Move secrets to flakes

7 files changed, 28 insertions, 21 deletions

diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index 36edaeb..75ea747 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -169,14 +169,14 @@ in {
       mysql = {
         text = ''
           # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-          auth    required ${pam_ldap} config=${config.secrets.location}/mysql/pam
-          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
+          auth    required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"}
+          account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"}
           '';
       };
       mysql_replication = {
         text = ''
-          auth    required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
-          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
+          auth    required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"}
+          account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"}
           '';
       };
     };
diff --git a/modules/private/databases/mariadb_replication.nix b/modules/private/databases/mariadb_replication.nix
index b89c764..e857c41 100644
--- a/modules/private/databases/mariadb_replication.nix
+++ b/modules/private/databases/mariadb_replication.nix
@@ -140,7 +140,7 @@ in
 
               filename=${backupDir}/$(${pkgs.coreutils}/bin/date -Iminutes).sql
               ${hcfg.package}/bin/mysqldump \
-                --defaults-file=${config.secrets.location}/mysql_replication/${name}/mysqldump \
+                --defaults-file=${config.secrets.fullPaths."mysql_replication/${name}/mysqldump"} \
                 -S /run/mysqld_${name}/mysqld.sock \
                 --gtid \
                 --master-data \
@@ -194,7 +194,7 @@ in
           if ! test -e ${dataDir}/mysql; then
             if ! test -e ${dataDir}/initial.sql; then
               ${hcfg.package}/bin/mysqldump \
-                --defaults-file=${config.secrets.location}/mysql_replication/${name}/mysqldump_remote \
+                --defaults-file=${config.secrets.fullPaths."mysql_replication/${name}/mysqldump_remote"} \
                 -h ${hcfg.host} \
                 -P ${hcfg.port} \
                 --ssl \
@@ -235,7 +235,7 @@ in
                   cat \
                     ${sql_before} \
                     ${dataDir}/initial.sql \
-                    ${config.secrets.location}/mysql_replication/${name}/slave_init_commands \
+                    ${config.secrets.fullPaths."mysql_replication/${name}/slave_init_commands"} \
                     | ${hcfg.package}/bin/mysql \
                     --defaults-file=/etc/mysql/${name}_my.cnf \
                     -S /run/mysqld_${name}/mysqld.sock \
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
index e00f4c2..f4851b5 100644
--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -98,7 +98,14 @@ in
         permissions = "0400";
         user = "openldap";
         group = "openldap";
-        text = builtins.readFile "${cfg.accessFile}";
+        text = builtins.readFile cfg.accessFile;
+      }
+      {
+        dest = "ldap";
+        permissions = "0500";
+        user = "openldap";
+        group = "openldap";
+        isDir = true;
       }
     ];
     users.users.openldap.extraGroups = [ "keys" ];
@@ -115,7 +122,7 @@ in
 
     services.filesWatcher.openldap = {
       restart = true;
-      paths = [ "${config.secrets.location}/ldap/" ];
+      paths = [ config.secrets.fullPaths."ldap" ];
     };
 
     services.openldap = {
@@ -132,9 +139,9 @@ in
         overlay         syncprov
         syncprov-checkpoint 100 10
 
-        include ${config.secrets.location}/ldap/access
+        include ${config.secrets.fullPaths."ldap/access"}
         '';
-      rootpwFile = "${config.secrets.location}/ldap/password";
+      rootpwFile = config.secrets.fullPaths."ldap/password";
       suffix = cfg.baseDn;
       rootdn = cfg.rootDn;
       database = "hdb";
diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix
index df4101b..350eecf 100644
--- a/modules/private/databases/openldap_replication.nix
+++ b/modules/private/databases/openldap_replication.nix
@@ -23,7 +23,7 @@ let
     index   uid               pres,eq
     index   entryUUID         eq
 
-    include ${config.secrets.location}/openldap_replication/${name}/replication_config
+    include ${config.secrets.fullPaths."openldap_replication/${name}/replication_config"}
     '';
 in
 {
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix
index c442a63..e73bf69 100644
--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -214,14 +214,14 @@ in {
     in {
       postgresql = {
         text = ''
-          auth    required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
-          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
+          auth    required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam"}
+          account required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam"}
           '';
       };
       postgresql_replication = {
         text = ''
-          auth    required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
-          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
+          auth    required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam_replication"}
+          account required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam_replication"}
           '';
       };
     };
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix
index bc6460f..5c5b8b0 100644
--- a/modules/private/databases/redis.nix
+++ b/modules/private/databases/redis.nix
@@ -49,7 +49,7 @@ in {
         decrypt = true;
         source = "0.0.0.0:16379";
         target = "/run/redis/redis.sock";
-        keyfile = "${config.secrets.location}/redis/spiped_keyfile";
+        keyfile = config.secrets.fullPaths."redis/spiped_keyfile";
       };
     };
     systemd.services.spiped_redis = {
@@ -70,7 +70,7 @@ in {
 
     services.filesWatcher.predixy = {
       restart = true;
-      paths = [ "${config.secrets.location}/redis/predixy.conf" ];
+      paths = [ config.secrets.fullPaths."redis/predixy.conf" ];
     };
 
     networking.firewall.allowedTCPPorts = [ 7617 16379 ];
@@ -126,7 +126,7 @@ in {
         SupplementaryGroups = "keys";
         Type = "simple";
 
-        ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf";
+        ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.fullPaths."redis/predixy.conf"}";
       };
 
     };
diff --git a/modules/private/databases/redis_replication.nix b/modules/private/databases/redis_replication.nix
index a3fe3bb..3caa7e9 100644
--- a/modules/private/databases/redis_replication.nix
+++ b/modules/private/databases/redis_replication.nix
@@ -64,7 +64,7 @@ in
         encrypt = true;
         source = "127.0.0.1:16379";
         target = "${config.myEnv.servers.eldiron.ips.main.ip4}:16379";
-        keyfile = "${config.secrets.location}/redis/spiped_eldiron_keyfile";
+        keyfile = config.secrets.fullPaths."redis/spiped_eldiron_keyfile";
       };
     };
 
@@ -162,7 +162,7 @@ in
         unitConfig.RequiresMountsFor = dataDir;
 
         serviceConfig = {
-          ExecStart = "${hcfg.package}/bin/redis-server ${config.secrets.location}/redis_replication/${name}/config";
+          ExecStart = "${hcfg.package}/bin/redis-server ${config.secrets.fullPaths."redis_replication/${name}/config"}";
           User = "redis";
           RuntimeDirectory = "redis_${name}";
         };