Remove gitolite password from nix store

2 files changed, 11 insertions, 2 deletions

diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix
index 1549c94..e8ccc7d 100644
--- a/modules/private/gitolite/default.nix
+++ b/modules/private/gitolite/default.nix
@@ -20,6 +20,14 @@ in {
     };
     networking.firewall.allowedTCPPorts = [ 9418 ];
 
+    secrets.keys = [{
+      dest = "gitolite/ldap_password";
+      user = "gitolite";
+      group = "gitolite";
+      permissions = "0400";
+      text = config.myEnv.tools.gitolite.ldap.password;
+    }];
+
     services.gitDaemon = {
       enable = true;
       user = "gitolite";
@@ -34,7 +42,7 @@ in {
       } ''
         makeWrapper "${./gitolite_ldap_groups.sh}" "$out" \
           --prefix PATH : ${lib.makeBinPath deps} \
-          --set LDAP_PASS ${pkgs.lib.escapeShellArg config.myEnv.tools.gitolite.ldap.password}
+          --set LDAP_PASS_PATH ${config.secrets.fullPaths."gitolite/ldap_password"}
         '';
     in {
       deps = [ "users" ];
@@ -50,6 +58,7 @@ in {
     };
 
     users.users.wwwrun.extraGroups = [ "gitolite" ];
+    users.users.gitolite.extraGroups = [ "keys" ];
 
     users.users.gitolite.packages = let
       python-packages = python-packages: with python-packages; [
diff --git a/modules/private/gitolite/gitolite_ldap_groups.sh b/modules/private/gitolite/gitolite_ldap_groups.sh
index 7db0da4..3d7117e 100755
--- a/modules/private/gitolite/gitolite_ldap_groups.sh
+++ b/modules/private/gitolite/gitolite_ldap_groups.sh
@@ -3,7 +3,7 @@
 uid_param="$1"
 ldap_host="ldap.immae.eu"
 ldap_binddn="cn=gitolite,ou=services,dc=immae,dc=eu"
-ldap_bindpw="$LDAP_PASS"
+ldap_bindpw="$(cat $LDAP_PASS_PATH)"
 ldap_searchbase="dc=immae,dc=eu"
 ldap_scope="subtree"