Move secrets module outside of nixops

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-10 14:56:43 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-10 14:56:43 +0200
commit: 1a7188052f235fb632700478fad0108e4306107d (patch)
tree: 046b43c711a161190e99953c709cd69aaa49b724 /nixops/modules
parent: d42bbbe6f510fce233ecb66d44d205761390b56e (diff)
download: Nix-1a7188052f235fb632700478fad0108e4306107d.tar.gz
Nix-1a7188052f235fb632700478fad0108e4306107d.tar.zst
Nix-1a7188052f235fb632700478fad0108e4306107d.zip
27 files changed, 30 insertions, 87 deletions
diff --git a/nixops/modules/buildbot/default.nix b/nixops/modules/buildbot/default.nix
index 7632602..5cf833b 100644
--- a/nixops/modules/buildbot/default.nix
+++ b/nixops/modules/buildbot/default.nix
@@ -106,7 +106,7 @@ in
      '';
    }) myconfig.env.buildbot.projects;
-    mySecrets.keys = (
+    secrets.keys = (
      lib.lists.flatten (
        lib.attrsets.mapAttrsToList (k: project:
          lib.attrsets.mapAttrsToList (k: v:
diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix
index 2d56155..23b8b90 100644
--- a/nixops/modules/databases/mysql.nix
+++ b/nixops/modules/databases/mysql.nix
@@ -44,7 +44,7 @@ in {
      '';
    };
-    mySecrets.keys = [
+    secrets.keys = [
      {
        dest = "mysql/mysqldump";
        permissions = "0400";
diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix
index a447ccc..542e209 100644
--- a/nixops/modules/databases/openldap.nix
+++ b/nixops/modules/databases/openldap.nix
@@ -56,7 +56,7 @@ in {
  };
  config = lib.mkIf cfg.enable {
-    mySecrets.keys = [
+    secrets.keys = [
       {
        dest = "ldap/password";
        permissions = "0400";
diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix
index b113e9f..3a58c48 100644
--- a/nixops/modules/databases/postgresql.nix
+++ b/nixops/modules/databases/postgresql.nix
@@ -69,7 +69,7 @@ in {
      '';
    };
-    mySecrets.keys = [
+    secrets.keys = [
      {
        dest = "postgresql/pam";
        permissions = "0400";
diff --git a/nixops/modules/ftp.nix b/nixops/modules/ftp.nix
index 541e119..871e9ef 100644
--- a/nixops/modules/ftp.nix
+++ b/nixops/modules/ftp.nix
@@ -43,7 +43,7 @@
      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
      '';
-    mySecrets.keys = [{
+    secrets.keys = [{
      dest = "pure-ftpd-ldap";
      permissions = "0400";
      user = "ftp";
diff --git a/nixops/modules/mail.nix b/nixops/modules/mail.nix
index 6ec9165..993e5f1 100644
--- a/nixops/modules/mail.nix
+++ b/nixops/modules/mail.nix
@@ -1,7 +1,5 @@
 { lib, pkgs, config, myconfig, mylibs, ... }:
 {
-  config.ids.uids.nullmailer = myconfig.env.users.nullmailer.uid;
-  config.ids.gids.nullmailer = myconfig.env.users.nullmailer.gid;
  config.users.users.nullmailer.uid = config.ids.uids.nullmailer;
  config.users.groups.nullmailer.gid = config.ids.gids.nullmailer;
diff --git a/nixops/modules/mpd.nix b/nixops/modules/mpd.nix
index 7c896ca..83c225b 100644
--- a/nixops/modules/mpd.nix
+++ b/nixops/modules/mpd.nix
@@ -1,7 +1,7 @@
 { lib, pkgs, config, myconfig, mylibs, ... }:
 {
  config = {
-    mySecrets.keys = [
+    secrets.keys = [
      {
        dest = "mpd";
        permissions = "0400";
diff --git a/nixops/modules/secrets.nix b/nixops/modules/secrets.nix
deleted file mode 100644
index 8500088..0000000
--- a/nixops/modules/secrets.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ lib, pkgs, config, myconfig, mylibs, ... }:
-{
-  options.mySecrets = {
-    keys = lib.mkOption {
-      type = lib.types.listOf lib.types.unspecified;
-      default = {};
-      description = "Keys to upload to server";
-    };
-  };
-  config = let
-    keys = config.mySecrets.keys;
-    empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
-    dumpKey = v: ''
-        mkdir -p secrets/$(dirname ${v.dest})
-        echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
-        cat >> mods <<EOF
-        ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
-        EOF
-        '';
-    secrets = pkgs.runCommand "secrets.tar" {} ''
-      touch mods
-      tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
-      ${builtins.concatStringsSep "\n" (map dumpKey keys)}
-      cat mods | while read u g p k; do
-      tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
-      done
-      '';
-  in {
-    system.activationScripts.secrets = {
-      deps = [ "users" "wrappers" ];
-      text = ''
-        install -m0750 -o root -g keys -d /var/secrets
-        if [ -f /run/keys/secrets.tar ]; then
-          if [ ! -f /var/secrets/currentSecrets ] || ! sha512sum -c --status "/var/secrets/currentSecrets"; then
-            echo "rebuilding secrets"
-            rm -rf /var/secrets
-            install -m0750 -o root -g keys -d /var/secrets
-            ${pkgs.gnutar}/bin/tar --strip-components 1 -C /var/secrets -xf /run/keys/secrets.tar
-            sha512sum /run/keys/secrets.tar > /var/secrets/currentSecrets
-            find /var/secrets -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
-          fi
-        fi
-        '';
-    };
-    deployment.keys."secrets.tar" = {
-      permissions = "0400";
-      # keyFile below is not evaluated at build time by nixops, so the
-      # `secrets` path doesn’t necessarily exist when uploading the
-      # keys, and nixops is unhappy.
-      user = "root${builtins.substring 10000 1 secrets}";
-      group = "root";
-      keyFile = "${secrets}";
-    };
-  };
-}
diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix
index 4dc0d65..e8d6063 100644
--- a/nixops/modules/ssh/default.nix
+++ b/nixops/modules/ssh/default.nix
@@ -8,7 +8,7 @@
      AuthorizedKeysCommandUser nobody
      '';
-    mySecrets.keys = [{
+    secrets.keys = [{
      dest = "ssh-ldap";
      user = "nobody";
      group = "nogroup";
diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix
index 1f5ddd2..01d032d 100644
--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -86,7 +86,7 @@ in {
  };
  config = lib.mkIf cfg.enable {
-    mySecrets.keys = [{
+    secrets.keys = [{
      dest = "webapps/tools-taskwarrior-web";
      user = "wwwrun";
      group = "wwwrun";
diff --git a/nixops/modules/websites/aten/default.nix b/nixops/modules/websites/aten/default.nix
index 6f58d3c..f6efe01 100644
--- a/nixops/modules/websites/aten/default.nix
+++ b/nixops/modules/websites/aten/default.nix
@@ -25,7 +25,7 @@ in {
  config = lib.mkMerge [
    (lib.mkIf cfg.production.enable {
-      mySecrets.keys = aten_prod.keys;
+      secrets.keys = aten_prod.keys;
      services.myWebsites.commons.stats.enable = true;
      services.myWebsites.commons.stats.sites = [
        {
@@ -59,7 +59,7 @@ in {
      };
    })
    (lib.mkIf cfg.integration.enable {
-      mySecrets.keys = aten_dev.keys;
+      secrets.keys = aten_dev.keys;
      security.acme.certs."eldiron".extraDomains."dev.aten.pro" = null;
      services.myPhpfpm.preStart.aten_dev = aten_dev.phpFpm.preStart;
      services.myPhpfpm.serviceDependencies.aten_dev = aten_dev.phpFpm.serviceDeps;
diff --git a/nixops/modules/websites/chloe/default.nix b/nixops/modules/websites/chloe/default.nix
index 33ced2e..0ea9213 100644
--- a/nixops/modules/websites/chloe/default.nix
+++ b/nixops/modules/websites/chloe/default.nix
@@ -25,7 +25,7 @@ in {
  config = lib.mkMerge [
    (lib.mkIf cfg.production.enable {
-      mySecrets.keys = chloe_prod.keys;
+      secrets.keys = chloe_prod.keys;
      services.myWebsites.commons.stats.enable = true;
      services.myWebsites.commons.stats.sites = [
        {
@@ -60,7 +60,7 @@ in {
      };
    })
    (lib.mkIf cfg.integration.enable {
-      mySecrets.keys = chloe_dev.keys;
+      secrets.keys = chloe_dev.keys;
      security.acme.certs."eldiron".extraDomains."chloe.immae.eu" = null;
      services.myPhpfpm.serviceDependencies.chloe_dev = chloe_dev.phpFpm.serviceDeps;
      services.myPhpfpm.poolConfigs.chloe_dev = chloe_dev.phpFpm.pool;
diff --git a/nixops/modules/websites/connexionswing/default.nix b/nixops/modules/websites/connexionswing/default.nix
index c0036d8..2966cb8 100644
--- a/nixops/modules/websites/connexionswing/default.nix
+++ b/nixops/modules/websites/connexionswing/default.nix
@@ -25,7 +25,7 @@ in {
  config = lib.mkMerge [
    (lib.mkIf cfg.production.enable {
-      mySecrets.keys = connexionswing_prod.keys;
+      secrets.keys = connexionswing_prod.keys;
      services.myWebsites.commons.stats.enable = true;
      services.myWebsites.commons.stats.sites = [
        {
@@ -61,7 +61,7 @@ in {
      };
    })
    (lib.mkIf cfg.integration.enable {
-      mySecrets.keys = connexionswing_dev.keys;
+      secrets.keys = connexionswing_dev.keys;
      security.acme.certs."eldiron".extraDomains."sandetludo.immae.eu" = null;
      security.acme.certs."eldiron".extraDomains."connexionswing.immae.eu" = null;
      services.myPhpfpm.preStart.connexionswing_dev = connexionswing_dev.phpFpm.preStart;
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix
index 555e780..ceef1e1 100644
--- a/nixops/modules/websites/default.nix
+++ b/nixops/modules/websites/default.nix
@@ -228,7 +228,7 @@ in
    services.myWebsites.TellesFlorian.integration.enable = true;
    services.myWebsites.Florian.integration.enable = true;
-    mySecrets.keys = [{
+    secrets.keys = [{
      dest = "apache-ldap";
      user = "wwwrun";
      group = "wwwrun";
diff --git a/nixops/modules/websites/ftp/jerome.nix b/nixops/modules/websites/ftp/jerome.nix
index 18d16a1..610de02 100644
--- a/nixops/modules/websites/ftp/jerome.nix
+++ b/nixops/modules/websites/ftp/jerome.nix
@@ -29,7 +29,7 @@ in {
      domain = "naturaloutil.immae.eu";
    };
-    mySecrets.keys = [{
+    secrets.keys = [{
      dest = "webapps/prod-naturaloutil";
      user = "wwwrun";
      group = "wwwrun";
diff --git a/nixops/modules/websites/ludivine/default.nix b/nixops/modules/websites/ludivine/default.nix
index a3d3922..7fa33ed 100644
--- a/nixops/modules/websites/ludivine/default.nix
+++ b/nixops/modules/websites/ludivine/default.nix
@@ -21,7 +21,7 @@ in {
  config = lib.mkMerge [
    (lib.mkIf cfg.production.enable {
-      mySecrets.keys = ludivinecassal_prod.keys;
+      secrets.keys = ludivinecassal_prod.keys;
      services.myWebsites.commons.stats.enable = true;
      services.myWebsites.commons.stats.sites = [
        {
@@ -54,7 +54,7 @@ in {
      };
    })
    (lib.mkIf cfg.integration.enable {
-      mySecrets.keys = ludivinecassal_dev.keys;
+      secrets.keys = ludivinecassal_dev.keys;
      security.acme.certs."eldiron".extraDomains."ludivine.immae.eu" = null;
      services.myPhpfpm.preStart.ludivinecassal_dev = ludivinecassal_dev.phpFpm.preStart;
diff --git a/nixops/modules/websites/piedsjaloux/default.nix b/nixops/modules/websites/piedsjaloux/default.nix
index b2bd2fd..d75170f 100644
--- a/nixops/modules/websites/piedsjaloux/default.nix
+++ b/nixops/modules/websites/piedsjaloux/default.nix
@@ -25,7 +25,7 @@ in {
  config = lib.mkMerge [
    (lib.mkIf cfg.production.enable {
-      mySecrets.keys = piedsjaloux_prod.keys;
+      secrets.keys = piedsjaloux_prod.keys;
      services.myWebsites.commons.stats.enable = true;
      services.myWebsites.commons.stats.sites = [
        {
@@ -58,7 +58,7 @@ in {
      };
    })
    (lib.mkIf cfg.integration.enable {
-      mySecrets.keys = piedsjaloux_dev.keys;
+      secrets.keys = piedsjaloux_dev.keys;
      security.acme.certs."eldiron".extraDomains."piedsjaloux.immae.eu" = null;
      services.myPhpfpm.preStart.piedsjaloux_dev = piedsjaloux_dev.phpFpm.preStart;
      services.myPhpfpm.serviceDependencies.piedsjaloux_dev = piedsjaloux_dev.phpFpm.serviceDeps;
diff --git a/nixops/modules/websites/tellesflorian/default.nix b/nixops/modules/websites/tellesflorian/default.nix
index 16d788f..f86b0c5 100644
--- a/nixops/modules/websites/tellesflorian/default.nix
+++ b/nixops/modules/websites/tellesflorian/default.nix
@@ -16,7 +16,7 @@ in {
  };
  config = lib.mkIf cfg.integration.enable {
-    mySecrets.keys = tellesflorian_dev.keys;
+    secrets.keys = tellesflorian_dev.keys;
    security.acme.certs."eldiron".extraDomains."app.tellesflorian.com" = null;
    services.myPhpfpm.preStart.tellesflorian_dev = tellesflorian_dev.phpFpm.preStart;
    services.myPhpfpm.serviceDependencies.tellesflorian_dev = tellesflorian_dev.phpFpm.serviceDeps;
diff --git a/nixops/modules/websites/tools/cloud.nix b/nixops/modules/websites/tools/cloud.nix
index a7fcd61..8af2914 100644
--- a/nixops/modules/websites/tools/cloud.nix
+++ b/nixops/modules/websites/tools/cloud.nix
@@ -80,7 +80,7 @@ in {
      ];
    };
-    mySecrets.keys = [{
+    secrets.keys = [{
      dest = "webapps/tools-nextcloud";
      user = "wwwrun";
      group = "wwwrun";
diff --git a/nixops/modules/websites/tools/dav/default.nix b/nixops/modules/websites/tools/dav/default.nix
index c24f8db..bf5e412 100644
--- a/nixops/modules/websites/tools/dav/default.nix
+++ b/nixops/modules/websites/tools/dav/default.nix
@@ -29,7 +29,7 @@ in {
  config = lib.mkIf cfg.enable {
    security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null;
-    mySecrets.keys = davical.keys;
+    secrets.keys = davical.keys;
    services.myWebsites.tools.modules = davical.apache.modules;
    services.myWebsites.tools.vhostConfs.dav = {
diff --git a/nixops/modules/websites/tools/diaspora.nix b/nixops/modules/websites/tools/diaspora.nix
index 53989b7..1088e71 100644
--- a/nixops/modules/websites/tools/diaspora.nix
+++ b/nixops/modules/websites/tools/diaspora.nix
@@ -35,7 +35,7 @@ in {
    };
    users.groups.diaspora.gid = config.ids.gids.diaspora;
-    mySecrets.keys = [
+    secrets.keys = [
      {
        dest = "webapps/diaspora/diaspora.yml";
        user = "diaspora";
diff --git a/nixops/modules/websites/tools/ether.nix b/nixops/modules/websites/tools/ether.nix
index 1c952af..80472f0 100644
--- a/nixops/modules/websites/tools/ether.nix
+++ b/nixops/modules/websites/tools/ether.nix
@@ -14,7 +14,7 @@ in {
  };
  config = lib.mkIf cfg.enable {
-    mySecrets.keys = [
+    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
diff --git a/nixops/modules/websites/tools/git/default.nix b/nixops/modules/websites/tools/git/default.nix
index e7dbd6f..799c180 100644
--- a/nixops/modules/websites/tools/git/default.nix
+++ b/nixops/modules/websites/tools/git/default.nix
@@ -16,7 +16,7 @@ in {
  config = lib.mkIf cfg.enable {
    security.acme.certs."eldiron".extraDomains."git.immae.eu" = null;
-    mySecrets.keys = mantisbt.keys;
+    secrets.keys = mantisbt.keys;
    services.myWebsites.tools.modules =
      gitweb.apache.modules ++
      mantisbt.apache.modules;
diff --git a/nixops/modules/websites/tools/mastodon.nix b/nixops/modules/websites/tools/mastodon.nix
index 3279cf8..c461bec 100644
--- a/nixops/modules/websites/tools/mastodon.nix
+++ b/nixops/modules/websites/tools/mastodon.nix
@@ -16,7 +16,7 @@ in {
  };
  config = lib.mkIf cfg.enable {
-    mySecrets.keys = [{
+    secrets.keys = [{
      dest = "webapps/tools-mastodon";
      user = "mastodon";
      group = "mastodon";
diff --git a/nixops/modules/websites/tools/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin.nix
index bdb8323..bf45e8e 100644
--- a/nixops/modules/websites/tools/mediagoblin.nix
+++ b/nixops/modules/websites/tools/mediagoblin.nix
@@ -9,7 +9,7 @@ in {
  };
  config = lib.mkIf cfg.enable {
-    mySecrets.keys = [{
+    secrets.keys = [{
      dest = "webapps/tools-mediagoblin";
      user = "mediagoblin";
      group = "mediagoblin";
diff --git a/nixops/modules/websites/tools/peertube.nix b/nixops/modules/websites/tools/peertube.nix
index 9a56a85..ab5e08a 100644
--- a/nixops/modules/websites/tools/peertube.nix
+++ b/nixops/modules/websites/tools/peertube.nix
@@ -16,7 +16,7 @@ in {
    };
    users.users.peertube.extraGroups = [ "keys" ];
-    mySecrets.keys = [{
+    secrets.keys = [{
      dest = "webapps/tools-peertube";
      user = "peertube";
      group = "peertube";
diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
index addb2c3..7a14e12 100644
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -49,7 +49,7 @@ in {
    security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null;
    security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null;
-    mySecrets.keys =
+    secrets.keys =
      kanboard.keys
      ++ ldap.keys
      ++ roundcubemail.keys
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-10 14:56:43 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-10 14:56:43 +0200
commit	1a7188052f235fb632700478fad0108e4306107d (patch)
tree	046b43c711a161190e99953c709cd69aaa49b724 /nixops/modules
parent	d42bbbe6f510fce233ecb66d44d205761390b56e (diff)
download	Nix-1a7188052f235fb632700478fad0108e4306107d.tar.gz Nix-1a7188052f235fb632700478fad0108e4306107d.tar.zst Nix-1a7188052f235fb632700478fad0108e4306107d.zip