modules/private/websites/connexionswing/integration.nix
@@ -47,31 +47,28 @@ in {
47 phpPackage = pkgs.php72; 47 phpPackage = pkgs.php72;
48 }; 48 };
49 49
50 secrets.keys = [ 50 secrets.keys."websites/connexionswing/integration" = {
51 { 51 user = config.services.httpd.Inte.user;
52 dest = "websites/connexionswing/integration"; 52 group = config.services.httpd.Inte.group;
53 user = config.services.httpd.Inte.user; 53 permissions = "0400";
54 group = config.services.httpd.Inte.group; 54 text = ''
55 permissions = "0400"; 55 # This file is auto-generated during the composer install
56 text = '' 56 parameters:
57 # This file is auto-generated during the composer install 57 database_host: ${secrets.mysql.host}
58 parameters: 58 database_port: ${secrets.mysql.port}
59 database_host: ${secrets.mysql.host} 59 database_name: ${secrets.mysql.database}
60 database_port: ${secrets.mysql.port} 60 database_user: ${secrets.mysql.user}
61 database_name: ${secrets.mysql.database} 61 database_password: ${secrets.mysql.password}
62 database_user: ${secrets.mysql.user} 62 database_server_version: ${pkgs.mariadb.mysqlVersion}
63 database_password: ${secrets.mysql.password} 63 mailer_transport: sendmail
64 database_server_version: ${pkgs.mariadb.mysqlVersion} 64 mailer_host: null
65 mailer_transport: sendmail 65 mailer_user: null
66 mailer_host: null 66 mailer_password: null
67 mailer_user: null 67 subscription_email: ${secrets.email}
68 mailer_password: null 68 allow_robots: true
69 subscription_email: ${secrets.email} 69 secret: ${secrets.secret}
70 allow_robots: true 70 '';
71 secret: ${secrets.secret} 71 };
72 '';
73 }
74 ];
75 72
76 services.websites.env.integration.vhostConfs.connexionswing_integration = { 73 services.websites.env.integration.vhostConfs.connexionswing_integration = {
77 certName = "integration"; 74 certName = "integration";
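Review bot: The first line of the generated parameters file, `# This file is auto-generated during the composer install`, is misleading now that the file is rendered by the secrets module from this Nix expression, and it invites someone to re-run composer expecting it to regenerate. Suggest `# Generated by the NixOS secrets module from connexionswing/integration.nix; manual edits are overwritten on activation`. The same header is carried over unchanged in connexionswing/production.nix, ludivine/integration.nix, ludivine/production.nix, piedsjaloux/integration.nix and piedsjaloux/production.nix.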
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix
index f6a059d..981e95e 100644
--- a/modules/private/websites/connexionswing/production.nix
+++ b/modules/private/websites/connexionswing/production.nix
@@ -48,35 +48,32 @@ in {
48 phpPackage = pkgs.php72; 48 phpPackage = pkgs.php72;
49 }; 49 };
50 50
51 secrets.keys = [ 51 secrets.keys."websites/connexionswing/production" = {
52 { 52 user = config.services.httpd.Prod.user;
53 dest = "websites/connexionswing/production"; 53 group = config.services.httpd.Prod.group;
54 user = config.services.httpd.Prod.user; 54 permissions = "0400";
55 group = config.services.httpd.Prod.group; 55 text = ''
56 permissions = "0400"; 56 # This file is auto-generated during the composer install
57 text = '' 57 parameters:
58 # This file is auto-generated during the composer install 58 database_host: ${secrets.mysql.host}
59 parameters: 59 database_port: ${secrets.mysql.port}
60 database_host: ${secrets.mysql.host} 60 database_name: ${secrets.mysql.database}
61 database_port: ${secrets.mysql.port} 61 database_user: ${secrets.mysql.user}
62 database_name: ${secrets.mysql.database} 62 database_password: ${secrets.mysql.password}
63 database_user: ${secrets.mysql.user} 63 database_server_version: ${pkgs.mariadb.mysqlVersion}
64 database_password: ${secrets.mysql.password} 64 mailer_transport: sendmail
65 database_server_version: ${pkgs.mariadb.mysqlVersion} 65 mailer_host: null
66 mailer_transport: sendmail 66 mailer_user: null
67 mailer_host: null 67 mailer_password: null
68 mailer_user: null 68 subscription_email: ${secrets.email}
69 mailer_password: null 69 allow_robots: true
70 subscription_email: ${secrets.email} 70 secret: ${secrets.secret}
71 allow_robots: true 71 services:
72 secret: ${secrets.secret} 72 swiftmailer.mailer.default.transport:
73 services: 73 class: Swift_SendmailTransport
74 swiftmailer.mailer.default.transport: 74 arguments: ['/run/wrappers/bin/sendmail -bs']
75 class: Swift_SendmailTransport 75 '';
76 arguments: ['/run/wrappers/bin/sendmail -bs'] 76 };
77 '';
78 }
79 ];
80 77
81 services.websites.env.production.vhostConfs.connexionswing_production = { 78 services.websites.env.production.vhostConfs.connexionswing_production = {
82 certName = "connexionswing"; 79 certName = "connexionswing";
diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix
index 8fb6a4d..e819324 100644
--- a/modules/private/websites/default.nix
+++ b/modules/private/websites/default.nix
@@ -109,8 +109,7 @@ in
109 users.users.wwwrun.extraGroups = [ "keys" ]; 109 users.users.wwwrun.extraGroups = [ "keys" ];
110 networking.firewall.allowedTCPPorts = [ 80 443 ]; 110 networking.firewall.allowedTCPPorts = [ 80 443 ];
111 111
112 secrets.keys = [{ 112 secrets.keys."apache-ldap" = {
113 dest = "apache-ldap";
114 user = "wwwrun"; 113 user = "wwwrun";
115 group = "wwwrun"; 114 group = "wwwrun";
116 permissions = "0400"; 115 permissions = "0400";
@@ -126,7 +125,7 @@ in
126 </IfModule> 125 </IfModule>
127 </Macro> 126 </Macro>
128 ''; 127 '';
129 }]; 128 };
130 129
131 system.activationScripts = { 130 system.activationScripts = {
132 httpd = '' 131 httpd = ''
diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix
index 14358d8..87e622a 100644
--- a/modules/private/websites/florian/app.nix
+++ b/modules/private/websites/florian/app.nix
@@ -46,18 +46,16 @@ in {
46 phpPackage = pkgs.php72; 46 phpPackage = pkgs.php72;
47 }; 47 };
48 48
49 secrets.keys = [ 49 secrets.keys = {
50 { 50 "websites/florian/app_passwords" = {
51 dest = "websites/florian/app_passwords";
52 user = config.services.httpd.Inte.user; 51 user = config.services.httpd.Inte.user;
53 group = config.services.httpd.Inte.group; 52 group = config.services.httpd.Inte.group;
54 permissions = "0400"; 53 permissions = "0400";
55 text = '' 54 text = ''
56 invite:${secrets.invite_passwords} 55 invite:${secrets.invite_passwords}
57 ''; 56 '';
58 } 57 };
59 { 58 "websites/florian/app" = {
60 dest = "websites/florian/app";
61 user = config.services.httpd.Inte.user; 59 user = config.services.httpd.Inte.user;
62 group = config.services.httpd.Inte.group; 60 group = config.services.httpd.Inte.group;
63 permissions = "0400"; 61 permissions = "0400";
@@ -75,8 +73,8 @@ in {
75 mailer_password: null 73 mailer_password: null
76 secret: ${secrets.secret} 74 secret: ${secrets.secret}
77 ''; 75 '';
78 } 76 };
79 ]; 77 };
80 78
81 services.websites.env.integration.modules = adminer.apache.modules; 79 services.websites.env.integration.modules = adminer.apache.modules;
82 services.websites.env.integration.vhostConfs.florian_app = { 80 services.websites.env.integration.vhostConfs.florian_app = {
diff --git a/modules/private/websites/immae/temp.nix b/modules/private/websites/immae/temp.nix
index 8518283..61ed9cf 100644
--- a/modules/private/websites/immae/temp.nix
+++ b/modules/private/websites/immae/temp.nix
@@ -28,24 +28,21 @@ in {
28 '' ]; 28 '' ];
29 }; 29 };
30 30
31 secrets.keys = [ 31 secrets.keys."webapps/surfer" = {
32 { 32 permissions = "0400";
33 dest = "webapps/surfer"; 33 user = "wwwrun";
34 permissions = "0400"; 34 group = "wwwrun";
35 user = "wwwrun"; 35 text = ''
36 group = "wwwrun"; 36 CLOUDRON_LDAP_URL=ldaps://${env.ldap.host}
37 text = '' 37 CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base}
38 CLOUDRON_LDAP_URL=ldaps://${env.ldap.host} 38 TOKENSTORE_FILE=/var/lib/surfer/tokens.json
39 CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base} 39 CLOUDRON_LDAP_BIND_DN=${env.ldap.dn}
40 TOKENSTORE_FILE=/var/lib/surfer/tokens.json 40 CLOUDRON_LDAP_BIND_PASSWORD=${env.ldap.password}
41 CLOUDRON_LDAP_BIND_DN=${env.ldap.dn} 41 CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base}
42 CLOUDRON_LDAP_BIND_PASSWORD=${env.ldap.password} 42 CLOUDRON_LDAP_FILTER="${env.ldap.filter}"
43 CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base} 43 LISTEN=/run/surfer/listen.sock
44 CLOUDRON_LDAP_FILTER="${env.ldap.filter}" 44 '';
45 LISTEN=/run/surfer/listen.sock 45 };
46 '';
47 }
48 ];
49 46
50 systemd.services.surfer = { 47 systemd.services.surfer = {
51 description = "Surfer"; 48 description = "Surfer";
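Review bot: `CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base}` is written twice into the surfer environment file (new lines 37 and 41), so the file's effective value depends on how the consumer resolves duplicate keys; drop the second occurrence. `CLOUDRON_LDAP_FILTER` is the only value wrapped in double quotes, which is presumably intentional because filters contain parentheses, but whether the quotes are stripped or kept literally depends on the loader used by the `systemd.services.surfer` unit, which starts after this hunk, so a one-line comment stating the expected loader would help.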
diff --git a/modules/private/websites/isabelle/aten_integration.nix b/modules/private/websites/isabelle/aten_integration.nix
index 6f8f985..899ee66 100644
--- a/modules/private/websites/isabelle/aten_integration.nix
+++ b/modules/private/websites/isabelle/aten_integration.nix
@@ -41,8 +41,7 @@ in {
41 phpPackage = pkgs.php72; 41 phpPackage = pkgs.php72;
42 }; 42 };
43 43
44 secrets.keys = [{ 44 secrets.keys."websites/isabelle/aten_integration" = {
45 dest = "websites/isabelle/aten_integration";
46 user = config.services.httpd.Inte.user; 45 user = config.services.httpd.Inte.user;
47 group = config.services.httpd.Inte.group; 46 group = config.services.httpd.Inte.group;
48 permissions = "0400"; 47 permissions = "0400";
@@ -56,7 +55,7 @@ in {
56 SetEnv APP_SECRET "${secrets.secret}" 55 SetEnv APP_SECRET "${secrets.secret}"
57 SetEnv DATABASE_URL "${psql_url}" 56 SetEnv DATABASE_URL "${psql_url}"
58 ''; 57 '';
59 }]; 58 };
60 services.websites.env.integration.vhostConfs.isabelle_aten_integration = { 59 services.websites.env.integration.vhostConfs.isabelle_aten_integration = {
61 certName = "integration"; 60 certName = "integration";
62 addToCerts = true; 61 addToCerts = true;
diff --git a/modules/private/websites/isabelle/aten_production.nix b/modules/private/websites/isabelle/aten_production.nix
index 3671712..b8d12b9 100644
--- a/modules/private/websites/isabelle/aten_production.nix
+++ b/modules/private/websites/isabelle/aten_production.nix
@@ -42,8 +42,7 @@ in {
42 phpPackage = pkgs.php72; 42 phpPackage = pkgs.php72;
43 }; 43 };
44 44
45 secrets.keys = [{ 45 secrets.keys."websites/isabelle/aten_production" = {
46 dest = "websites/isabelle/aten_production";
47 user = config.services.httpd.Prod.user; 46 user = config.services.httpd.Prod.user;
48 group = config.services.httpd.Prod.group; 47 group = config.services.httpd.Prod.group;
49 permissions = "0400"; 48 permissions = "0400";
@@ -57,7 +56,7 @@ in {
57 SetEnv APP_SECRET "${secrets.secret}" 56 SetEnv APP_SECRET "${secrets.secret}"
58 SetEnv DATABASE_URL "${psql_url}" 57 SetEnv DATABASE_URL "${psql_url}"
59 ''; 58 '';
60 }]; 59 };
61 services.websites.env.production.vhostConfs.isabelle_aten_production = { 60 services.websites.env.production.vhostConfs.isabelle_aten_production = {
62 certName = "isabelle"; 61 certName = "isabelle";
63 certMainHost = "aten.pro"; 62 certMainHost = "aten.pro";
diff --git a/modules/private/websites/isabelle/iridologie.nix b/modules/private/websites/isabelle/iridologie.nix
index 14296bf..decda36 100644
--- a/modules/private/websites/isabelle/iridologie.nix
+++ b/modules/private/websites/isabelle/iridologie.nix
@@ -18,29 +18,26 @@ in {
18 config = lib.mkIf cfg.enable { 18 config = lib.mkIf cfg.enable {
19 services.duplyBackup.profiles.isabelle_iridologie.rootDir = app.varDir; 19 services.duplyBackup.profiles.isabelle_iridologie.rootDir = app.varDir;
20 services.duplyBackup.profiles.isabelle_iridologie.remotes = ["eriomem" "ovh"]; 20 services.duplyBackup.profiles.isabelle_iridologie.remotes = ["eriomem" "ovh"];
21 secrets.keys = [ 21 secrets.keys."websites/isabelle/iridologie" = {
22 { 22 user = apacheUser;
23 dest = "websites/isabelle/iridologie"; 23 group = apacheGroup;
24 user = apacheUser; 24 permissions = "0400";
25 group = apacheGroup; 25 text = ''
26 permissions = "0400"; 26 SetEnv SPIP_CONFIG_DIR "${./config}"
27 text = '' 27 SetEnv SPIP_VAR_DIR "${app.varDir}"
28 SetEnv SPIP_CONFIG_DIR "${./config}" 28 SetEnv SPIP_SITE "iridologie-${app.environment}"
29 SetEnv SPIP_VAR_DIR "${app.varDir}" 29 SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu"
30 SetEnv SPIP_SITE "iridologie-${app.environment}" 30 SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu"
31 SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" 31 SetEnv SPIP_LDAP_SEARCH_DN "${icfg.ldap.dn}"
32 SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" 32 SetEnv SPIP_LDAP_SEARCH_PW "${icfg.ldap.password}"
33 SetEnv SPIP_LDAP_SEARCH_DN "${icfg.ldap.dn}" 33 SetEnv SPIP_LDAP_SEARCH "${icfg.ldap.filter}"
34 SetEnv SPIP_LDAP_SEARCH_PW "${icfg.ldap.password}" 34 SetEnv SPIP_MYSQL_HOST "${icfg.mysql.host}"
35 SetEnv SPIP_LDAP_SEARCH "${icfg.ldap.filter}" 35 SetEnv SPIP_MYSQL_PORT "${icfg.mysql.port}"
36 SetEnv SPIP_MYSQL_HOST "${icfg.mysql.host}" 36 SetEnv SPIP_MYSQL_DB "${icfg.mysql.database}"
37 SetEnv SPIP_MYSQL_PORT "${icfg.mysql.port}" 37 SetEnv SPIP_MYSQL_USER "${icfg.mysql.user}"
38 SetEnv SPIP_MYSQL_DB "${icfg.mysql.database}" 38 SetEnv SPIP_MYSQL_PASSWORD "${icfg.mysql.password}"
39 SetEnv SPIP_MYSQL_USER "${icfg.mysql.user}" 39 '';
40 SetEnv SPIP_MYSQL_PASSWORD "${icfg.mysql.password}" 40 };
41 '';
42 }
43 ];
44 services.webstats.sites = [ { name = "iridologie.icommandeur.org"; } ]; 41 services.webstats.sites = [ { name = "iridologie.icommandeur.org"; } ];
45 42
46 systemd.services.phpfpm-isabelle_iridologie.after = lib.mkAfter [ "mysql.service" ]; 43 systemd.services.phpfpm-isabelle_iridologie.after = lib.mkAfter [ "mysql.service" ];
diff --git a/modules/private/websites/jerome/naturaloutil.nix b/modules/private/websites/jerome/naturaloutil.nix
index 95d7e78..0974ce3 100644
--- a/modules/private/websites/jerome/naturaloutil.nix
+++ b/modules/private/websites/jerome/naturaloutil.nix
@@ -15,8 +15,7 @@ in {
15 15
16 security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; 16 security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null;
17 17
18 secrets.keys = [{ 18 secrets.keys."websites/jerome/naturaloutil" = {
19 dest = "websites/jerome/naturaloutil";
20 user = apacheUser; 19 user = apacheUser;
21 group = apacheGroup; 20 group = apacheGroup;
22 permissions = "0400"; 21 permissions = "0400";
@@ -35,7 +34,7 @@ in {
35 $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password); 34 $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password);
36 ?> 35 ?>
37 ''; 36 '';
38 }]; 37 };
39 system.activationScripts.jerome_naturaloutil = { 38 system.activationScripts.jerome_naturaloutil = {
40 deps = [ "httpd" ]; 39 deps = [ "httpd" ];
41 text = '' 40 text = ''
diff --git a/modules/private/websites/ludivine/integration.nix b/modules/private/websites/ludivine/integration.nix
index 4357b93..cfef385 100644
--- a/modules/private/websites/ludivine/integration.nix
+++ b/modules/private/websites/ludivine/integration.nix
@@ -50,44 +50,41 @@ in {
50 phpPackage = pkgs.php72; 50 phpPackage = pkgs.php72;
51 }; 51 };
52 52
53 secrets.keys = [ 53 secrets.keys."websites/ludivine/integration" = {
54 { 54 user = config.services.httpd.Inte.user;
55 dest = "websites/ludivine/integration"; 55 group = config.services.httpd.Inte.group;
56 user = config.services.httpd.Inte.user; 56 permissions = "0400";
57 group = config.services.httpd.Inte.group; 57 text = ''
58 permissions = "0400"; 58 # This file is auto-generated during the composer install
59 text = '' 59 parameters:
60 # This file is auto-generated during the composer install 60 database_host: ${secrets.mysql.host}
61 parameters: 61 database_port: ${secrets.mysql.port}
62 database_host: ${secrets.mysql.host} 62 database_name: ${secrets.mysql.database}
63 database_port: ${secrets.mysql.port} 63 database_user: ${secrets.mysql.user}
64 database_name: ${secrets.mysql.database} 64 database_password: ${secrets.mysql.password}
65 database_user: ${secrets.mysql.user} 65 database_server_version: ${pkgs.mariadb.mysqlVersion}
66 database_password: ${secrets.mysql.password} 66 mailer_transport: smtp
67 database_server_version: ${pkgs.mariadb.mysqlVersion} 67 mailer_host: 127.0.0.1
68 mailer_transport: smtp 68 mailer_user: null
69 mailer_host: 127.0.0.1 69 mailer_password: null
70 mailer_user: null 70 secret: ${secrets.secret}
71 mailer_password: null 71 ldap_host: ldap.immae.eu
72 secret: ${secrets.secret} 72 ldap_port: 636
73 ldap_host: ldap.immae.eu 73 ldap_version: 3
74 ldap_port: 636 74 ldap_ssl: true
75 ldap_version: 3 75 ldap_tls: false
76 ldap_ssl: true 76 ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
77 ldap_tls: false 77 ldap_base_dn: 'dc=immae,dc=eu'
78 ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu' 78 ldap_search_dn: '${secrets.ldap.dn}'
79 ldap_base_dn: 'dc=immae,dc=eu' 79 ldap_search_password: '${secrets.ldap.password}'
80 ldap_search_dn: '${secrets.ldap.dn}' 80 ldap_search_filter: '${secrets.ldap.filter}'
81 ldap_search_password: '${secrets.ldap.password}' 81 leapt_im:
82 ldap_search_filter: '${secrets.ldap.filter}' 82 binary_path: ${pkgs.imagemagick}/bin
83 leapt_im: 83 assetic:
84 binary_path: ${pkgs.imagemagick}/bin 84 sass: ${pkgs.sass}/bin/sass
85 assetic: 85 ruby: ${pkgs.ruby}/bin/ruby
86 sass: ${pkgs.sass}/bin/sass 86 '';
87 ruby: ${pkgs.ruby}/bin/ruby 87 };
88 '';
89 }
90 ];
91 88
92 services.websites.env.integration.vhostConfs.ludivine_integration = { 89 services.websites.env.integration.vhostConfs.ludivine_integration = {
93 certName = "integration"; 90 certName = "integration";
diff --git a/modules/private/websites/ludivine/production.nix b/modules/private/websites/ludivine/production.nix
index 3a9895d..73b63a2 100644
--- a/modules/private/websites/ludivine/production.nix
+++ b/modules/private/websites/ludivine/production.nix
@@ -53,44 +53,41 @@ in {
53 phpPackage = pkgs.php72; 53 phpPackage = pkgs.php72;
54 }; 54 };
55 55
56 secrets.keys = [ 56 secrets.keys."websites/ludivine/production" = {
57 { 57 user = config.services.httpd.Prod.user;
58 dest = "websites/ludivine/production"; 58 group = config.services.httpd.Prod.group;
59 user = config.services.httpd.Prod.user; 59 permissions = "0400";
60 group = config.services.httpd.Prod.group; 60 text = ''
61 permissions = "0400"; 61 # This file is auto-generated during the composer install
62 text = '' 62 parameters:
63 # This file is auto-generated during the composer install 63 database_host: ${secrets.mysql.host}
64 parameters: 64 database_port: ${secrets.mysql.port}
65 database_host: ${secrets.mysql.host} 65 database_name: ${secrets.mysql.database}
66 database_port: ${secrets.mysql.port} 66 database_user: ${secrets.mysql.user}
67 database_name: ${secrets.mysql.database} 67 database_password: ${secrets.mysql.password}
68 database_user: ${secrets.mysql.user} 68 database_server_version: ${pkgs.mariadb.mysqlVersion}
69 database_password: ${secrets.mysql.password} 69 mailer_transport: smtp
70 database_server_version: ${pkgs.mariadb.mysqlVersion} 70 mailer_host: 127.0.0.1
71 mailer_transport: smtp 71 mailer_user: null
72 mailer_host: 127.0.0.1 72 mailer_password: null
73 mailer_user: null 73 secret: ${secrets.secret}
74 mailer_password: null 74 ldap_host: ldap.immae.eu
75 secret: ${secrets.secret} 75 ldap_port: 636
76 ldap_host: ldap.immae.eu 76 ldap_version: 3
77 ldap_port: 636 77 ldap_ssl: true
78 ldap_version: 3 78 ldap_tls: false
79 ldap_ssl: true 79 ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
80 ldap_tls: false 80 ldap_base_dn: 'dc=immae,dc=eu'
81 ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu' 81 ldap_search_dn: '${secrets.ldap.dn}'
82 ldap_base_dn: 'dc=immae,dc=eu' 82 ldap_search_password: '${secrets.ldap.password}'
83 ldap_search_dn: '${secrets.ldap.dn}' 83 ldap_search_filter: '${secrets.ldap.filter}'
84 ldap_search_password: '${secrets.ldap.password}' 84 leapt_im:
85 ldap_search_filter: '${secrets.ldap.filter}' 85 binary_path: ${pkgs.imagemagick}/bin
86 leapt_im: 86 assetic:
87 binary_path: ${pkgs.imagemagick}/bin 87 sass: ${pkgs.sass}/bin/sass
88 assetic: 88 ruby: ${pkgs.ruby}/bin/ruby
89 sass: ${pkgs.sass}/bin/sass 89 '';
90 ruby: ${pkgs.ruby}/bin/ruby 90 };
91 '';
92 }
93 ];
94 91
95 services.websites.env.production.vhostConfs.ludivine_production = { 92 services.websites.env.production.vhostConfs.ludivine_production = {
96 certName = "ludivine"; 93 certName = "ludivine";
diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix
index dc98900..f501eba 100644
--- a/modules/private/websites/piedsjaloux/integration.nix
+++ b/modules/private/websites/piedsjaloux/integration.nix
@@ -52,32 +52,29 @@ in {
52 phpPackage = pkgs.php72; 52 phpPackage = pkgs.php72;
53 }; 53 };
54 54
55 secrets.keys = [ 55 secrets.keys."websites/piedsjaloux/integration" = {
56 { 56 user = config.services.httpd.Inte.user;
57 dest = "websites/piedsjaloux/integration"; 57 group = config.services.httpd.Inte.group;
58 user = config.services.httpd.Inte.user; 58 permissions = "0400";
59 group = config.services.httpd.Inte.group; 59 text = ''
60 permissions = "0400"; 60 # This file is auto-generated during the composer install
61 text = '' 61 parameters:
62 # This file is auto-generated during the composer install 62 database_host: ${secrets.mysql.host}
63 parameters: 63 database_port: ${secrets.mysql.port}
64 database_host: ${secrets.mysql.host} 64 database_name: ${secrets.mysql.database}
65 database_port: ${secrets.mysql.port} 65 database_user: ${secrets.mysql.user}
66 database_name: ${secrets.mysql.database} 66 database_password: ${secrets.mysql.password}
67 database_user: ${secrets.mysql.user} 67 database_server_version: ${pkgs.mariadb.mysqlVersion}
68 database_password: ${secrets.mysql.password} 68 mailer_transport: smtp
69 database_server_version: ${pkgs.mariadb.mysqlVersion} 69 mailer_host: 127.0.0.1
70 mailer_transport: smtp 70 mailer_user: null
71 mailer_host: 127.0.0.1 71 mailer_password: null
72 mailer_user: null 72 secret: ${secrets.secret}
73 mailer_password: null 73 pdflatex: "${texlive}/bin/pdflatex"
74 secret: ${secrets.secret} 74 leapt_im:
75 pdflatex: "${texlive}/bin/pdflatex" 75 binary_path: ${pkgs.imagemagick}/bin
76 leapt_im: 76 '';
77 binary_path: ${pkgs.imagemagick}/bin 77 };
78 '';
79 }
80 ];
81 78
82 services.websites.env.integration.vhostConfs.piedsjaloux_integration = { 79 services.websites.env.integration.vhostConfs.piedsjaloux_integration = {
83 certName = "integration"; 80 certName = "integration";
diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix
index e12b046..fed5a0f 100644
--- a/modules/private/websites/piedsjaloux/production.nix
+++ b/modules/private/websites/piedsjaloux/production.nix
@@ -55,32 +55,29 @@ in {
55 phpPackage = pkgs.php72; 55 phpPackage = pkgs.php72;
56 }; 56 };
57 57
58 secrets.keys = [ 58 secrets.keys."websites/piedsjaloux/production" = {
59 { 59 user = config.services.httpd.Prod.user;
60 dest = "websites/piedsjaloux/production"; 60 group = config.services.httpd.Prod.group;
61 user = config.services.httpd.Prod.user; 61 permissions = "0400";
62 group = config.services.httpd.Prod.group; 62 text = ''
63 permissions = "0400"; 63 # This file is auto-generated during the composer install
64 text = '' 64 parameters:
65 # This file is auto-generated during the composer install 65 database_host: ${secrets.mysql.host}
66 parameters: 66 database_port: ${secrets.mysql.port}
67 database_host: ${secrets.mysql.host} 67 database_name: ${secrets.mysql.database}
68 database_port: ${secrets.mysql.port} 68 database_user: ${secrets.mysql.user}
69 database_name: ${secrets.mysql.database} 69 database_password: ${secrets.mysql.password}
70 database_user: ${secrets.mysql.user} 70 database_server_version: ${pkgs.mariadb.mysqlVersion}
71 database_password: ${secrets.mysql.password} 71 mailer_transport: smtp
72 database_server_version: ${pkgs.mariadb.mysqlVersion} 72 mailer_host: 127.0.0.1
73 mailer_transport: smtp 73 mailer_user: null
74 mailer_host: 127.0.0.1 74 mailer_password: null
75 mailer_user: null 75 secret: ${secrets.secret}
76 mailer_password: null 76 pdflatex: "${texlive}/bin/pdflatex"
77 secret: ${secrets.secret} 77 leapt_im:
78 pdflatex: "${texlive}/bin/pdflatex" 78 binary_path: ${pkgs.imagemagick}/bin
79 leapt_im: 79 '';
80 binary_path: ${pkgs.imagemagick}/bin 80 };
81 '';
82 }
83 ];
84 81
85 services.websites.env.production.vhostConfs.piedsjaloux_production = { 82 services.websites.env.production.vhostConfs.piedsjaloux_production = {
86 certName = "piedsjaloux"; 83 certName = "piedsjaloux";
diff --git a/modules/private/websites/richie/production.nix b/modules/private/websites/richie/production.nix
index 2d85175..3efa9f0 100644
--- a/modules/private/websites/richie/production.nix
+++ b/modules/private/websites/richie/production.nix
@@ -29,8 +29,7 @@ in
29 services.duplyBackup.profiles.richie_production.remotes = ["eriomem" "ovh"]; 29 services.duplyBackup.profiles.richie_production.remotes = ["eriomem" "ovh"];
30 services.webstats.sites = [ { name = "europe-richie.org"; } ]; 30 services.webstats.sites = [ { name = "europe-richie.org"; } ];
31 31
32 secrets.keys = [{ 32 secrets.keys."websites/richie/production" = {
33 dest = "websites/richie/production";
34 user = apacheUser; 33 user = apacheUser;
35 group = apacheGroup; 34 group = apacheGroup;
36 permissions = "0400"; 35 permissions = "0400";
@@ -48,7 +47,7 @@ in
48 $smtp_mailer->Auth('${smtp_mailer.user}', '${smtp_mailer.password}'); 47 $smtp_mailer->Auth('${smtp_mailer.user}', '${smtp_mailer.password}');
49 ?> 48 ?>
50 ''; 49 '';
51 }]; 50 };
52 services.websites.webappDirs.richie_production = richieSrc; 51 services.websites.webappDirs.richie_production = richieSrc;
53 system.activationScripts.richie_production = { 52 system.activationScripts.richie_production = {
54 deps = [ "httpd" ]; 53 deps = [ "httpd" ];
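Review bot: `$smtp_mailer->Auth('${smtp_mailer.user}', '${smtp_mailer.password}')` splices the credential into a PHP single-quoted literal without escaping, so a password containing `'` or `\` yields a syntactically broken or altered PHP file at activation, and the failure only shows up at request time. If `lib` is in scope here (the file header is outside the hunk), `'${lib.escape [ "'" "\\" ] smtp_mailer.password}'` keeps the generated file well-formed for any value; otherwise a comment stating the constraint on the secret would do.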
diff --git a/modules/private/websites/syden/peertube.nix b/modules/private/websites/syden/peertube.nix
index aa465d7..4036eac 100644
--- a/modules/private/websites/syden/peertube.nix
+++ b/modules/private/websites/syden/peertube.nix
@@ -23,8 +23,7 @@ in
23 }; 23 };
24 users.groups.peertube.gid = config.ids.gids.peertube; 24 users.groups.peertube.gid = config.ids.gids.peertube;
25 25
26 secrets.keys = [{ 26 secrets.keys."websites/syden/peertube" = {
27 dest = "websites/syden/peertube";
28 user = "peertube"; 27 user = "peertube";
29 group = "peertube"; 28 group = "peertube";
30 permissions = "0640"; 29 permissions = "0640";
@@ -67,7 +66,7 @@ in
67 plugins: '${dataDir}/storage/plugins/' 66 plugins: '${dataDir}/storage/plugins/'
68 client_overrides: '${dataDir}/storage/client-overrides/' 67 client_overrides: '${dataDir}/storage/client-overrides/'
69 ''; 68 '';
70 }]; 69 };
71 70
72 services.filesWatcher.syden_peertube = { 71 services.filesWatcher.syden_peertube = {
73 restart = true; 72 restart = true;
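Review bot: `permissions = "0640";` leaves the PeerTube configuration group-readable, while every other key in this commit uses `0400` or `0600`; the visible part of the file holds storage paths, but the rest of the `text` block between the two hunks is not shown here, so I cannot tell whether credentials are included. If only the `peertube` service user needs the file, `permissions = "0400";` matches the rest of the tree; if another member of group `peertube` must read it, a comment naming that reader next to the mode would justify the exception.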
diff --git a/modules/private/websites/tools/cloud/default.nix b/modules/private/websites/tools/cloud/default.nix
index 471858a..fc0aae6 100644
--- a/modules/private/websites/tools/cloud/default.nix
+++ b/modules/private/websites/tools/cloud/default.nix
@@ -73,8 +73,7 @@ in {
73 ]; 73 ];
74 }; 74 };
75 75
76 secrets.keys = [{ 76 secrets.keys."webapps/tools-nextcloud" = {
77 dest = "webapps/tools-nextcloud";
78 user = "wwwrun"; 77 user = "wwwrun";
79 group = "wwwrun"; 78 group = "wwwrun";
80 permissions = "0600"; 79 permissions = "0600";
@@ -133,7 +132,7 @@ in {
133 'has_rebuilt_cache' => true, 132 'has_rebuilt_cache' => true,
134 ); 133 );
135 ''; 134 '';
136 }]; 135 };
137 users.users.root.packages = let 136 users.users.root.packages = let
138 occ = pkgs.writeScriptBin "nextcloud-occ" '' 137 occ = pkgs.writeScriptBin "nextcloud-occ" ''
139 #! ${pkgs.stdenv.shell} 138 #! ${pkgs.stdenv.shell}
diff --git a/modules/private/websites/tools/commento/default.nix b/modules/private/websites/tools/commento/default.nix
index d0e7d24..c36255b 100644
--- a/modules/private/websites/tools/commento/default.nix
+++ b/modules/private/websites/tools/commento/default.nix
@@ -12,10 +12,9 @@ in
12 enable = lib.mkEnableOption "Enable commento website"; 12 enable = lib.mkEnableOption "Enable commento website";
13 }; 13 };
14 config = lib.mkIf cfg.enable { 14 config = lib.mkIf cfg.enable {
15 secrets.keys = [ 15 secrets.keys = {
16 { 16 "commento/env" = {
17 dest = "commento/env"; 17 permissions = "0400";
18 permission = "0400";
19 text = '' 18 text = ''
20 COMMENTO_ORIGIN=https://commento.immae.eu/ 19 COMMENTO_ORIGIN=https://commento.immae.eu/
21 COMMENTO_PORT=${port} 20 COMMENTO_PORT=${port}
@@ -29,8 +28,8 @@ in
29 COMMENTO_SMTP_PASSWORD=${env.smtp.password} 28 COMMENTO_SMTP_PASSWORD=${env.smtp.password}
30 COMMENTO_SMTP_FROM_ADDRESS=${env.smtp.email} 29 COMMENTO_SMTP_FROM_ADDRESS=${env.smtp.email}
31 ''; 30 '';
32 } 31 };
33 ]; 32 };
34 33
35 services.websites.env.tools.vhostConfs.commento = { 34 services.websites.env.tools.vhostConfs.commento = {
36 certName = "eldiron"; 35 certName = "eldiron";
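Review bot: The new side corrects the old `permission = "0400";` to `permissions = "0400";`, which is a behavioural fix hidden inside a refactor: if the secrets module ignored the misspelled option, `commento/env` (which carries `COMMENTO_SMTP_PASSWORD`) was previously created with the module's default mode, so this deserves a mention in the commit message or a comment. This key also sets no `user`/`group`, unlike every other key in the change, so whether the commento service can read a 0400 file depends on the module's default owner; adding explicit `user`/`group` lines, or a comment stating that root ownership is intended, would make that explicit.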
diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix
index eeac1b5..9e4056a 100644
--- a/modules/private/websites/tools/dav/davical.nix
+++ b/modules/private/websites/tools/dav/davical.nix
@@ -6,8 +6,7 @@ rec {
6 install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/davical 6 install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/davical
7 ''; 7 '';
8 }; 8 };
9 keys = [{ 9 keys."webapps/dav-davical" = {
10 dest = "webapps/dav-davical";
11 user = apache.user; 10 user = apache.user;
12 group = apache.group; 11 group = apache.group;
13 permissions = "0400"; 12 permissions = "0400";
@@ -64,7 +63,7 @@ rec {
64 $c->do_not_sync_from_ldap = array('admin' => true); 63 $c->do_not_sync_from_ldap = array('admin' => true);
65 include('drivers_ldap.php'); 64 include('drivers_ldap.php');
66 ''; 65 '';
67 }]; 66 };
68 webapp = davical.override { davical_config = config.secrets.fullPaths."webapps/dav-davical"; }; 67 webapp = davical.override { davical_config = config.secrets.fullPaths."webapps/dav-davical"; };
69 webRoot = "${webapp}/htdocs"; 68 webRoot = "${webapp}/htdocs";
70 apache = rec { 69 apache = rec {
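Review bot: `keys."webapps/dav-davical" = {` changes the type of the `keys` attribute of this plain `rec { … }` set from a list to an attribute set, but the consumer that merges it into `secrets.keys` is not in this file section, so this hunk alone does not show that the call site was updated. If the consumer still concatenates with `++`, evaluation fails; it needs `//` or the module system's attrset merging. A one-line comment above the attribute, `# merged into secrets.keys by the caller; must stay an attrset`, would pin the contract.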
diff --git a/modules/private/websites/tools/diaspora/default.nix b/modules/private/websites/tools/diaspora/default.nix
index 663fe88..9119ead 100644
--- a/modules/private/websites/tools/diaspora/default.nix
+++ b/modules/private/websites/tools/diaspora/default.nix
@@ -16,16 +16,14 @@ in {
16 }; 16 };
17 users.users.diaspora.extraGroups = [ "keys" ]; 17 users.users.diaspora.extraGroups = [ "keys" ];
18 18
19 secrets.keys = [ 19 secrets.keys = {
20 { 20 "webapps/diaspora" = {
21 dest = "webapps/diaspora";
22 isDir = true; 21 isDir = true;
23 user = "diaspora"; 22 user = "diaspora";
24 group = "diaspora"; 23 group = "diaspora";
25 permissions = "0500"; 24 permissions = "0500";
26 } 25 };
27 { 26 "webapps/diaspora/diaspora.yml" = {
28 dest = "webapps/diaspora/diaspora.yml";
29 user = "diaspora"; 27 user = "diaspora";
30 group = "diaspora"; 28 group = "diaspora";
31 permissions = "0400"; 29 permissions = "0400";
@@ -102,9 +100,8 @@ in {
102 development: 100 development:
103 environment: 101 environment:
104 ''; 102 '';
105 } 103 };
106 { 104 "webapps/diaspora/database.yml" = {
107 dest = "webapps/diaspora/database.yml";
108 user = "diaspora"; 105 user = "diaspora";
109 group = "diaspora"; 106 group = "diaspora";
110 permissions = "0400"; 107 permissions = "0400";
@@ -136,17 +133,16 @@ in {
136 <<: *combined 133 <<: *combined
137 database: diaspora_integration2 134 database: diaspora_integration2
138 ''; 135 '';
139 } 136 };
140 { 137 "webapps/diaspora/secret_token.rb" = {
141 dest = "webapps/diaspora/secret_token.rb";
142 user = "diaspora"; 138 user = "diaspora";
143 group = "diaspora"; 139 group = "diaspora";
144 permissions = "0400"; 140 permissions = "0400";
145 text = '' 141 text = ''
146 Diaspora::Application.config.secret_key_base = '${env.secret_token}' 142 Diaspora::Application.config.secret_key_base = '${env.secret_token}'
147 ''; 143 '';
148 } 144 };
149 ]; 145 };
150 146
151 services.diaspora = { 147 services.diaspora = {
152 enable = true; 148 enable = true;
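Review bot: The `"webapps/diaspora"` entry with `isDir = true` and mode `0500` used to precede its three files by list position; as an attrset, entries are visited by name order, which here still sorts the directory ahead of `"webapps/diaspora/..."`, but that now depends on the names rather than on declaration order. If the secrets module (flakes/secrets/flake.nix, not in view) creates entries in iteration order, a one-line comment on the `isDir` entry such as `# directory entry: must exist before the files declared under it` would make the assumption explicit; whether the module orders directories first itself cannot be told from this hunk.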
diff --git a/modules/private/websites/tools/ether/default.nix b/modules/private/websites/tools/ether/default.nix
index 64e411d..d5c65a9 100644
--- a/modules/private/websites/tools/ether/default.nix
+++ b/modules/private/websites/tools/ether/default.nix
@@ -15,19 +15,16 @@ in {
15 services.duplyBackup.profiles.etherpad-lite = { 15 services.duplyBackup.profiles.etherpad-lite = {
16 rootDir = "/var/lib/private/etherpad-lite"; 16 rootDir = "/var/lib/private/etherpad-lite";
17 }; 17 };
18 secrets.keys = [ 18 secrets.keys = {
19 { 19 "webapps/tools-etherpad-apikey" = {
20 dest = "webapps/tools-etherpad-apikey";
21 permissions = "0400"; 20 permissions = "0400";
22 text = env.api_key; 21 text = env.api_key;
23 } 22 };
24 { 23 "webapps/tools-etherpad-sessionkey" = {
25 dest = "webapps/tools-etherpad-sessionkey";
26 permissions = "0400"; 24 permissions = "0400";
27 text = env.session_key; 25 text = env.session_key;
28 } 26 };
29 { 27 "webapps/tools-etherpad" = {
30 dest = "webapps/tools-etherpad";
31 permissions = "0400"; 28 permissions = "0400";
32 text = '' 29 text = ''
33 { 30 {
@@ -152,8 +149,8 @@ in {
152 "logconfig" : { "appenders": [ { "type": "console" } ] } 149 "logconfig" : { "appenders": [ { "type": "console" } ] }
153 } 150 }
154 ''; 151 '';
155 } 152 };
156 ]; 153 };
157 services.etherpad-lite = { 154 services.etherpad-lite = {
158 enable = true; 155 enable = true;
159 package = pkgs.webapps.etherpad-lite.withModules (p: [ 156 package = pkgs.webapps.etherpad-lite.withModules (p: [
diff --git a/modules/private/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix
index e6a8da7..033a651 100644
--- a/modules/private/websites/tools/git/mantisbt.nix
+++ b/modules/private/websites/tools/git/mantisbt.nix
@@ -6,8 +6,7 @@ rec {
6 install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/mantisbt 6 install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/mantisbt
7 ''; 7 '';
8 }; 8 };
9 keys = [{ 9 keys."webapps/tools-mantisbt" = {
10 dest = "webapps/tools-mantisbt";
11 user = apache.user; 10 user = apache.user;
12 group = apache.group; 11 group = apache.group;
13 permissions = "0400"; 12 permissions = "0400";
@@ -45,7 +44,7 @@ rec {
45 $g_ldap_realname_field = 'cn'; 44 $g_ldap_realname_field = 'cn';
46 $g_ldap_organization = '${env.ldap.filter}'; 45 $g_ldap_organization = '${env.ldap.filter}';
47 ''; 46 '';
48 }]; 47 };
49 webRoot = (mantisbt_2.override { mantis_config = config.secrets.fullPaths."webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]); 48 webRoot = (mantisbt_2.override { mantis_config = config.secrets.fullPaths."webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]);
50 apache = rec { 49 apache = rec {
51 user = "wwwrun"; 50 user = "wwwrun";
diff --git a/modules/private/websites/tools/mail/roundcubemail.nix b/modules/private/websites/tools/mail/roundcubemail.nix
index 7d8e733..92de28e 100644
--- a/modules/private/websites/tools/mail/roundcubemail.nix
+++ b/modules/private/websites/tools/mail/roundcubemail.nix
@@ -9,8 +9,7 @@ rec {
9 install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions 9 install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
10 ''; 10 '';
11 }; 11 };
12 keys = [{ 12 keys."webapps/tools-roundcube" = {
13 dest = "webapps/tools-roundcube";
14 user = apache.user; 13 user = apache.user;
15 group = apache.group; 14 group = apache.group;
16 permissions = "0400"; 15 permissions = "0400";
@@ -74,7 +73,7 @@ rec {
74 $config['temp_dir'] = '${varDir}/cache'; 73 $config['temp_dir'] = '${varDir}/cache';
75 $config['mime_types'] = '${apacheHttpd}/conf/mime.types'; 74 $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
76 ''; 75 '';
77 }]; 76 };
78 webRoot = (roundcubemail.override { roundcube_config = config.secrets.fullPaths."webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]); 77 webRoot = (roundcubemail.override { roundcube_config = config.secrets.fullPaths."webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]);
79 apache = rec { 78 apache = rec {
80 user = "wwwrun"; 79 user = "wwwrun";
diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix
index cea8710..87e8d72 100644
--- a/modules/private/websites/tools/mastodon/default.nix
+++ b/modules/private/websites/tools/mastodon/default.nix
@@ -13,8 +13,7 @@ in {
13 services.duplyBackup.profiles.mastodon = { 13 services.duplyBackup.profiles.mastodon = {
14 rootDir = mcfg.dataDir; 14 rootDir = mcfg.dataDir;
15 }; 15 };
16 secrets.keys = [{ 16 secrets.keys."webapps/tools-mastodon" = {
17 dest = "webapps/tools-mastodon";
18 user = "mastodon"; 17 user = "mastodon";
19 group = "mastodon"; 18 group = "mastodon";
20 permissions = "0400"; 19 permissions = "0400";
@@ -59,7 +58,7 @@ in {
59 LDAP_UID="uid" 58 LDAP_UID="uid"
60 LDAP_SEARCH_FILTER="${env.ldap.filter}" 59 LDAP_SEARCH_FILTER="${env.ldap.filter}"
61 ''; 60 '';
62 }]; 61 };
63 services.mastodon = { 62 services.mastodon = {
64 enable = true; 63 enable = true;
65 configFile = config.secrets.fullPaths."webapps/tools-mastodon"; 64 configFile = config.secrets.fullPaths."webapps/tools-mastodon";
diff --git a/modules/private/websites/tools/mgoblin/default.nix b/modules/private/websites/tools/mgoblin/default.nix
index 6d6a5a4..f6cba4a 100644
--- a/modules/private/websites/tools/mgoblin/default.nix
+++ b/modules/private/websites/tools/mgoblin/default.nix
@@ -12,8 +12,7 @@ in {
12 services.duplyBackup.profiles.mgoblin = { 12 services.duplyBackup.profiles.mgoblin = {
13 rootDir = mcfg.dataDir; 13 rootDir = mcfg.dataDir;
14 }; 14 };
15 secrets.keys = [{ 15 secrets.keys."webapps/tools-mediagoblin" = {
16 dest = "webapps/tools-mediagoblin";
17 user = "mediagoblin"; 16 user = "mediagoblin";
18 group = "mediagoblin"; 17 group = "mediagoblin";
19 permissions = "0400"; 18 permissions = "0400";
@@ -77,7 +76,7 @@ in {
77 [[mediagoblin.media_types.image]] 76 [[mediagoblin.media_types.image]]
78 [[mediagoblin.media_types.video]] 77 [[mediagoblin.media_types.video]]
79 ''; 78 '';
80 }]; 79 };
81 80
82 users.users.mediagoblin.extraGroups = [ "keys" ]; 81 users.users.mediagoblin.extraGroups = [ "keys" ];
83 82
diff --git a/modules/private/websites/tools/peertube/default.nix b/modules/private/websites/tools/peertube/default.nix
index 7dcc998..daeeb1f 100644
--- a/modules/private/websites/tools/peertube/default.nix
+++ b/modules/private/websites/tools/peertube/default.nix
@@ -18,8 +18,7 @@ in {
18 }; 18 };
19 users.users.peertube.extraGroups = [ "keys" ]; 19 users.users.peertube.extraGroups = [ "keys" ];
20 20
21 secrets.keys = [{ 21 secrets.keys."webapps/tools-peertube" = {
22 dest = "webapps/tools-peertube";
23 user = "peertube"; 22 user = "peertube";
24 group = "peertube"; 23 group = "peertube";
25 permissions = "0640"; 24 permissions = "0640";
@@ -62,7 +61,7 @@ in {
62 plugins: '${pcfg.dataDir}/storage/plugins/' 61 plugins: '${pcfg.dataDir}/storage/plugins/'
63 client_overrides: '${pcfg.dataDir}/storage/client-overrides/' 62 client_overrides: '${pcfg.dataDir}/storage/client-overrides/'
64 ''; 63 '';
65 }]; 64 };
66 65
67 services.websites.env.tools.modules = [ 66 services.websites.env.tools.modules = [
68 "headers" "proxy" "proxy_http" "proxy_wstunnel" 67 "headers" "proxy" "proxy_http" "proxy_wstunnel"
diff --git a/modules/private/websites/tools/performance/default.nix b/modules/private/websites/tools/performance/default.nix
index 5afd639..5715ff0 100644
--- a/modules/private/websites/tools/performance/default.nix
+++ b/modules/private/websites/tools/performance/default.nix
@@ -11,9 +11,8 @@ in
11 }; 11 };
12 12
13 config = lib.mkIf cfg.enable { 13 config = lib.mkIf cfg.enable {
14 secrets.keys = [ 14 secrets.keys = {
15 { 15 status_engine_ui = {
16 dest = "status_engine_ui";
17 permissions = "0400"; 16 permissions = "0400";
18 user = "wwwrun"; 17 user = "wwwrun";
19 group = "wwwrun"; 18 group = "wwwrun";
@@ -44,8 +43,8 @@ in
44 display_perfdata: 1 43 display_perfdata: 1
45 perfdata_backend: mysql 44 perfdata_backend: mysql
46 ''; 45 '';
47 } 46 };
48 ]; 47 };
49 48
50 services.websites.env.tools.modules = [ "proxy_fcgi" ]; 49 services.websites.env.tools.modules = [ "proxy_fcgi" ];
51 50
diff --git a/modules/private/websites/tools/stats/default.nix b/modules/private/websites/tools/stats/default.nix
index 5f184bc..71e31a3 100644
--- a/modules/private/websites/tools/stats/default.nix
+++ b/modules/private/websites/tools/stats/default.nix
@@ -6,9 +6,8 @@ in
6{ 6{
7 options.myServices.websites.tools.stats.enable = lib.mkEnableOption "Enable stats site"; 7 options.myServices.websites.tools.stats.enable = lib.mkEnableOption "Enable stats site";
8 config = lib.mkIf cfg.enable { 8 config = lib.mkIf cfg.enable {
9 secrets.keys = [ 9 secrets.keys = {
10 { 10 "uami/env" = {
11 dest = "umami/env";
12 permission = "0400"; 11 permission = "0400";
13 text = '' 12 text = ''
14 PORT=${toString myCfg.listenPort} 13 PORT=${toString myCfg.listenPort}
@@ -16,8 +15,8 @@ in
16 DATABASE_URL=postgresql://${myCfg.postgresql.user}:${myCfg.postgresql.password}@localhost:${myCfg.postgresql.port}/${myCfg.postgresql.database}?sslmode=disable&host=${myCfg.postgresql.socket} 15 DATABASE_URL=postgresql://${myCfg.postgresql.user}:${myCfg.postgresql.password}@localhost:${myCfg.postgresql.port}/${myCfg.postgresql.database}?sslmode=disable&host=${myCfg.postgresql.socket}
17 HASH_SALT=${myCfg.hashSalt} 16 HASH_SALT=${myCfg.hashSalt}
18 ''; 17 '';
19 } 18 };
20 ]; 19 };
21 20
22 services.websites.env.tools.vhostConfs.stats = { 21 services.websites.env.tools.vhostConfs.stats = {
23 certName = "eldiron"; 22 certName = "eldiron";
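Review bot: The new attribute name `"uami/env"` does not match the old `dest = "umami/env"` it replaces, so the secret is now installed under a different path and any consumer resolving `config.secrets.fullPaths."umami/env"` (not visible here) would no longer find it; the line should read `"umami/env" = {`. The same entry keeps `permission = "0400"` in the singular while every other key in this diff uses `permissions`; if the secrets module ignores unknown attributes instead of rejecting them, this file, which carries the PostgreSQL password and `HASH_SALT`, would receive whatever default mode the module applies, so it should be `permissions = "0400";`. The enclosing `config = lib.mkIf cfg.enable {` block continues past the hunk.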
diff --git a/modules/private/websites/tools/tools/csp_reports.nix b/modules/private/websites/tools/tools/csp_reports.nix
index 4660251..9b3f0cf 100644
--- a/modules/private/websites/tools/tools/csp_reports.nix
+++ b/modules/private/websites/tools/tools/csp_reports.nix
@@ -1,12 +1,11 @@
1{ env }: 1{ env }:
2rec { 2rec {
3 keys = [{ 3 keys."webapps/tools-csp-reports.conf" = {
4 dest = "webapps/tools-csp-reports.conf";
5 user = "wwwrun"; 4 user = "wwwrun";
6 group = "wwwrun"; 5 group = "wwwrun";
7 permissions = "0400"; 6 permissions = "0400";
8 text = with env.postgresql; '' 7 text = with env.postgresql; ''
9 env[CSP_REPORT_URI] = "host=${socket} dbname=${database} user=${user} password=${password}" 8 env[CSP_REPORT_URI] = "host=${socket} dbname=${database} user=${user} password=${password}"
10 ''; 9 '';
11 }]; 10 };
12} 11}
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix
index ada6253..1f499fb 100644
--- a/modules/private/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -83,14 +83,14 @@ in {
83 config = lib.mkIf cfg.enable { 83 config = lib.mkIf cfg.enable {
84 secrets.keys = 84 secrets.keys =
85 kanboard.keys 85 kanboard.keys
86 ++ ldap.keys 86 // ldap.keys
87 ++ shaarli.keys 87 // shaarli.keys
88 ++ ttrss.keys 88 // ttrss.keys
89 ++ wallabag.keys 89 // wallabag.keys
90 ++ yourls.keys 90 // yourls.keys
91 ++ dmarc-reports.keys 91 // dmarc-reports.keys
92 ++ csp-reports.keys 92 // csp-reports.keys
93 ++ webhooks.keys; 93 // webhooks.keys;
94 94
95 services.duplyBackup.profiles = { 95 services.duplyBackup.profiles = {
96 dokuwiki = dokuwiki.backups; 96 dokuwiki = dokuwiki.backups;
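Review bot: Replacing `++` with `//` changes what happens when two sub-modules declare the same secret name: the list kept both entries, whereas the attrset merge is right-biased and silently keeps only the last definition, so a collision would drop one secret's `text` and permissions with no evaluation error. The names visible in this diff are all distinct, so nothing breaks today, but a comment above the chain such as `# right-biased merge: a duplicated secret name keeps only the last definition` would record the trade-off for the next module added here. Whether the secrets module itself detects duplicate destinations is not visible in this hunk.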
diff --git a/modules/private/websites/tools/tools/dmarc_reports.nix b/modules/private/websites/tools/tools/dmarc_reports.nix
index 5fdf0b6..89da246 100644
--- a/modules/private/websites/tools/tools/dmarc_reports.nix
+++ b/modules/private/websites/tools/tools/dmarc_reports.nix
@@ -1,7 +1,6 @@
1{ env, config }: 1{ env, config }:
2rec { 2rec {
3 keys = [{ 3 keys."webapps/tools-dmarc-reports.php" = {
4 dest = "webapps/tools-dmarc-reports.php";
5 user = "wwwrun"; 4 user = "wwwrun";
6 group = "wwwrun"; 5 group = "wwwrun";
7 permissions = "0400"; 6 permissions = "0400";
@@ -15,7 +14,7 @@ rec {
15 $anonymous_key = "${env.anonymous_key}"; 14 $anonymous_key = "${env.anonymous_key}";
16 ?> 15 ?>
17 ''; 16 '';
18 }]; 17 };
19 webRoot = ./dmarc_reports; 18 webRoot = ./dmarc_reports;
20 apache = rec { 19 apache = rec {
21 user = "wwwrun"; 20 user = "wwwrun";
diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix
index 1a70499..b2e7b65 100644
--- a/modules/private/websites/tools/tools/kanboard.nix
+++ b/modules/private/websites/tools/tools/kanboard.nix
@@ -13,8 +13,7 @@ rec {
13 install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config 13 install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config
14 ''; 14 '';
15 }; 15 };
16 keys = [{ 16 keys."webapps/tools-kanboard" = {
17 dest = "webapps/tools-kanboard";
18 user = apache.user; 17 user = apache.user;
19 group = apache.group; 18 group = apache.group;
20 permissions = "0400"; 19 permissions = "0400";
@@ -41,7 +40,7 @@ rec {
41 define('LDAP_GROUP_ADMIN_DN', '${env.ldap.admin_dn}'); 40 define('LDAP_GROUP_ADMIN_DN', '${env.ldap.admin_dn}');
42 ?> 41 ?>
43 ''; 42 '';
44 }]; 43 };
45 webRoot = kanboard { kanboard_config = config.secrets.fullPaths."webapps/tools-kanboard"; }; 44 webRoot = kanboard { kanboard_config = config.secrets.fullPaths."webapps/tools-kanboard"; };
46 apache = rec { 45 apache = rec {
47 user = "wwwrun"; 46 user = "wwwrun";
diff --git a/modules/private/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix
index cb90edc..14920f4 100644
--- a/modules/private/websites/tools/tools/ldap.nix
+++ b/modules/private/websites/tools/tools/ldap.nix
@@ -6,8 +6,7 @@ rec {
6 install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/phpldapadmin 6 install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/phpldapadmin
7 ''; 7 '';
8 }; 8 };
9 keys = [{ 9 keys."webapps/tools-ldap" = {
10 dest = "webapps/tools-ldap";
11 user = apache.user; 10 user = apache.user;
12 group = apache.group; 11 group = apache.group;
13 permissions = "0400"; 12 permissions = "0400";
@@ -31,7 +30,7 @@ rec {
31 $servers->setValue('login','attr','uid'); 30 $servers->setValue('login','attr','uid');
32 $servers->setValue('login','fallback_dn',true); 31 $servers->setValue('login','fallback_dn',true);
33 ''; 32 '';
34 }]; 33 };
35 webRoot = phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; }; 34 webRoot = phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
36 apache = rec { 35 apache = rec {
37 user = "wwwrun"; 36 user = "wwwrun";
diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix
index 80c6a89..b7126cc 100644
--- a/modules/private/websites/tools/tools/shaarli.nix
+++ b/modules/private/websites/tools/tools/shaarli.nix
@@ -38,8 +38,7 @@ in rec {
38 </Directory> 38 </Directory>
39 ''; 39 '';
40 }; 40 };
41 keys = [{ 41 keys."webapps/tools-shaarli" = {
42 dest = "webapps/tools-shaarli";
43 user = apache.user; 42 user = apache.user;
44 group = apache.group; 43 group = apache.group;
45 permissions = "0400"; 44 permissions = "0400";
@@ -50,7 +49,7 @@ in rec {
50 SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}" 49 SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}"
51 SetEnv SHAARLI_LDAP_FILTER "${env.ldap.filter}" 50 SetEnv SHAARLI_LDAP_FILTER "${env.ldap.filter}"
52 ''; 51 '';
53 }]; 52 };
54 phpFpm = rec { 53 phpFpm = rec {
55 serviceDeps = [ "openldap.service" ]; 54 serviceDeps = [ "openldap.service" ];
56 basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; 55 basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix
index eb1d415..f6abae9 100644
--- a/modules/private/websites/tools/tools/ttrss.nix
+++ b/modules/private/websites/tools/tools/ttrss.nix
@@ -19,8 +19,7 @@ rec {
19 install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions 19 install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
20 ''; 20 '';
21 }; 21 };
22 keys = [{ 22 keys."webapps/tools-ttrss" = {
23 dest = "webapps/tools-ttrss";
24 user = apache.user; 23 user = apache.user;
25 group = apache.group; 24 group = apache.group;
26 permissions = "0400"; 25 permissions = "0400";
@@ -87,7 +86,7 @@ rec {
87 define('LDAP_AUTH_LOG_ATTEMPTS', FALSE); 86 define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);
88 define('LDAP_AUTH_DEBUG', FALSE); 87 define('LDAP_AUTH_DEBUG', FALSE);
89 ''; 88 '';
90 }]; 89 };
91 webRoot = (ttrss.override { ttrss_config = config.secrets.fullPaths."webapps/tools-ttrss"; }).withPlugins (p: [ 90 webRoot = (ttrss.override { ttrss_config = config.secrets.fullPaths."webapps/tools-ttrss"; }).withPlugins (p: [
92 p.auth_ldap p.ff_instagram p.tumblr_gdpr_ua 91 p.auth_ldap p.ff_instagram p.tumblr_gdpr_ua
93 (p.af_feedmod.override { patched = true; }) 92 (p.af_feedmod.override { patched = true; })
diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix
index 1a604c7..b6ad151 100644
--- a/modules/private/websites/tools/tools/wallabag.nix
+++ b/modules/private/websites/tools/tools/wallabag.nix
@@ -5,8 +5,7 @@ rec {
5 remotes = [ "eriomem" "ovh" ]; 5 remotes = [ "eriomem" "ovh" ];
6 }; 6 };
7 varDir = "/var/lib/wallabag"; 7 varDir = "/var/lib/wallabag";
8 keys = [{ 8 keys."webapps/tools-wallabag" = {
9 dest = "webapps/tools-wallabag";
10 user = apache.user; 9 user = apache.user;
11 group = apache.group; 10 group = apache.group;
12 permissions = "0400"; 11 permissions = "0400";
@@ -68,7 +67,7 @@ rec {
68 class: Swift_SendmailTransport 67 class: Swift_SendmailTransport
69 arguments: ['/run/wrappers/bin/sendmail -bs'] 68 arguments: ['/run/wrappers/bin/sendmail -bs']
70 ''; 69 '';
71 }]; 70 };
72 webappDir = wallabag.override { ldap = true; wallabag_config = config.secrets.fullPaths."webapps/tools-wallabag"; }; 71 webappDir = wallabag.override { ldap = true; wallabag_config = config.secrets.fullPaths."webapps/tools-wallabag"; };
73 activationScript = '' 72 activationScript = ''
74 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \ 73 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
diff --git a/modules/private/websites/tools/tools/webhooks.nix b/modules/private/websites/tools/tools/webhooks.nix
index 8ffb81b..785e22b 100644
--- a/modules/private/websites/tools/tools/webhooks.nix
+++ b/modules/private/websites/tools/tools/webhooks.nix
@@ -1,16 +1,17 @@
1{ lib, env }: 1{ lib, env }:
2{ 2{
3 keys = lib.attrsets.mapAttrsToList (k: v: { 3 keys = lib.attrsets.mapAttrs' (k: v:
4 dest = "webapps/webhooks/${k}.php"; 4 lib.nameValuePair "webapps/webhooks/${k}.php" {
5 user = "wwwrun"; 5 user = "wwwrun";
6 group = "wwwrun"; 6 group = "wwwrun";
7 permissions = "0400"; 7 permissions = "0400";
8 text = v; 8 text = v;
9 }) env ++ [{ 9 }) env // {
10 dest = "webapps/webhooks"; 10 "webapps/webhooks" = {
11 isDir = true; 11 isDir = true;
12 user = "wwwrun"; 12 user = "wwwrun";
13 group = "wwwrun"; 13 group = "wwwrun";
14 permissions = "0500"; 14 permissions = "0500";
15 }]; 15 };
16 };
16} 17}
diff --git a/modules/private/websites/tools/tools/yourls.nix b/modules/private/websites/tools/tools/yourls.nix
index 0f977f2..01ef548 100644
--- a/modules/private/websites/tools/tools/yourls.nix
+++ b/modules/private/websites/tools/tools/yourls.nix
@@ -6,8 +6,7 @@ rec {
6 install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls 6 install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls
7 ''; 7 '';
8 }; 8 };
9 keys = [{ 9 keys."webapps/tools-yourls" = {
10 dest = "webapps/tools-yourls";
11 user = apache.user; 10 user = apache.user;
12 group = apache.group; 11 group = apache.group;
13 permissions = "0400"; 12 permissions = "0400";
@@ -39,7 +38,7 @@ rec {
39 38
40 define( 'LDAPAUTH_USERCACHE_TYPE', 0); 39 define( 'LDAPAUTH_USERCACHE_TYPE', 0);
41 ''; 40 '';
42 }]; 41 };
43 webRoot = (yourls.override { yourls_config = config.secrets.fullPaths."webapps/tools-yourls"; }).withPlugins (p: [p.ldap]); 42 webRoot = (yourls.override { yourls_config = config.secrets.fullPaths."webapps/tools-yourls"; }).withPlugins (p: [p.ldap]);
44 apache = rec { 43 apache = rec {
45 user = "wwwrun"; 44 user = "wwwrun";
diff --git a/modules/zrepl.nix b/modules/zrepl.nix
index cb74082..5bcc17b 100644
--- a/modules/zrepl.nix
+++ b/modules/zrepl.nix
@@ -16,15 +16,14 @@ in
16 }; 16 };
17 17
18 config = lib.mkIf cfg.enable { 18 config = lib.mkIf cfg.enable {
19 secrets.keys = [ 19 secrets.keys = {
20 { 20 "zrepl/zrepl.yml" = {
21 dest = "zrepl/zrepl.yml";
22 permissions = "0400"; 21 permissions = "0400";
23 text = cfg.config; 22 text = cfg.config;
24 user = config.systemd.services.zrepl.serviceConfig.User or "root"; 23 user = config.systemd.services.zrepl.serviceConfig.User or "root";
25 group = config.systemd.services.zrepl.serviceConfig.Group or "root"; 24 group = config.systemd.services.zrepl.serviceConfig.Group or "root";
26 } 25 };
27 ]; 26 };
28 services.filesWatcher.zrepl = { 27 services.filesWatcher.zrepl = {
29 restart = true; 28 restart = true;
30 paths = [ config.secrets.fullPaths."zrepl/zrepl.yml" ]; 29 paths = [ config.secrets.fullPaths."zrepl/zrepl.yml" ];