diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2021-10-16 17:40:07 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2021-10-16 20:20:45 +0200 |
| commit | 4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0 (patch) | |
| tree | 9a7ede9ac3f1899074e9ef568a447f883191d3b5 /modules/private/system | |
| parent | da30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2 (diff) | |
| download | Nix-4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0.tar.gz Nix-4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0.tar.zst Nix-4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0.zip | |
Use attrs for secrets instead of lists
Diffstat (limited to 'modules/private/system')
| -rw-r--r-- | modules/private/system/backup-2.nix | 14 | ||||
| -rw-r--r-- | modules/private/system/eldiron.nix | 14 | ||||
| -rw-r--r-- | modules/private/system/monitoring-1.nix | 9 | ||||
| -rw-r--r-- | modules/private/system/quatresaisons.nix | 14 | ||||
| -rw-r--r-- | modules/private/system/quatresaisons/databases.nix | 14 |
5 files changed, 28 insertions, 37 deletions
diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix index 181f455..c01a666 100644 --- a/modules/private/system/backup-2.nix +++ b/modules/private/system/backup-2.nix | |||
| @@ -7,22 +7,20 @@ | |||
| 7 | }; | 7 | }; |
| 8 | # ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age | 8 | # ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age |
| 9 | secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ]; | 9 | secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ]; |
| 10 | secrets.keys = [ | 10 | secrets.keys = { |
| 11 | { | 11 | "rsync_backup/identity" = { |
| 12 | dest = "rsync_backup/identity"; | ||
| 13 | user = "backup"; | 12 | user = "backup"; |
| 14 | group = "backup"; | 13 | group = "backup"; |
| 15 | permissions = "0400"; | 14 | permissions = "0400"; |
| 16 | text = config.myEnv.rsync_backup.ssh_key.private; | 15 | text = config.myEnv.rsync_backup.ssh_key.private; |
| 17 | } | 16 | }; |
| 18 | { | 17 | "rsync_backup/identity.pub" = { |
| 19 | dest = "rsync_backup/identity.pub"; | ||
| 20 | user = "backup"; | 18 | user = "backup"; |
| 21 | group = "backup"; | 19 | group = "backup"; |
| 22 | permissions = "0444"; | 20 | permissions = "0444"; |
| 23 | text = config.myEnv.rsync_backup.ssh_key.public; | 21 | text = config.myEnv.rsync_backup.ssh_key.public; |
| 24 | } | 22 | }; |
| 25 | ]; | 23 | }; |
| 26 | boot.kernelPackages = pkgs.linuxPackages_latest; | 24 | boot.kernelPackages = pkgs.linuxPackages_latest; |
| 27 | myEnv = import ../../../nixops/secrets/environment.nix; | 25 | myEnv = import ../../../nixops/secrets/environment.nix; |
| 28 | 26 | ||
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix index 0830f18..2c339a5 100644 --- a/modules/private/system/eldiron.nix +++ b/modules/private/system/eldiron.nix | |||
| @@ -126,9 +126,8 @@ | |||
| 126 | services.netdata.config.web.mode = "none"; | 126 | services.netdata.config.web.mode = "none"; |
| 127 | users.users."${config.services.netdata.user}".extraGroups = [ "keys" ]; | 127 | users.users."${config.services.netdata.user}".extraGroups = [ "keys" ]; |
| 128 | environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf"; | 128 | environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf"; |
| 129 | secrets.keys = [ | 129 | secrets.keys = { |
| 130 | { | 130 | "netdata-stream.conf" = { |
| 131 | dest = "netdata-stream.conf"; | ||
| 132 | user = config.services.netdata.user; | 131 | user = config.services.netdata.user; |
| 133 | group = config.services.netdata.group; | 132 | group = config.services.netdata.group; |
| 134 | permissions = "0400"; | 133 | permissions = "0400"; |
| @@ -138,15 +137,14 @@ | |||
| 138 | destination = ${config.myEnv.monitoring.netdata_aggregator} | 137 | destination = ${config.myEnv.monitoring.netdata_aggregator} |
| 139 | api key = ${config.myEnv.monitoring.netdata_keys.eldiron} | 138 | api key = ${config.myEnv.monitoring.netdata_keys.eldiron} |
| 140 | ''; | 139 | ''; |
| 141 | } | 140 | }; |
| 142 | { | 141 | "zrepl_backup/identity" = { |
| 143 | dest = "zrepl_backup/identity"; | ||
| 144 | user = "root"; | 142 | user = "root"; |
| 145 | group = "root"; | 143 | group = "root"; |
| 146 | permissions = "0400"; | 144 | permissions = "0400"; |
| 147 | text = config.myEnv.zrepl_backup.ssh_key.private; | 145 | text = config.myEnv.zrepl_backup.ssh_key.private; |
| 148 | } | 146 | }; |
| 149 | ]; | 147 | }; |
| 150 | programs.ssh.knownHosts.dilion = { | 148 | programs.ssh.knownHosts.dilion = { |
| 151 | hostNames = ["dilion.immae.eu"]; | 149 | hostNames = ["dilion.immae.eu"]; |
| 152 | publicKey = let | 150 | publicKey = let |
diff --git a/modules/private/system/monitoring-1.nix b/modules/private/system/monitoring-1.nix index 91d30fd..dea5f45 100644 --- a/modules/private/system/monitoring-1.nix +++ b/modules/private/system/monitoring-1.nix | |||
| @@ -45,9 +45,8 @@ | |||
| 45 | networking.firewall.allowedTCPPorts = [ 19999 ]; | 45 | networking.firewall.allowedTCPPorts = [ 19999 ]; |
| 46 | environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf"; | 46 | environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf"; |
| 47 | 47 | ||
| 48 | secrets.keys = [ | 48 | secrets.keys = { |
| 49 | { | 49 | "netdata-stream.conf" = { |
| 50 | dest = "netdata-stream.conf"; | ||
| 51 | user = config.services.netdata.user; | 50 | user = config.services.netdata.user; |
| 52 | group = config.services.netdata.group; | 51 | group = config.services.netdata.group; |
| 53 | permissions = "0400"; | 52 | permissions = "0400"; |
| @@ -58,8 +57,8 @@ | |||
| 58 | default memory = ram | 57 | default memory = ram |
| 59 | health enabled by default = auto | 58 | health enabled by default = auto |
| 60 | '') config.myEnv.monitoring.netdata_keys); | 59 | '') config.myEnv.monitoring.netdata_keys); |
| 61 | } | 60 | }; |
| 62 | ]; | 61 | }; |
| 63 | users.users."${config.services.netdata.user}".extraGroups = [ "keys" ]; | 62 | users.users."${config.services.netdata.user}".extraGroups = [ "keys" ]; |
| 64 | # This value determines the NixOS release with which your system is | 63 | # This value determines the NixOS release with which your system is |
| 65 | # to be compatible, in order to avoid breaking some software such as | 64 | # to be compatible, in order to avoid breaking some software such as |
diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix index 491e215..82db70f 100644 --- a/modules/private/system/quatresaisons.nix +++ b/modules/private/system/quatresaisons.nix | |||
| @@ -254,14 +254,12 @@ in | |||
| 254 | ''; | 254 | ''; |
| 255 | }; | 255 | }; |
| 256 | 256 | ||
| 257 | secrets.keys = [ | 257 | secrets.keys = { |
| 258 | { | 258 | "ldap/sync_password" = { |
| 259 | dest = "ldap/sync_password"; | ||
| 260 | permissions = "0400"; | 259 | permissions = "0400"; |
| 261 | text = serverSpecificConfig.ldap_sync_password; | 260 | text = serverSpecificConfig.ldap_sync_password; |
| 262 | } | 261 | }; |
| 263 | { | 262 | "ldap/ldaptree.ldif" = { |
| 264 | dest = "ldap/ldaptree.ldif"; | ||
| 265 | permissions = "0400"; | 263 | permissions = "0400"; |
| 266 | text = serverSpecificConfig.ldap_service_users | 264 | text = serverSpecificConfig.ldap_service_users |
| 267 | + (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: '' | 265 | + (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: '' |
| @@ -272,8 +270,8 @@ in | |||
| 272 | sn: ${n} | 270 | sn: ${n} |
| 273 | uid: ${n} | 271 | uid: ${n} |
| 274 | '') normalUsers)); | 272 | '') normalUsers)); |
| 275 | } | 273 | }; |
| 276 | ]; | 274 | }; |
| 277 | 275 | ||
| 278 | myServices.monitoring.enable = true; | 276 | myServices.monitoring.enable = true; |
| 279 | myServices.certificates.enable = true; | 277 | myServices.certificates.enable = true; |
diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix index 68ce274..f7b27e0 100644 --- a/modules/private/system/quatresaisons/databases.nix +++ b/modules/private/system/quatresaisons/databases.nix | |||
| @@ -9,16 +9,14 @@ | |||
| 9 | services.postgresql.ensureUsers = [ | 9 | services.postgresql.ensureUsers = [ |
| 10 | { name = "naemon"; } | 10 | { name = "naemon"; } |
| 11 | ]; | 11 | ]; |
| 12 | secrets.keys = [ | 12 | secrets.keys = { |
| 13 | { | 13 | "ldap/password" = { |
| 14 | dest = "ldap/password"; | ||
| 15 | permissions = "0400"; | 14 | permissions = "0400"; |
| 16 | user = "openldap"; | 15 | user = "openldap"; |
| 17 | group = "openldap"; | 16 | group = "openldap"; |
| 18 | text = "rootpw ${serverSpecificConfig.ldap_root_pw}"; | 17 | text = "rootpw ${serverSpecificConfig.ldap_root_pw}"; |
| 19 | } | 18 | }; |
| 20 | { | 19 | "webapps/tools-ldap" = { |
| 21 | dest = "webapps/tools-ldap"; | ||
| 22 | user = "wwwrun"; | 20 | user = "wwwrun"; |
| 23 | group = "wwwrun"; | 21 | group = "wwwrun"; |
| 24 | permissions = "0400"; | 22 | permissions = "0400"; |
| @@ -42,8 +40,8 @@ | |||
| 42 | $servers->setValue('login','attr','uid'); | 40 | $servers->setValue('login','attr','uid'); |
| 43 | $servers->setValue('login','fallback_dn',true); | 41 | $servers->setValue('login','fallback_dn',true); |
| 44 | ''; | 42 | ''; |
| 45 | } | 43 | }; |
| 46 | ]; | 44 | }; |
| 47 | 45 | ||
| 48 | users.users.openldap.extraGroups = [ "keys" ]; | 46 | users.users.openldap.extraGroups = [ "keys" ]; |
| 49 | services.openldap = { | 47 | services.openldap = { |