author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2021-10-16 17:40:07 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2021-10-16 20:20:45 +0200 |
commit | 4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0 (patch) | |
tree | 9a7ede9ac3f1899074e9ef568a447f883191d3b5 /modules/private/system | |
parent | da30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2 (diff) | |
download | Nix-4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0.tar.gz Nix-4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0.tar.zst Nix-4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0.zip |
Use attrs for secrets instead of lists
Diffstat (limited to 'modules/private/system')
-rw-r--r-- | modules/private/system/backup-2.nix | 14 | ||||
-rw-r--r-- | modules/private/system/eldiron.nix | 14 | ||||
-rw-r--r-- | modules/private/system/monitoring-1.nix | 9 | ||||
-rw-r--r-- | modules/private/system/quatresaisons.nix | 14 | ||||
-rw-r--r-- | modules/private/system/quatresaisons/databases.nix | 14 |
5 files changed, 28 insertions, 37 deletions
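--- a/modules/private/system/backup-2.nix
+++ b/modules/private/system/backup-2.nix
@@ -7,22 +7,20 @@
 };
 # ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age
 secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ];
-secrets.keys = [
-{
-dest = "rsync_backup/identity";
+secrets.keys = {
+"rsync_backup/identity" = {
 user = "backup";
 group = "backup";
 permissions = "0400";
 text = config.myEnv.rsync_backup.ssh_key.private;
-}
-{
-dest = "rsync_backup/identity.pub";
+};
+"rsync_backup/identity.pub" = {
 user = "backup";
 group = "backup";
 permissions = "0444";
 text = config.myEnv.rsync_backup.ssh_key.public;
-}
-];
+};
+};
 boot.kernelPackages = pkgs.linuxPackages_latest;
 myEnv = import ../../../nixops/secrets/environment.nix;
 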
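Review bot: The new attrset form of `secrets.keys` only evaluates if the option's type now accepts an attribute set keyed by destination, and that option definition is outside this view (the diffstat is limited to modules/private/system), so it is worth confirming the type change is part of this same commit rather than a later one. With the removed `dest` field now carried by the attribute name, two definitions of the same name within one host's configuration would either fail to evaluate or merge field-by-field depending on the option type, where the old list form would simply have produced two entries; a one-line comment at the first entry, e.g. `# attribute name is the secret's destination (replaces the old dest field)`, would make the new contract visible in the host files. The same change applies to eldiron.nix, monitoring-1.nix, quatresaisons.nix and quatresaisons/databases.nix. The enclosing module attrset starts before the hunk.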
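--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -126,9 +126,8 @@
 services.netdata.config.web.mode = "none";
 users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
 environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
-secrets.keys = [
-{
-dest = "netdata-stream.conf";
+secrets.keys = {
+"netdata-stream.conf" = {
 user = config.services.netdata.user;
 group = config.services.netdata.group;
 permissions = "0400";
@@ -138,15 +137,14 @@
 destination = ${config.myEnv.monitoring.netdata_aggregator}
 api key = ${config.myEnv.monitoring.netdata_keys.eldiron}
 '';
-}
-{
-dest = "zrepl_backup/identity";
+};
+"zrepl_backup/identity" = {
 user = "root";
 group = "root";
 permissions = "0400";
 text = config.myEnv.zrepl_backup.ssh_key.private;
-}
-];
+};
+};
 programs.ssh.knownHosts.dilion = {
 hostNames = ["dilion.immae.eu"];
 publicKey = let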
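--- a/modules/private/system/monitoring-1.nix
+++ b/modules/private/system/monitoring-1.nix
@@ -45,9 +45,8 @@
 networking.firewall.allowedTCPPorts = [ 19999 ];
 environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
 
-secrets.keys = [
-{
-dest = "netdata-stream.conf";
+secrets.keys = {
+"netdata-stream.conf" = {
 user = config.services.netdata.user;
 group = config.services.netdata.group;
 permissions = "0400";
@@ -58,8 +57,8 @@
 default memory = ram
 health enabled by default = auto
 '') config.myEnv.monitoring.netdata_keys);
-}
-];
+};
+};
 users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
 # This value determines the NixOS release with which your system is
 # to be compatible, in order to avoid breaking some software such as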
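--- a/modules/private/system/quatresaisons.nix
+++ b/modules/private/system/quatresaisons.nix
@@ -254,14 +254,12 @@ in
 '';
 };
 
-secrets.keys = [
-{
-dest = "ldap/sync_password";
+secrets.keys = {
+"ldap/sync_password" = {
 permissions = "0400";
 text = serverSpecificConfig.ldap_sync_password;
-}
-{
-dest = "ldap/ldaptree.ldif";
+};
+"ldap/ldaptree.ldif" = {
 permissions = "0400";
 text = serverSpecificConfig.ldap_service_users
 + (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
@@ -272,8 +270,8 @@ in
 sn: ${n}
 uid: ${n}
 '') normalUsers));
-}
-];
+};
+};
 
 myServices.monitoring.enable = true;
 myServices.certificates.enable = true;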
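Review bot: The two entries `"ldap/sync_password"` and `"ldap/ldaptree.ldif"` set `permissions = "0400"` but, unlike every entry in backup-2.nix, eldiron.nix and quatresaisons/databases.nix, no `user`/`group`, so the files are owned by whatever the secrets module defaults to, which is not visible here. A 0400 mode only protects as well as its owner choice, so naming the consuming account explicitly, the way databases.nix does with `user = "openldap"; group = "openldap";` for its LDAP secret, would make the intent reviewable in this file rather than depending on a default defined elsewhere. The enclosing attrset starts before the first hunk and the `ldaptree.ldif` text runs between the two hunks.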
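--- a/modules/private/system/quatresaisons/databases.nix
+++ b/modules/private/system/quatresaisons/databases.nix
@@ -9,16 +9,14 @@
 services.postgresql.ensureUsers = [
 { name = "naemon"; }
 ];
-secrets.keys = [
-{
-dest = "ldap/password";
+secrets.keys = {
+"ldap/password" = {
 permissions = "0400";
 user = "openldap";
 group = "openldap";
 text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
-}
-{
-dest = "webapps/tools-ldap";
+};
+"webapps/tools-ldap" = {
 user = "wwwrun";
 group = "wwwrun";
 permissions = "0400";
@@ -42,8 +40,8 @@
 $servers->setValue('login','attr','uid');
 $servers->setValue('login','fallback_dn',true);
 '';
-}
-];
+};
+};
 
 users.users.openldap.extraGroups = [ "keys" ];
 services.openldap = {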