authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-25 02:18:59 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-25 02:18:59 +0200
commit742697c95318d3625298437995e948ee00a00ba5 (patch)
tree322bba0294512d71011efa15b84ef0c2134900a3
parentccdd91a78b1a6ae757db20d757ba8674dd25e0cc (diff)
Move ssh ftp and mpd to new secrets
-rw-r--r--nixops/modules/ftp/default.nix7
-rw-r--r--nixops/modules/mpd/default.nix16
-rw-r--r--nixops/modules/ssh/default.nix17
-rw-r--r--nixops/modules/websites/tools/tools/default.nix2
4 files changed, 22 insertions, 20 deletions
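--- a/nixops/modules/ftp/default.nix
+++ b/nixops/modules/ftp/default.nix
@@ -47,7 +47,8 @@
 install -m 0755 -o ftp -g ftp -d /var/lib/ftp
 '';
 
-deployment.keys.pure-ftpd-ldap = {
+mySecrets.keys = [{
+dest = "pure-ftpd-ldap";
 permissions = "0400";
 user = "ftp";
 group = "ftp";
@@ -70,7 +71,7 @@
 # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
 LDAPHomeDir immaeFtpDirectory
 '';
-};
+}];
 
 systemd.services.pure-ftpd = let
 configFile = pkgs.writeText "pure-ftpd.conf" ''
@@ -88,7 +89,7 @@
 SyslogFacility ftp
 DontResolve yes
 MaxIdleTime 15
-LDAPConfigFile /run/keys/pure-ftpd-ldap
+LDAPConfigFile /var/secrets/pure-ftpd-ldap
 LimitRecursion 10000 8
 AnonymousCanCreateDirs no
 MaxLoad 4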
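Review bot: Nothing in the hunk orders systemd.services.pure-ftpd after whatever unit places /var/secrets/pure-ftpd-ldap, while the old deployment.keys path came with a per-key systemd unit the service could depend on; with the new LDAPConfigFile line pure-ftpd may start before the file exists and fail or, depending on pure-ftpd's handling, come up without its LDAP configuration. If the mySecrets module (outside this diff) does not add that ordering itself, the service needs something like `after = [ "<secrets-unit>" ]; wants = [ "<secrets-unit>" ];` with the real unit name substituted. Also worth a one-line comment at the mySecrets.keys entry noting whether /var/secrets is persistent storage, since /run/keys was a tmpfs that did not survive reboots and the new location may change where the LDAP bind password lives at rest. The systemd.services.pure-ftpd definition continues outside the hunk.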
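--- a/nixops/modules/mpd/default.nix
+++ b/nixops/modules/mpd/default.nix
@@ -4,20 +4,22 @@
 nixpkgs.overlays = [ (self: super: rec {
 mpd = (self.callPackage ./mpd.nix {}).mpd;
 }) ];
-deployment.keys = {
-mpd = {
+mySecrets.keys = [
+{
+dest = "mpd";
 permissions = "0400";
 text = myconfig.env.mpd.password;
-};
-mpd-config = {
+}
+{
+dest = "mpd-config";
 permissions = "0400";
 user = "mpd";
 group = "mpd";
 text = ''
 password "${myconfig.env.mpd.password}@read,add,control,admin"
 '';
-};
-};
+}
+];
 networking.firewall.allowedTCPPorts = [ 6600 ];
 users.users.mpd.extraGroups = [ "wwwrun" "keys" ];
 system.activationScripts.mpd = ''
@@ -28,7 +30,7 @@
 network.listenAddress = "any";
 musicDirectory = myconfig.env.mpd.folder;
 extraConfig = ''
-include "/run/keys/mpd-config"
+include "/var/secrets/mpd-config"
 audio_output {
 type "null"
 name "No Output"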
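Review bot: The new side keeps `users.users.mpd.extraGroups = [ "wwwrun" "keys" ];` (line 24) although the `keys` group existed to let mpd read /run/keys, and the secret it reads is now /var/secrets/mpd-config owned mpd:mpd with 0400; unless the mySecrets directory itself requires `keys` membership, that group no longer buys anything and widens what the mpd user can read. The first entry, `dest = "mpd"`, sets permissions but no `user`/`group`, so its ownership is whatever mySecrets defaults to, which is not visible here; a short comment such as `# owned by the mySecrets default user; only ympd (tools module) reads it` would make the intent explicit and catch a default that differs from the old deployment.keys one. Both points are inferred from the visible lines only, since the mySecrets module is outside this diff.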
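--- a/nixops/modules/ssh/default.nix
+++ b/nixops/modules/ssh/default.nix
@@ -8,16 +8,15 @@
 AuthorizedKeysCommandUser nobody
 '';
 
-deployment.keys = {
-ssh-ldap = {
+mySecrets.keys = [{
+dest = "ssh-ldap";
 user = "nobody";
 group = "nobody";
 permissions = "0400";
 text = myconfig.env.sshd.ldap.password;
-};
-};
+}];
 system.activationScripts.sshd = ''
-install -Dm400 -o nobody -g nobody -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
+install -Dm400 -o nobody -g nobody -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
 '';
 # ssh is strict about parent directory having correct rights, don't
 # move it in the nix store.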
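Review bot: The sshd LDAP password, both the mySecrets entry (`user = "nobody"`, line 13) and the copy installed at /etc/ssh/ldap_password (line 19), is owned by the shared `nobody` account, which matches `AuthorizedKeysCommandUser nobody` at line 8 but is also the account the ympd service in nixops/modules/websites/tools/tools/default.nix runs under (`--user nobody`); a compromise of that web-facing process would therefore expose the sshd LDAP credential, and conversely ympd's MPD_PASSWORD environment is readable by the AuthorizedKeysCommand process. A dedicated system user for the AuthorizedKeysCommand, used for `AuthorizedKeysCommandUser`, for the secret's `user`/`group`, and for the `-o`/`-g` flags of the install line, would keep the two credentials apart. Separately, the activation script runs `install` against /var/secrets/ssh-ldap on every activation, so if the mySecrets unit has not placed the file yet at that point the copy fails silently; worth confirming against the mySecrets module, which is outside this diff.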
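--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -76,7 +76,7 @@ in {
 description = "Standalone MPD Web GUI written in C";
 wantedBy = [ "multi-user.target" ];
 script = ''
-export MPD_PASSWORD=$(cat /run/keys/mpd)
+export MPD_PASSWORD=$(cat /var/secrets/mpd)
 ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
 '';
 };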
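Review bot: The new line `export MPD_PASSWORD=$(cat /var/secrets/mpd)` hides a read failure: `export VAR=$(cmd)` returns the status of `export`, not of `cat`, so if the secret is missing or unreadable the script carries on and starts ympd with an empty password instead of failing the unit. Splitting it into `MPD_PASSWORD="$(cat /var/secrets/mpd)" || exit 1` followed by `export MPD_PASSWORD` makes the unit fail visibly, which also covers the case where the mySecrets unit has not yet placed the file because nothing in this service declares an ordering on it (the service definition continues outside the hunk). Note that the password is handed to ympd through its environment and the process runs as `nobody`, so it is readable by any other `nobody` process on the host; see the note on nixops/modules/ssh/default.nix.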