aboutsummaryrefslogtreecommitdiff
path: root/modules/private
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-06-13 23:14:49 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-06-13 23:14:49 +0200
commitce7d09efb55888501b73f9e763811deac762aed2 (patch)
treeedca5e7370603e4032932d063bdcab7e085ec71c /modules/private
parent46c99b575ab45c79e195bc9e9ed75759e814aad1 (diff)
downloadNix-ce7d09efb55888501b73f9e763811deac762aed2.tar.gz
Nix-ce7d09efb55888501b73f9e763811deac762aed2.tar.zst
Nix-ce7d09efb55888501b73f9e763811deac762aed2.zip
Remove gitolite password from nix store
Diffstat (limited to 'modules/private')
-rw-r--r--modules/private/gitolite/default.nix11
-rwxr-xr-xmodules/private/gitolite/gitolite_ldap_groups.sh2
2 files changed, 11 insertions, 2 deletions
diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix
index 1549c94..e8ccc7d 100644
--- a/modules/private/gitolite/default.nix
+++ b/modules/private/gitolite/default.nix
@@ -20,6 +20,14 @@ in {
20 }; 20 };
21 networking.firewall.allowedTCPPorts = [ 9418 ]; 21 networking.firewall.allowedTCPPorts = [ 9418 ];
22 22
23 secrets.keys = [{
24 dest = "gitolite/ldap_password";
25 user = "gitolite";
26 group = "gitolite";
27 permissions = "0400";
28 text = config.myEnv.tools.gitolite.ldap.password;
29 }];
30
23 services.gitDaemon = { 31 services.gitDaemon = {
24 enable = true; 32 enable = true;
25 user = "gitolite"; 33 user = "gitolite";
@@ -34,7 +42,7 @@ in {
34 } '' 42 } ''
35 makeWrapper "${./gitolite_ldap_groups.sh}" "$out" \ 43 makeWrapper "${./gitolite_ldap_groups.sh}" "$out" \
36 --prefix PATH : ${lib.makeBinPath deps} \ 44 --prefix PATH : ${lib.makeBinPath deps} \
37 --set LDAP_PASS ${pkgs.lib.escapeShellArg config.myEnv.tools.gitolite.ldap.password} 45 --set LDAP_PASS_PATH ${config.secrets.fullPaths."gitolite/ldap_password"}
38 ''; 46 '';
39 in { 47 in {
40 deps = [ "users" ]; 48 deps = [ "users" ];
@@ -50,6 +58,7 @@ in {
50 }; 58 };
51 59
52 users.users.wwwrun.extraGroups = [ "gitolite" ]; 60 users.users.wwwrun.extraGroups = [ "gitolite" ];
61 users.users.gitolite.extraGroups = [ "keys" ];
53 62
54 users.users.gitolite.packages = let 63 users.users.gitolite.packages = let
55 python-packages = python-packages: with python-packages; [ 64 python-packages = python-packages: with python-packages; [
diff --git a/modules/private/gitolite/gitolite_ldap_groups.sh b/modules/private/gitolite/gitolite_ldap_groups.sh
index 7db0da4..3d7117e 100755
--- a/modules/private/gitolite/gitolite_ldap_groups.sh
+++ b/modules/private/gitolite/gitolite_ldap_groups.sh
@@ -3,7 +3,7 @@
3uid_param="$1" 3uid_param="$1"
4ldap_host="ldap.immae.eu" 4ldap_host="ldap.immae.eu"
5ldap_binddn="cn=gitolite,ou=services,dc=immae,dc=eu" 5ldap_binddn="cn=gitolite,ou=services,dc=immae,dc=eu"
6ldap_bindpw="$LDAP_PASS" 6ldap_bindpw="$(cat $LDAP_PASS_PATH)"
7ldap_searchbase="dc=immae,dc=eu" 7ldap_searchbase="dc=immae,dc=eu"
8ldap_scope="subtree" 8ldap_scope="subtree"
9 9