aboutsummaryrefslogtreecommitdiff
path: root/modules/private/databases
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2021-10-16 17:40:07 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2021-10-16 20:20:45 +0200
commit4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0 (patch)
tree9a7ede9ac3f1899074e9ef568a447f883191d3b5 /modules/private/databases
parentda30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2 (diff)
downloadNix-4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0.tar.gz
Nix-4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0.tar.zst
Nix-4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0.zip
Use attrs for secrets instead of lists
Diffstat (limited to 'modules/private/databases')
-rw-r--r--modules/private/databases/mariadb.nix19
-rw-r--r--modules/private/databases/mariadb_replication.nix24
-rw-r--r--modules/private/databases/openldap/default.nix19
-rw-r--r--modules/private/databases/openldap_replication.nix14
-rw-r--r--modules/private/databases/postgresql.nix14
-rw-r--r--modules/private/databases/postgresql_replication.nix19
-rw-r--r--modules/private/databases/redis.nix14
-rw-r--r--modules/private/databases/redis_replication.nix14
8 files changed, 58 insertions, 79 deletions
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index 75ea747..101eb3f 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -121,9 +121,8 @@ in {
121 ''; 121 '';
122 }; 122 };
123 123
124 secrets.keys = [ 124 secrets.keys = {
125 { 125 "mysql/mysqldump" = {
126 dest = "mysql/mysqldump";
127 permissions = "0400"; 126 permissions = "0400";
128 user = "root"; 127 user = "root";
129 group = "root"; 128 group = "root";
@@ -132,9 +131,8 @@ in {
132 user = root 131 user = root
133 password = ${cfg.credentials.root} 132 password = ${cfg.credentials.root}
134 ''; 133 '';
135 } 134 };
136 { 135 "mysql/pam" = {
137 dest = "mysql/pam";
138 permissions = "0400"; 136 permissions = "0400";
139 user = "mysql"; 137 user = "mysql";
140 group = "mysql"; 138 group = "mysql";
@@ -146,9 +144,8 @@ in {
146 pam_filter ${filter} 144 pam_filter ${filter}
147 ssl start_tls 145 ssl start_tls
148 ''; 146 '';
149 } 147 };
150 { 148 "mysql/pam_replication" = {
151 dest = "mysql/pam_replication";
152 permissions = "0400"; 149 permissions = "0400";
153 user = "mysql"; 150 user = "mysql";
154 group = "mysql"; 151 group = "mysql";
@@ -160,8 +157,8 @@ in {
160 pam_login_attribute cn 157 pam_login_attribute cn
161 ssl start_tls 158 ssl start_tls
162 ''; 159 '';
163 } 160 };
164 ]; 161 };
165 162
166 security.pam.services = let 163 security.pam.services = let
167 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; 164 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
diff --git a/modules/private/databases/mariadb_replication.nix b/modules/private/databases/mariadb_replication.nix
index e857c41..68e6f7f 100644
--- a/modules/private/databases/mariadb_replication.nix
+++ b/modules/private/databases/mariadb_replication.nix
@@ -81,9 +81,8 @@ in
81 }; 81 };
82 users.groups.mysql.gid = config.ids.gids.mysql; 82 users.groups.mysql.gid = config.ids.gids.mysql;
83 83
84 secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ 84 secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
85 { 85 (lib.nameValuePair "mysql_replication/${name}/slave_init_commands" {
86 dest = "mysql_replication/${name}/slave_init_commands";
87 user = "mysql"; 86 user = "mysql";
88 group = "mysql"; 87 group = "mysql";
89 permissions = "0400"; 88 permissions = "0400";
@@ -91,9 +90,8 @@ in
91 CHANGE MASTER TO master_host="${hcfg.host}", master_port=${hcfg.port}, master_user="${hcfg.user}", master_password="${hcfg.password}", master_ssl=1, master_use_gtid=slave_pos; 90 CHANGE MASTER TO master_host="${hcfg.host}", master_port=${hcfg.port}, master_user="${hcfg.user}", master_password="${hcfg.password}", master_ssl=1, master_use_gtid=slave_pos;
92 START SLAVE; 91 START SLAVE;
93 ''; 92 '';
94 } 93 })
95 { 94 (lib.nameValuePair "mysql_replication/${name}/mysqldump_remote" {
96 dest = "mysql_replication/${name}/mysqldump_remote";
97 permissions = "0400"; 95 permissions = "0400";
98 user = "root"; 96 user = "root";
99 group = "root"; 97 group = "root";
@@ -102,9 +100,8 @@ in
102 user = ${hcfg.user} 100 user = ${hcfg.user}
103 password = ${hcfg.password} 101 password = ${hcfg.password}
104 ''; 102 '';
105 } 103 })
106 { 104 (lib.nameValuePair "mysql_replication/${name}/mysqldump" {
107 dest = "mysql_replication/${name}/mysqldump";
108 permissions = "0400"; 105 permissions = "0400";
109 user = "root"; 106 user = "root";
110 group = "root"; 107 group = "root";
@@ -113,9 +110,8 @@ in
113 user = ${hcfg.dumpUser} 110 user = ${hcfg.dumpUser}
114 password = ${hcfg.dumpPassword} 111 password = ${hcfg.dumpPassword}
115 ''; 112 '';
116 } 113 })
117 { 114 (lib.nameValuePair "mysql_replication/${name}/client" {
118 dest = "mysql_replication/${name}/client";
119 permissions = "0400"; 115 permissions = "0400";
120 user = "mysql"; 116 user = "mysql";
121 group = "mysql"; 117 group = "mysql";
@@ -124,8 +120,8 @@ in
124 user = ${hcfg.dumpUser} 120 user = ${hcfg.dumpUser}
125 password = ${hcfg.dumpPassword} 121 password = ${hcfg.dumpPassword}
126 ''; 122 '';
127 } 123 })
128 ]) cfg.hosts); 124 ]) cfg.hosts));
129 125
130 services.cron = { 126 services.cron = {
131 enable = true; 127 enable = true;
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
index f4851b5..d35aca0 100644
--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -85,29 +85,26 @@ in
85 }; 85 };
86 86
87 config = lib.mkIf cfg.enable { 87 config = lib.mkIf cfg.enable {
88 secrets.keys = [ 88 secrets.keys = {
89 { 89 "ldap/password" = {
90 dest = "ldap/password";
91 permissions = "0400"; 90 permissions = "0400";
92 user = "openldap"; 91 user = "openldap";
93 group = "openldap"; 92 group = "openldap";
94 text = "rootpw ${cfg.rootPw}"; 93 text = "rootpw ${cfg.rootPw}";
95 } 94 };
96 { 95 "ldap/access" = {
97 dest = "ldap/access";
98 permissions = "0400"; 96 permissions = "0400";
99 user = "openldap"; 97 user = "openldap";
100 group = "openldap"; 98 group = "openldap";
101 text = builtins.readFile cfg.accessFile; 99 text = builtins.readFile cfg.accessFile;
102 } 100 };
103 { 101 "ldap" = {
104 dest = "ldap";
105 permissions = "0500"; 102 permissions = "0500";
106 user = "openldap"; 103 user = "openldap";
107 group = "openldap"; 104 group = "openldap";
108 isDir = true; 105 isDir = true;
109 } 106 };
110 ]; 107 };
111 users.users.openldap.extraGroups = [ "keys" ]; 108 users.users.openldap.extraGroups = [ "keys" ];
112 networking.firewall.allowedTCPPorts = [ 636 389 ]; 109 networking.firewall.allowedTCPPorts = [ 636 389 ];
113 110
diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix
index 350eecf..b456323 100644
--- a/modules/private/databases/openldap_replication.nix
+++ b/modules/private/databases/openldap_replication.nix
@@ -87,9 +87,8 @@ in
87 }; 87 };
88 users.groups.openldap.gid = config.ids.gids.openldap; 88 users.groups.openldap.gid = config.ids.gids.openldap;
89 89
90 secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ 90 secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
91 { 91 (lib.nameValuePair "openldap_replication/${name}/replication_config" {
92 dest = "openldap_replication/${name}/replication_config";
93 user = "openldap"; 92 user = "openldap";
94 group = "openldap"; 93 group = "openldap";
95 permissions = "0400"; 94 permissions = "0400";
@@ -105,15 +104,14 @@ in
105 binddn="${hcfg.dn}" 104 binddn="${hcfg.dn}"
106 credentials="${hcfg.password}" 105 credentials="${hcfg.password}"
107 ''; 106 '';
108 } 107 })
109 { 108 (lib.nameValuePair "openldap_replication/${name}/replication_password" {
110 dest = "openldap_replication/${name}/replication_password";
111 user = "openldap"; 109 user = "openldap";
112 group = "openldap"; 110 group = "openldap";
113 permissions = "0400"; 111 permissions = "0400";
114 text = hcfg.password; 112 text = hcfg.password;
115 } 113 })
116 ]) cfg.hosts); 114 ]) cfg.hosts));
117 115
118 services.cron = { 116 services.cron = {
119 enable = true; 117 enable = true;
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix
index e73bf69..a6c4cc9 100644
--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -178,9 +178,8 @@ in {
178 ''; 178 '';
179 }; 179 };
180 180
181 secrets.keys = [ 181 secrets.keys = {
182 { 182 "postgresql/pam" = {
183 dest = "postgresql/pam";
184 permissions = "0400"; 183 permissions = "0400";
185 group = "postgres"; 184 group = "postgres";
186 user = "postgres"; 185 user = "postgres";
@@ -192,9 +191,8 @@ in {
192 pam_filter ${filter} 191 pam_filter ${filter}
193 ssl start_tls 192 ssl start_tls
194 ''; 193 '';
195 } 194 };
196 { 195 "postgresql/pam_replication" = {
197 dest = "postgresql/pam_replication";
198 permissions = "0400"; 196 permissions = "0400";
199 group = "postgres"; 197 group = "postgres";
200 user = "postgres"; 198 user = "postgres";
@@ -206,8 +204,8 @@ in {
206 pam_login_attribute cn 204 pam_login_attribute cn
207 ssl start_tls 205 ssl start_tls
208 ''; 206 '';
209 } 207 };
210 ]; 208 };
211 209
212 security.pam.services = let 210 security.pam.services = let
213 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; 211 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
diff --git a/modules/private/databases/postgresql_replication.nix b/modules/private/databases/postgresql_replication.nix
index b103b8c..135bbed 100644
--- a/modules/private/databases/postgresql_replication.nix
+++ b/modules/private/databases/postgresql_replication.nix
@@ -62,9 +62,8 @@ in
62 users.groups.postgres.gid = config.ids.gids.postgres; 62 users.groups.postgres.gid = config.ids.gids.postgres;
63 environment.systemPackages = [ cfg.mainPackage ]; 63 environment.systemPackages = [ cfg.mainPackage ];
64 64
65 secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ 65 secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [
66 { 66 (lib.nameValuePair "postgresql_replication/${name}/recovery.conf" {
67 dest = "postgresql_replication/${name}/recovery.conf";
68 user = "postgres"; 67 user = "postgres";
69 group = "postgres"; 68 group = "postgres";
70 permissions = "0400"; 69 permissions = "0400";
@@ -73,16 +72,14 @@ in
73 primary_conninfo = '${hcfg.connection}?sslmode=require' 72 primary_conninfo = '${hcfg.connection}?sslmode=require'
74 primary_slot_name = '${hcfg.slot}' 73 primary_slot_name = '${hcfg.slot}'
75 ''; 74 '';
76 } 75 })
77 { 76 (lib.nameValuePair "postgresql_replication/${name}/connection_string" {
78 dest = "postgresql_replication/${name}/connection_string";
79 user = "postgres"; 77 user = "postgres";
80 group = "postgres"; 78 group = "postgres";
81 permissions = "0400"; 79 permissions = "0400";
82 text = hcfg.connection; 80 text = hcfg.connection;
83 } 81 })
84 { 82 (lib.nameValuePair "postgresql_replication/${name}/postgresql.conf" {
85 dest = "postgresql_replication/${name}/postgresql.conf";
86 user = "postgres"; 83 user = "postgres";
87 group = "postgres"; 84 group = "postgres";
88 permissions = "0400"; 85 permissions = "0400";
@@ -94,8 +91,8 @@ in
94 data_directory = '${dataDir}' 91 data_directory = '${dataDir}'
95 wal_level = logical 92 wal_level = logical
96 ''; 93 '';
97 } 94 })
98 ]) cfg.hosts); 95 ]) cfg.hosts));
99 96
100 services.cron = { 97 services.cron = {
101 enable = true; 98 enable = true;
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix
index 5c5b8b0..685fa46 100644
--- a/modules/private/databases/redis.nix
+++ b/modules/private/databases/redis.nix
@@ -74,9 +74,8 @@ in {
74 }; 74 };
75 75
76 networking.firewall.allowedTCPPorts = [ 7617 16379 ]; 76 networking.firewall.allowedTCPPorts = [ 7617 16379 ];
77 secrets.keys = [ 77 secrets.keys = {
78 { 78 "redis/predixy.conf" = {
79 dest = "redis/predixy.conf";
80 user = "redis"; 79 user = "redis";
81 group = "redis"; 80 group = "redis";
82 permissions = "0400"; 81 permissions = "0400";
@@ -100,15 +99,14 @@ in {
100 } 99 }
101 } 100 }
102 ''; 101 '';
103 } 102 };
104 { 103 "redis/spiped_keyfile" = {
105 dest = "redis/spiped_keyfile";
106 user = "spiped"; 104 user = "spiped";
107 group = "spiped"; 105 group = "spiped";
108 permissions = "0400"; 106 permissions = "0400";
109 text = config.myEnv.databases.redis.spiped_key; 107 text = config.myEnv.databases.redis.spiped_key;
110 } 108 };
111 ]; 109 };
112 110
113 systemd.slices.redis = { 111 systemd.slices.redis = {
114 description = "Redis slice"; 112 description = "Redis slice";
diff --git a/modules/private/databases/redis_replication.nix b/modules/private/databases/redis_replication.nix
index 3caa7e9..9e48939 100644
--- a/modules/private/databases/redis_replication.nix
+++ b/modules/private/databases/redis_replication.nix
@@ -68,9 +68,8 @@ in
68 }; 68 };
69 }; 69 };
70 70
71 secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ 71 secrets.keys = lib.mapAttrs' (name: hcfg:
72 { 72 lib.nameValuePair "redis_replication/${name}/config" {
73 dest = "redis_replication/${name}/config";
74 user = "redis"; 73 user = "redis";
75 group = "redis"; 74 group = "redis";
76 permissions = "0400"; 75 permissions = "0400";
@@ -97,15 +96,14 @@ in
97 maxclients 1024 96 maxclients 1024
98 ''; 97 '';
99 } 98 }
100 ]) cfg.hosts) ++ [ 99 ) cfg.hosts // {
101 { # For eldiron only 100 "redis/spiped_eldiron_keyfile" = { # For eldiron only
102 dest = "redis/spiped_eldiron_keyfile";
103 user = "spiped"; 101 user = "spiped";
104 group = "spiped"; 102 group = "spiped";
105 permissions = "0400"; 103 permissions = "0400";
106 text = config.myEnv.databases.redis.spiped_key; 104 text = config.myEnv.databases.redis.spiped_key;
107 } 105 };
108 ]; 106 };
109 107
110 services.cron = { 108 services.cron = {
111 enable = true; 109 enable = true;
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-22 18:16:45 +0000