authorIsmaël Bouya <ismael.bouya@normalesup.org>2021-10-13 02:26:54 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2021-10-16 01:39:24 +0200
commitda30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2 (patch)
treebd45012713b065829c1991e55d52081a8baef58a /modules/private/system
parentbd5c5d4e23ebd3863a960976767ed4a83dfd07fe (diff)
Move secrets to flakes
Diffstat (limited to 'modules/private/system')
-rw-r--r--modules/private/system/eldiron.nix2
-rw-r--r--modules/private/system/monitoring-1.nix2
-rw-r--r--modules/private/system/quatresaisons.nix12
-rw-r--r--modules/private/system/quatresaisons/databases.nix6
4 files changed, 11 insertions, 11 deletions
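--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -125,7 +125,7 @@
 services.netdata.config.health."enabled" = "no";
 services.netdata.config.web.mode = "none";
 users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
-environment.etc."netdata/stream.conf".source = "/var/secrets/netdata-stream.conf";
+environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
 secrets.keys = [
 {
 dest = "netdata-stream.conf";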
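Review bot: The new `environment.etc."netdata/stream.conf".source` (file line 128) makes `/etc/netdata/stream.conf` a symlink, so the readability of the streaming API key it holds is entirely that of the deployed secret file, and the only grant visible here is the `keys` group added to the netdata user on file line 127. The `secrets.keys` entry that governs that file's owner, group and mode continues past the hunk, so confirm it sets the group to `keys` and a mode no wider than 0440. A comment on the new line such as `# symlink to the deployed secret (outside /nix/store); readable only via the "keys" group` would record that contract for the next reader. The enclosing attribute set starts and ends outside the hunk.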
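--- a/modules/private/system/monitoring-1.nix
+++ b/modules/private/system/monitoring-1.nix
@@ -43,7 +43,7 @@
 services.netdata.config.web."allow netdata.conf from" = "fd*";
 services.netdata.config.web."allow management from" = "fd*";
 networking.firewall.allowedTCPPorts = [ 19999 ];
-environment.etc."netdata/stream.conf".source = "/var/secrets/netdata-stream.conf";
+environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
 
 secrets.keys = [
 {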
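Review bot: The streaming endpoint that the relinked `/etc/netdata/stream.conf` (file line 46) configures is reachable from every interface, because `networking.firewall.allowedTCPPorts = [ 19999 ]` on file line 45 opens the port globally while the only ACLs visible in the hunk (`fd*`, file lines 43–44) cover netdata.conf and management, not streaming or plain connections. Whether incoming streams are protected therefore rests on the API key inside the secret and on an `allow streaming from` / `allow connections from` setting that is not shown here. If the streaming peers are known, `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 19999 ];` or `services.netdata.config.stream."allow from" = "<peer addresses>";` would narrow the exposure; either way a comment next to the symlink stating that the API key is the only gate would help. The enclosing attribute set starts and ends outside the hunk.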
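--- a/modules/private/system/quatresaisons.nix
+++ b/modules/private/system/quatresaisons.nix
@@ -53,7 +53,7 @@ let
 chmod go-rwx /var/lib/nixos/sponsored_users
 echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users
 (${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \
--y /var/secrets/ldap/sync_password 2>/dev/null >/dev/null || true) <<EOF
+-y ${config.secrets.fullPaths."ldap/sync_password"} 2>/dev/null >/dev/null || true) <<EOF
 dn: uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org
 objectClass: inetOrgPerson
 cn: $1
@@ -74,7 +74,7 @@ let
 userdel -r "$1"
 sed -i -e "/^$mygroup $1/d" /var/lib/nixos/sponsored_users
 ${pkgs.openldap}/bin/ldapdelete -D cn=root,dc=salle-s,dc=org \
--y /var/secrets/ldap/sync_password \
+-y ${config.secrets.fullPaths."ldap/sync_password"} \
 "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
 echo "deleted"
 exit 0
@@ -103,7 +103,7 @@ let
 if [ "$1" = "$mygroup" ]; then
 log "resets web password"
 ${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
--y /var/secrets/ldap/sync_password \
+-y ${config.secrets.fullPaths."ldap/sync_password"} \
 -S "uid=$mygroup,ou=users,dc=salle-s,dc=org"
 else
 IFS=",";
@@ -111,7 +111,7 @@ let
 if [ "$u" = "$1" ]; then
 log "resets web password of $1"
 ${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
--y /var/secrets/ldap/sync_password \
+-y ${config.secrets.fullPaths."ldap/sync_password"} \
 -S "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
 exit 0
 fi
@@ -221,10 +221,10 @@ in
 deps = [ "secrets" "users" ];
 text =
 let
-com = "-D cn=root,dc=salle-s,dc=org -y /var/secrets/ldap/sync_password";
+com = "-D cn=root,dc=salle-s,dc=org -y ${config.secrets.fullPaths."ldap/sync_password"}";
 in ''
 # Add users
-${pkgs.openldap}/bin/ldapadd -c ${com} -f /var/secrets/ldap/ldaptree.ldif 2>/dev/null >/dev/null || true
+${pkgs.openldap}/bin/ldapadd -c ${com} -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} 2>/dev/null >/dev/null || true
 
 # Remove obsolete users
 ${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\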
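Review bot: Each interpolated secret path is dropped into a shell script unquoted — `-y ${config.secrets.fullPaths."ldap/sync_password"}` on file lines 56, 77, 106, 114 and inside `com` on file line 224, and `-f ${config.secrets.fullPaths."ldap/ldaptree.ldif"}` on file line 227 — so the value is subject to word splitting and globbing; writing `-y "${config.secrets.fullPaths."ldap/sync_password"}"` (and the same for `-f`) costs nothing and removes the dependency on the secrets module never producing a path with shell-special characters. The same scripts also bind as `cn=root,dc=salle-s,dc=org`, the directory's rootdn, for routine add/delete/password-reset work; a dedicated service DN with write access limited to `ou=users,dc=salle-s,dc=org` would be the least-privilege choice, though that is a change outside this commit's scope. Note too that `2>/dev/null >/dev/null || true` on file lines 56 and 227 now also hides a failure to open the relocated secret (for instance if it is not yet deployed or has the wrong mode when the script runs), so at minimum the exit status should be logged rather than discarded. The shell functions and the activation script these hunks modify start and end outside the hunks.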
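--- a/modules/private/system/quatresaisons/databases.nix
+++ b/modules/private/system/quatresaisons/databases.nix
@@ -2,7 +2,7 @@
 {
 config = let
 serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
-phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
+phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
 in {
 services.postgresql.enable = true;
 services.postgresql.package = pkgs.postgresql_12;
@@ -94,7 +94,7 @@
 by anonymous auth
 by * break
 '';
-rootpwFile = "${config.secrets.location}/ldap/password";
+rootpwFile = config.secrets.fullPaths."ldap/password";
 suffix = "dc=salle-s,dc=org";
 rootdn = "cn=root,dc=salle-s,dc=org";
 database = "hdb";
@@ -120,7 +120,7 @@
 group = "wwwrun";
 settings =
 let
-basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ];
+basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ];
 in {
 "listen.owner" = "wwwrun";
 "listen.group" = "wwwrun";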
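Review bot: `rootpwFile = config.secrets.fullPaths."ldap/password"` on file line 97 is the credential for `rootdn = "cn=root,dc=salle-s,dc=org"` (file line 99), yet the user-management scripts elsewhere in this commit bind to that same DN with a different secret, `ldap/sync_password`; these are presumably two copies of one value, and if so a single reference (or better, a separate non-root sync DN) would stop them from silently drifting apart — confirm against how the secrets are generated. File line 123 also puts the secret path into php-fpm's `basedir`, which hands `wwwrun` read access to everything under `webapps/tools-ldap`; a comment such as `# open_basedir must include the secret config dir phpLdapAdmin reads at runtime; keep it narrow` would explain why a secret path appears in open_basedir and warn against widening it. The `let` bindings and attribute sets these hunks modify start and end outside the hunks.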