58 files changed, 329 insertions, 245 deletions
diff --git a/flakes/private/openarc/flake.lock b/flakes/private/openarc/flake.lock index f0f56c7..744d002 100644 --- a/flakes/private/openarc/flake.lock +++ b/flakes/private/openarc/flake.lock | |||
@@ -140,7 +140,19 @@ | |||
140 | "files-watcher": "files-watcher", | 140 | "files-watcher": "files-watcher", |
141 | "my-lib": "my-lib", | 141 | "my-lib": "my-lib", |
142 | "nix-lib": "nix-lib", | 142 | "nix-lib": "nix-lib", |
143 | "openarc": "openarc" | 143 | "openarc": "openarc", |
144 | "secrets": "secrets" | ||
145 | } | ||
146 | }, | ||
147 | "secrets": { | ||
148 | "locked": { | ||
149 | "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=", | ||
150 | "path": "../../secrets", | ||
151 | "type": "path" | ||
152 | }, | ||
153 | "original": { | ||
154 | "path": "../../secrets", | ||
155 | "type": "path" | ||
144 | } | 156 | } |
145 | } | 157 | } |
146 | }, | 158 | }, |
diff --git a/flakes/private/openarc/flake.nix b/flakes/private/openarc/flake.nix index 5c4b73c..b4ab4c8 100644 --- a/flakes/private/openarc/flake.nix +++ b/flakes/private/openarc/flake.nix | |||
@@ -3,6 +3,10 @@ | |||
3 | path = "../../openarc"; | 3 | path = "../../openarc"; |
4 | type = "path"; | 4 | type = "path"; |
5 | }; | 5 | }; |
6 | inputs.secrets = { | ||
7 | path = "../../secrets"; | ||
8 | type = "path"; | ||
9 | }; | ||
6 | inputs.files-watcher = { | 10 | inputs.files-watcher = { |
7 | path = "../../files-watcher"; | 11 | path = "../../files-watcher"; |
8 | type = "path"; | 12 | type = "path"; |
@@ -14,14 +18,13 @@ | |||
14 | inputs.nix-lib.url = "github:NixOS/nixpkgs"; | 18 | inputs.nix-lib.url = "github:NixOS/nixpkgs"; |
15 | 19 | ||
16 | description = "Private configuration for openarc"; | 20 | description = "Private configuration for openarc"; |
17 | outputs = { self, nix-lib, my-lib, files-watcher, openarc }: | 21 | outputs = { self, nix-lib, my-lib, files-watcher, openarc, secrets }: |
18 | let | 22 | let |
19 | cfg = name': { config, lib, pkgs, name, ... }: { | 23 | cfg = name': { config, lib, pkgs, name, ... }: { |
20 | imports = [ | 24 | imports = [ |
21 | (my-lib.lib.withNarKey files-watcher "nixosModule") | 25 | (my-lib.lib.withNarKey files-watcher "nixosModule") |
22 | (my-lib.lib.withNarKey openarc "nixosModule") | 26 | (my-lib.lib.withNarKey openarc "nixosModule") |
23 | #FIXME: | 27 | (my-lib.lib.withNarKey secrets "nixosModule") |
24 | #(my-lib.lib.withNarKey secrets "nixosModule") | ||
25 | ]; | 28 | ]; |
26 | config = lib.mkIf (name == name') { | 29 | config = lib.mkIf (name == name') { |
27 | services.openarc = { | 30 | services.openarc = { |
diff --git a/flakes/private/opendmarc/flake.lock b/flakes/private/opendmarc/flake.lock index 121f51d..bd5019c 100644 --- a/flakes/private/opendmarc/flake.lock +++ b/flakes/private/opendmarc/flake.lock | |||
@@ -123,7 +123,19 @@ | |||
123 | "files-watcher": "files-watcher", | 123 | "files-watcher": "files-watcher", |
124 | "my-lib": "my-lib", | 124 | "my-lib": "my-lib", |
125 | "nix-lib": "nix-lib", | 125 | "nix-lib": "nix-lib", |
126 | "opendmarc": "opendmarc" | 126 | "opendmarc": "opendmarc", |
127 | "secrets": "secrets" | ||
128 | } | ||
129 | }, | ||
130 | "secrets": { | ||
131 | "locked": { | ||
132 | "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=", | ||
133 | "path": "../../secrets", | ||
134 | "type": "path" | ||
135 | }, | ||
136 | "original": { | ||
137 | "path": "../../secrets", | ||
138 | "type": "path" | ||
127 | } | 139 | } |
128 | } | 140 | } |
129 | }, | 141 | }, |
diff --git a/flakes/private/opendmarc/flake.nix b/flakes/private/opendmarc/flake.nix index debcfbd..2b73070 100644 --- a/flakes/private/opendmarc/flake.nix +++ b/flakes/private/opendmarc/flake.nix | |||
@@ -3,6 +3,10 @@ | |||
3 | path = "../../opendmarc"; | 3 | path = "../../opendmarc"; |
4 | type = "path"; | 4 | type = "path"; |
5 | }; | 5 | }; |
6 | inputs.secrets = { | ||
7 | path = "../../secrets"; | ||
8 | type = "path"; | ||
9 | }; | ||
6 | inputs.files-watcher = { | 10 | inputs.files-watcher = { |
7 | path = "../../files-watcher"; | 11 | path = "../../files-watcher"; |
8 | type = "path"; | 12 | type = "path"; |
@@ -14,14 +18,13 @@ | |||
14 | inputs.nix-lib.url = "github:NixOS/nixpkgs"; | 18 | inputs.nix-lib.url = "github:NixOS/nixpkgs"; |
15 | 19 | ||
16 | description = "Private configuration for opendmarc"; | 20 | description = "Private configuration for opendmarc"; |
17 | outputs = { self, nix-lib, opendmarc, my-lib, files-watcher }: | 21 | outputs = { self, nix-lib, opendmarc, my-lib, files-watcher, secrets }: |
18 | let | 22 | let |
19 | cfg = name': { config, lib, pkgs, name, ... }: { | 23 | cfg = name': { config, lib, pkgs, name, ... }: { |
20 | imports = [ | 24 | imports = [ |
21 | (my-lib.lib.withNarKey files-watcher "nixosModule") | 25 | (my-lib.lib.withNarKey files-watcher "nixosModule") |
22 | (my-lib.lib.withNarKey opendmarc "nixosModule") | 26 | (my-lib.lib.withNarKey opendmarc "nixosModule") |
23 | #FIXME: | 27 | (my-lib.lib.withNarKey secrets "nixosModule") |
24 | #(my-lib.lib.withNarKey secrets "nixosModule") | ||
25 | ]; | 28 | ]; |
26 | config = lib.mkIf (name == name') { | 29 | config = lib.mkIf (name == name') { |
27 | users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; | 30 | users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; |
diff --git a/flakes/secrets/flake.nix b/flakes/secrets/flake.nix new file mode 100644 index 0000000..0ee6a40 --- /dev/null +++ b/flakes/secrets/flake.nix | |||
@@ -0,0 +1,124 @@ | |||
1 | { | ||
2 | description = "Secrets handling"; | ||
3 | |||
4 | outputs = { self }: { | ||
5 | nixosModule = { config, lib, pkgs, ... }: { | ||
6 | options.secrets = with lib; { | ||
7 | keys = mkOption { | ||
8 | type = types.listOf types.unspecified; | ||
9 | default = []; | ||
10 | description = "Keys to upload to server"; | ||
11 | }; | ||
12 | gpgKeys = mkOption { | ||
13 | type = types.listOf types.path; | ||
14 | default = []; | ||
15 | description = "GPG public keys files to encrypt to"; | ||
16 | }; | ||
17 | ageKeys = mkOption { | ||
18 | type = types.listOf types.str; | ||
19 | default = []; | ||
20 | description = "AGE keys to encrypt to"; | ||
21 | }; | ||
22 | decryptKey = mkOption { | ||
23 | type = types.str; | ||
24 | default = "/etc/ssh/ssh_host_ed25519_key"; | ||
25 | description = "ed25519 key used to decrypt with AGE"; | ||
26 | }; | ||
27 | location = mkOption { | ||
28 | type = types.path; | ||
29 | default = "/var/secrets"; | ||
30 | description = "Location where to put the keys"; | ||
31 | }; | ||
32 | secretsVars = mkOption { | ||
33 | type = types.path; | ||
34 | description = "Location where the secrets variables are defined, to be used to fill the templates in secrets"; | ||
35 | }; | ||
36 | deleteSecretsVars = mkOption { | ||
37 | type = types.bool; | ||
38 | default = false; | ||
39 | description = "Delete secrets file after deployment"; | ||
40 | }; | ||
41 | # Read-only variables | ||
42 | fullPaths = mkOption { | ||
43 | type = types.attrsOf types.path; | ||
44 | default = builtins.listToAttrs | ||
45 | (map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys); | ||
46 | readOnly = true; | ||
47 | description = "set of full paths to secrets"; | ||
48 | }; | ||
49 | }; | ||
50 | |||
51 | config = let | ||
52 | location = config.secrets.location; | ||
53 | keys = config.secrets.keys; | ||
54 | empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; | ||
55 | fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}"; | ||
56 | dumpKey = v: | ||
57 | if v.isDir or false then | ||
58 | '' | ||
59 | mkdir -p secrets/${v.dest} | ||
60 | cat >> mods <<EOF | ||
61 | ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest} | ||
62 | EOF | ||
63 | '' | ||
64 | else '' | ||
65 | mkdir -p secrets/$(dirname ${v.dest}) | ||
66 | echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v} | ||
67 | cat >> mods <<EOF | ||
68 | ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v} | ||
69 | EOF | ||
70 | ''; | ||
71 | secrets = pkgs.runCommand "secrets.tar.enc" { | ||
72 | buildInputs = [ pkgs.gnupg pkgs.sops ]; | ||
73 | } '' | ||
74 | touch mods | ||
75 | tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done | ||
76 | ${builtins.concatStringsSep "\n" (map dumpKey keys)} | ||
77 | cat mods | while read u g p k; do | ||
78 | tar --no-recursion --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k" | ||
79 | done | ||
80 | export HOME=$(pwd) | ||
81 | fingerprints= | ||
82 | for key in ${builtins.concatStringsSep " " config.secrets.gpgKeys}; do | ||
83 | gpg --import $key 2>/dev/null | ||
84 | fingerprints=$fingerprints,$(cat $key | gpg --with-colons --import-options show-only --import 2>/dev/null | grep ^fpr | cut -d: -f10 | head -n1) | ||
85 | done | ||
86 | |||
87 | sops --age ${builtins.concatStringsSep "," config.secrets.ageKeys} --pgp ''${fingerprints#,} --input-type binary -i -e $out 2>/dev/null | ||
88 | ''; | ||
89 | pathChmodExcl = | ||
90 | let | ||
91 | dirs = builtins.filter (v: v.isDir or false) keys; | ||
92 | exclPath = builtins.concatStringsSep " -o " (map (d: " -path $TMP/${d.dest}") dirs); | ||
93 | in | ||
94 | lib.optionalString (builtins.length dirs > 0) " -not \\( ${exclPath} \\) "; | ||
95 | in lib.mkIf (builtins.length keys > 0) { | ||
96 | system.activationScripts.secrets = { | ||
97 | deps = [ "users" "wrappers" ]; | ||
98 | text = '' | ||
99 | install -m0750 -o root -g keys -d ${location} | ||
100 | TMP=$(${pkgs.coreutils}/bin/mktemp -d) | ||
101 | TMPWORK=$(${pkgs.coreutils}/bin/mktemp -d) | ||
102 | chmod go-rwx $TMPWORK | ||
103 | if [ -n "$TMP" -a -n "$TMPWORK" ]; then | ||
104 | install -m0750 -o root -g keys -d $TMP | ||
105 | ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i ${config.secrets.decryptKey} -o $TMPWORK/keys.txt | ||
106 | SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${secrets} | ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -x | ||
107 | if [ -f ${config.secrets.secretsVars} ]; then | ||
108 | SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${config.secrets.secretsVars} > $TMPWORK/vars.yml | ||
109 | fi | ||
110 | if [ -f $TMPWORK/vars.yml ]; then | ||
111 | find $TMP -name "*.gucci.tpl" -exec \ | ||
112 | /bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f '$TMPWORK'/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \; | ||
113 | fi | ||
114 | find $TMP -type d ${pathChmodExcl}-exec chown root:keys {} \; -exec chmod o-rx {} \; | ||
115 | ${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location} | ||
116 | rm -rf $TMP $TMPWORK ${lib.optionalString config.secrets.deleteSecretsVars config.secrets.secretsVars} | ||
117 | fi | ||
118 | ''; | ||
119 | }; | ||
120 | |||
121 | }; | ||
122 | }; | ||
123 | }; | ||
124 | } | ||
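Review bot: `dumpKey` (line 66) writes `v.text` verbatim into the builder script of the `secrets.tar.enc` derivation, so whatever is placed in `secrets.keys[].text` ends up in plaintext in that derivation's `.drv` in /nix/store (world-readable, and on any remote builder that builds it) regardless of the output being sops-encrypted in place at line 87. If every `text` is a gucci template whose real values come from the sops-encrypted `secretsVars` decrypted at activation (lines 107–112) this only exposes the template, but a literal credential in `text` would be protected by nothing, so the `keys` option deserves a comment such as `# NOTE: each key's text is embedded in the derivation and therefore in the Nix store; keep real values in secretsVars and reference them from .gucci.tpl templates`. A second point in the activation script: nothing checks that `ssh-to-age` (line 105) or the `sops -d | tar -x` pipeline (line 106) succeeded, so with a wrong or missing `decryptKey` `$TMP` stays empty and the `rsync --delete` at line 115 removes every deployed secret under `location`; I would put `set -o pipefail` at the top of the script and guard the extraction with `... | tar --strip-components 1 -C $TMP -x || { rm -rf "$TMP" "$TMPWORK"; exit 1; }` so a failed decryption aborts before the sync and still removes the derived age key. Relatedly, `2>/dev/null` on `gpg --import` and `sops -e` (lines 83–87) hides the only diagnostics when a recipient key fails to import, and whether the builder's shell options turn a failing `sops` into a build failure is not visible here.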
diff --git a/modules/default.nix b/modules/default.nix index b6ac68a..cb2e7d9 100644 --- a/modules/default.nix +++ b/modules/default.nix | |||
@@ -4,7 +4,7 @@ let | |||
4 | in | 4 | in |
5 | { | 5 | { |
6 | myids = (flakeCompat ../flakes/myuids).nixosModule; | 6 | myids = (flakeCompat ../flakes/myuids).nixosModule; |
7 | secrets = ./secrets.nix; | 7 | secrets = flakeLib.withNarKeyCompat flakeCompat ../flakes/secrets "nixosModule"; |
8 | filesWatcher = flakeLib.withNarKeyCompat flakeCompat ../flakes/files-watcher "nixosModule"; | 8 | filesWatcher = flakeLib.withNarKeyCompat flakeCompat ../flakes/files-watcher "nixosModule"; |
9 | 9 | ||
10 | webstats = ./webapps/webstats; | 10 | webstats = ./webapps/webstats; |
diff --git a/modules/duply_backup/default.nix b/modules/duply_backup/default.nix index 88245a2..7034a91 100644 --- a/modules/duply_backup/default.nix +++ b/modules/duply_backup/default.nix | |||
@@ -87,6 +87,11 @@ in | |||
87 | dest = "backup/${varName k remote}/exclude"; | 87 | dest = "backup/${varName k remote}/exclude"; |
88 | text = v.excludeFile; | 88 | text = v.excludeFile; |
89 | } | 89 | } |
90 | { | ||
91 | permissions = "0500"; | ||
92 | dest = "backup/${varName k remote}"; | ||
93 | isDir = true; | ||
94 | } | ||
90 | ]) v.remotes) config.services.duplyBackup.profiles); | 95 | ]) v.remotes) config.services.duplyBackup.profiles); |
91 | 96 | ||
92 | services.cron = { | 97 | services.cron = { |
@@ -99,7 +104,7 @@ in | |||
99 | map (remote: [ | 104 | map (remote: [ |
100 | '' | 105 | '' |
101 | touch ${varDir}/${varName k remote}.log | 106 | touch ${varDir}/${varName k remote}.log |
102 | ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${varName k remote}/ ${action} --force >> ${varDir}/${varName k remote}.log | 107 | ${pkgs.duply}/bin/duply ${config.secrets.fullPaths."backup/${varName k remote}"}/ ${action} --force >> ${varDir}/${varName k remote}.log |
103 | [[ $? = 0 ]] || echo -e "Error when doing backup for ${varName k remote}, see above\n---------------------------------------" >&2 | 108 | [[ $? = 0 ]] || echo -e "Error when doing backup for ${varName k remote}, see above\n---------------------------------------" >&2 |
104 | '' | 109 | '' |
105 | ]) v.remotes | 110 | ]) v.remotes |
diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix index ea0bef6..903f453 100644 --- a/modules/private/buildbot/default.nix +++ b/modules/private/buildbot/default.nix | |||
@@ -42,7 +42,7 @@ in | |||
42 | }; | 42 | }; |
43 | 43 | ||
44 | services.websites.env.tools.watchPaths = lib.attrsets.mapAttrsToList | 44 | services.websites.env.tools.watchPaths = lib.attrsets.mapAttrsToList |
45 | (k: project: "/var/secrets/buildbot/${project.name}/webhook-httpd-include") | 45 | (k: project: config.secrets.fullPaths."buildbot/${project.name}/webhook-httpd-include") |
46 | config.myEnv.buildbot.projects; | 46 | config.myEnv.buildbot.projects; |
47 | 47 | ||
48 | services.websites.env.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: '' | 48 | services.websites.env.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: '' |
@@ -62,7 +62,7 @@ in | |||
62 | <RequireAny> | 62 | <RequireAny> |
63 | Require local | 63 | Require local |
64 | Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu | 64 | Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu |
65 | Include /var/secrets/buildbot/${project.name}/webhook-httpd-include | 65 | Include ${config.secrets.fullPaths."buildbot/${project.name}/webhook-httpd-include"} |
66 | </RequireAny> | 66 | </RequireAny> |
67 | </Location> | 67 | </Location> |
68 | '') config.myEnv.buildbot.projects; | 68 | '') config.myEnv.buildbot.projects; |
@@ -146,11 +146,11 @@ in | |||
146 | services.filesWatcher = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { | 146 | services.filesWatcher = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { |
147 | restart = true; | 147 | restart = true; |
148 | paths = [ | 148 | paths = [ |
149 | "/var/secrets/buildbot/ldap" | 149 | config.secrets.fullPaths."buildbot/ldap" |
150 | "/var/secrets/buildbot/worker_password" | 150 | config.secrets.fullPaths."buildbot/worker_password" |
151 | "/var/secrets/buildbot/ssh_key" | 151 | config.secrets.fullPaths."buildbot/ssh_key" |
152 | "/var/secrets/buildbot/${project.name}/environment_file" | 152 | config.secrets.fullPaths."buildbot/${project.name}/environment_file" |
153 | ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets; | 153 | ] ++ lib.attrsets.mapAttrsToList (k: v: config.secrets.fullPaths."buildbot/${project.name}/${k}") project.secrets; |
154 | }) config.myEnv.buildbot.projects; | 154 | }) config.myEnv.buildbot.projects; |
155 | 155 | ||
156 | systemd.slices.buildbot = { | 156 | systemd.slices.buildbot = { |
@@ -206,13 +206,13 @@ in | |||
206 | fi | 206 | fi |
207 | ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac | 207 | ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac |
208 | # different buildbots may be trying that simultaneously, add the || true to avoid complaining in case of race | 208 | # different buildbots may be trying that simultaneously, add the || true to avoid complaining in case of race |
209 | install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ssh_key ${varDir}/buildbot_key || true | 209 | install -Dm600 -o buildbot -g buildbot -T ${config.secrets.fullPaths."buildbot/ssh_key"} ${varDir}/buildbot_key || true |
210 | buildbot_secrets=${varDir}/${project.name}/secrets | 210 | buildbot_secrets=${varDir}/${project.name}/secrets |
211 | install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets | 211 | install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets |
212 | install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ldap $buildbot_secrets/ldap | 212 | install -Dm600 -o buildbot -g buildbot -T ${config.secrets.fullPaths."buildbot/ldap"} $buildbot_secrets/ldap |
213 | install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/worker_password $buildbot_secrets/worker_password | 213 | install -Dm600 -o buildbot -g buildbot -T ${config.secrets.fullPaths."buildbot/worker_password"} $buildbot_secrets/worker_password |
214 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList | 214 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList |
215 | (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets | 215 | (k: v: "install -Dm600 -o buildbot -g buildbot -T ${config.secrets.fullPaths."buildbot/${project.name}/${k}"} $buildbot_secrets/${k}") project.secrets |
216 | )} | 216 | )} |
217 | ${buildbot}/bin/buildbot upgrade-master ${varDir}/${project.name} | 217 | ${buildbot}/bin/buildbot upgrade-master ${varDir}/${project.name} |
218 | ''; | 218 | ''; |
@@ -247,7 +247,7 @@ in | |||
247 | SupplementaryGroups = "keys"; | 247 | SupplementaryGroups = "keys"; |
248 | WorkingDirectory = "${varDir}/${project.name}"; | 248 | WorkingDirectory = "${varDir}/${project.name}"; |
249 | ExecStart = "${buildbot}/bin/buildbot start"; | 249 | ExecStart = "${buildbot}/bin/buildbot start"; |
250 | EnvironmentFile = "/var/secrets/buildbot/${project.name}/environment_file"; | 250 | EnvironmentFile = config.secrets.fullPaths."buildbot/${project.name}/environment_file"; |
251 | }; | 251 | }; |
252 | }) config.myEnv.buildbot.projects; | 252 | }) config.myEnv.buildbot.projects; |
253 | }; | 253 | }; |
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index 36edaeb..75ea747 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix | |||
@@ -169,14 +169,14 @@ in { | |||
169 | mysql = { | 169 | mysql = { |
170 | text = '' | 170 | text = '' |
171 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ | 171 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ |
172 | auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam | 172 | auth required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"} |
173 | account required ${pam_ldap} config=${config.secrets.location}/mysql/pam | 173 | account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"} |
174 | ''; | 174 | ''; |
175 | }; | 175 | }; |
176 | mysql_replication = { | 176 | mysql_replication = { |
177 | text = '' | 177 | text = '' |
178 | auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication | 178 | auth required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"} |
179 | account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication | 179 | account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"} |
180 | ''; | 180 | ''; |
181 | }; | 181 | }; |
182 | }; | 182 | }; |
diff --git a/modules/private/databases/mariadb_replication.nix b/modules/private/databases/mariadb_replication.nix index b89c764..e857c41 100644 --- a/modules/private/databases/mariadb_replication.nix +++ b/modules/private/databases/mariadb_replication.nix | |||
@@ -140,7 +140,7 @@ in | |||
140 | 140 | ||
141 | filename=${backupDir}/$(${pkgs.coreutils}/bin/date -Iminutes).sql | 141 | filename=${backupDir}/$(${pkgs.coreutils}/bin/date -Iminutes).sql |
142 | ${hcfg.package}/bin/mysqldump \ | 142 | ${hcfg.package}/bin/mysqldump \ |
143 | --defaults-file=${config.secrets.location}/mysql_replication/${name}/mysqldump \ | 143 | --defaults-file=${config.secrets.fullPaths."mysql_replication/${name}/mysqldump"} \ |
144 | -S /run/mysqld_${name}/mysqld.sock \ | 144 | -S /run/mysqld_${name}/mysqld.sock \ |
145 | --gtid \ | 145 | --gtid \ |
146 | --master-data \ | 146 | --master-data \ |
@@ -194,7 +194,7 @@ in | |||
194 | if ! test -e ${dataDir}/mysql; then | 194 | if ! test -e ${dataDir}/mysql; then |
195 | if ! test -e ${dataDir}/initial.sql; then | 195 | if ! test -e ${dataDir}/initial.sql; then |
196 | ${hcfg.package}/bin/mysqldump \ | 196 | ${hcfg.package}/bin/mysqldump \ |
197 | --defaults-file=${config.secrets.location}/mysql_replication/${name}/mysqldump_remote \ | 197 | --defaults-file=${config.secrets.fullPaths."mysql_replication/${name}/mysqldump_remote"} \ |
198 | -h ${hcfg.host} \ | 198 | -h ${hcfg.host} \ |
199 | -P ${hcfg.port} \ | 199 | -P ${hcfg.port} \ |
200 | --ssl \ | 200 | --ssl \ |
@@ -235,7 +235,7 @@ in | |||
235 | cat \ | 235 | cat \ |
236 | ${sql_before} \ | 236 | ${sql_before} \ |
237 | ${dataDir}/initial.sql \ | 237 | ${dataDir}/initial.sql \ |
238 | ${config.secrets.location}/mysql_replication/${name}/slave_init_commands \ | 238 | ${config.secrets.fullPaths."mysql_replication/${name}/slave_init_commands"} \ |
239 | | ${hcfg.package}/bin/mysql \ | 239 | | ${hcfg.package}/bin/mysql \ |
240 | --defaults-file=/etc/mysql/${name}_my.cnf \ | 240 | --defaults-file=/etc/mysql/${name}_my.cnf \ |
241 | -S /run/mysqld_${name}/mysqld.sock \ | 241 | -S /run/mysqld_${name}/mysqld.sock \ |
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index e00f4c2..f4851b5 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix | |||
@@ -98,7 +98,14 @@ in | |||
98 | permissions = "0400"; | 98 | permissions = "0400"; |
99 | user = "openldap"; | 99 | user = "openldap"; |
100 | group = "openldap"; | 100 | group = "openldap"; |
101 | text = builtins.readFile "${cfg.accessFile}"; | 101 | text = builtins.readFile cfg.accessFile; |
102 | } | ||
103 | { | ||
104 | dest = "ldap"; | ||
105 | permissions = "0500"; | ||
106 | user = "openldap"; | ||
107 | group = "openldap"; | ||
108 | isDir = true; | ||
102 | } | 109 | } |
103 | ]; | 110 | ]; |
104 | users.users.openldap.extraGroups = [ "keys" ]; | 111 | users.users.openldap.extraGroups = [ "keys" ]; |
@@ -115,7 +122,7 @@ in | |||
115 | 122 | ||
116 | services.filesWatcher.openldap = { | 123 | services.filesWatcher.openldap = { |
117 | restart = true; | 124 | restart = true; |
118 | paths = [ "${config.secrets.location}/ldap/" ]; | 125 | paths = [ config.secrets.fullPaths."ldap" ]; |
119 | }; | 126 | }; |
120 | 127 | ||
121 | services.openldap = { | 128 | services.openldap = { |
@@ -132,9 +139,9 @@ in | |||
132 | overlay syncprov | 139 | overlay syncprov |
133 | syncprov-checkpoint 100 10 | 140 | syncprov-checkpoint 100 10 |
134 | 141 | ||
135 | include ${config.secrets.location}/ldap/access | 142 | include ${config.secrets.fullPaths."ldap/access"} |
136 | ''; | 143 | ''; |
137 | rootpwFile = "${config.secrets.location}/ldap/password"; | 144 | rootpwFile = config.secrets.fullPaths."ldap/password"; |
138 | suffix = cfg.baseDn; | 145 | suffix = cfg.baseDn; |
139 | rootdn = cfg.rootDn; | 146 | rootdn = cfg.rootDn; |
140 | database = "hdb"; | 147 | database = "hdb"; |
diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix index df4101b..350eecf 100644 --- a/modules/private/databases/openldap_replication.nix +++ b/modules/private/databases/openldap_replication.nix | |||
@@ -23,7 +23,7 @@ let | |||
23 | index uid pres,eq | 23 | index uid pres,eq |
24 | index entryUUID eq | 24 | index entryUUID eq |
25 | 25 | ||
26 | include ${config.secrets.location}/openldap_replication/${name}/replication_config | 26 | include ${config.secrets.fullPaths."openldap_replication/${name}/replication_config"} |
27 | ''; | 27 | ''; |
28 | in | 28 | in |
29 | { | 29 | { |
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index c442a63..e73bf69 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix | |||
@@ -214,14 +214,14 @@ in { | |||
214 | in { | 214 | in { |
215 | postgresql = { | 215 | postgresql = { |
216 | text = '' | 216 | text = '' |
217 | auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam | 217 | auth required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam"} |
218 | account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam | 218 | account required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam"} |
219 | ''; | 219 | ''; |
220 | }; | 220 | }; |
221 | postgresql_replication = { | 221 | postgresql_replication = { |
222 | text = '' | 222 | text = '' |
223 | auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication | 223 | auth required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam_replication"} |
224 | account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication | 224 | account required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam_replication"} |
225 | ''; | 225 | ''; |
226 | }; | 226 | }; |
227 | }; | 227 | }; |
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index bc6460f..5c5b8b0 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix | |||
@@ -49,7 +49,7 @@ in { | |||
49 | decrypt = true; | 49 | decrypt = true; |
50 | source = "0.0.0.0:16379"; | 50 | source = "0.0.0.0:16379"; |
51 | target = "/run/redis/redis.sock"; | 51 | target = "/run/redis/redis.sock"; |
52 | keyfile = "${config.secrets.location}/redis/spiped_keyfile"; | 52 | keyfile = config.secrets.fullPaths."redis/spiped_keyfile"; |
53 | }; | 53 | }; |
54 | }; | 54 | }; |
55 | systemd.services.spiped_redis = { | 55 | systemd.services.spiped_redis = { |
@@ -70,7 +70,7 @@ in { | |||
70 | 70 | ||
71 | services.filesWatcher.predixy = { | 71 | services.filesWatcher.predixy = { |
72 | restart = true; | 72 | restart = true; |
73 | paths = [ "${config.secrets.location}/redis/predixy.conf" ]; | 73 | paths = [ config.secrets.fullPaths."redis/predixy.conf" ]; |
74 | }; | 74 | }; |
75 | 75 | ||
76 | networking.firewall.allowedTCPPorts = [ 7617 16379 ]; | 76 | networking.firewall.allowedTCPPorts = [ 7617 16379 ]; |
@@ -126,7 +126,7 @@ in { | |||
126 | SupplementaryGroups = "keys"; | 126 | SupplementaryGroups = "keys"; |
127 | Type = "simple"; | 127 | Type = "simple"; |
128 | 128 | ||
129 | ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf"; | 129 | ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.fullPaths."redis/predixy.conf"}"; |
130 | }; | 130 | }; |
131 | 131 | ||
132 | }; | 132 | }; |
diff --git a/modules/private/databases/redis_replication.nix b/modules/private/databases/redis_replication.nix index a3fe3bb..3caa7e9 100644 --- a/modules/private/databases/redis_replication.nix +++ b/modules/private/databases/redis_replication.nix | |||
@@ -64,7 +64,7 @@ in | |||
64 | encrypt = true; | 64 | encrypt = true; |
65 | source = "127.0.0.1:16379"; | 65 | source = "127.0.0.1:16379"; |
66 | target = "${config.myEnv.servers.eldiron.ips.main.ip4}:16379"; | 66 | target = "${config.myEnv.servers.eldiron.ips.main.ip4}:16379"; |
67 | keyfile = "${config.secrets.location}/redis/spiped_eldiron_keyfile"; | 67 | keyfile = config.secrets.fullPaths."redis/spiped_eldiron_keyfile"; |
68 | }; | 68 | }; |
69 | }; | 69 | }; |
70 | 70 | ||
@@ -162,7 +162,7 @@ in | |||
162 | unitConfig.RequiresMountsFor = dataDir; | 162 | unitConfig.RequiresMountsFor = dataDir; |
163 | 163 | ||
164 | serviceConfig = { | 164 | serviceConfig = { |
165 | ExecStart = "${hcfg.package}/bin/redis-server ${config.secrets.location}/redis_replication/${name}/config"; | 165 | ExecStart = "${hcfg.package}/bin/redis-server ${config.secrets.fullPaths."redis_replication/${name}/config"}"; |
166 | User = "redis"; | 166 | User = "redis"; |
167 | RuntimeDirectory = "redis_${name}"; | 167 | RuntimeDirectory = "redis_${name}"; |
168 | }; | 168 | }; |
diff --git a/modules/private/dns.nix b/modules/private/dns.nix index 7c59b43..32c52a9 100644 --- a/modules/private/dns.nix +++ b/modules/private/dns.nix | |||
@@ -10,7 +10,7 @@ | |||
10 | ) listOfAttrs | 10 | ) listOfAttrs |
11 | ) [{}] (attrNames attrsOfLists); | 11 | ) [{}] (attrNames attrsOfLists); |
12 | cfg = config.services.bind; | 12 | cfg = config.services.bind; |
13 | keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"/var/secrets/bind/${v}.key\";") (builtins.attrNames config.myEnv.dns.keys)); | 13 | keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"${config.secrets.fullPaths."bind/${v}.key"}\";") (builtins.attrNames config.myEnv.dns.keys)); |
14 | cartProduct = lib.foldr | 14 | cartProduct = lib.foldr |
15 | (s: servers: servers // { ${s.masters} = lib.unique ((servers.${s.masters} or []) ++ [s.keys]); }) | 15 | (s: servers: servers // { ${s.masters} = lib.unique ((servers.${s.masters} or []) ++ [s.keys]); }) |
16 | {} | 16 | {} |
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix index 233031a..07db0f4 100644 --- a/modules/private/ftp.nix +++ b/modules/private/ftp.nix | |||
@@ -75,7 +75,7 @@ in | |||
75 | 75 | ||
76 | services.filesWatcher.pure-ftpd = { | 76 | services.filesWatcher.pure-ftpd = { |
77 | restart = true; | 77 | restart = true; |
78 | paths = [ "/var/secrets/pure-ftpd-ldap" ]; | 78 | paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ]; |
79 | }; | 79 | }; |
80 | 80 | ||
81 | systemd.services.pure-ftpd = let | 81 | systemd.services.pure-ftpd = let |
@@ -94,7 +94,7 @@ in | |||
94 | SyslogFacility ftp | 94 | SyslogFacility ftp |
95 | DontResolve yes | 95 | DontResolve yes |
96 | MaxIdleTime 15 | 96 | MaxIdleTime 15 |
97 | LDAPConfigFile /var/secrets/pure-ftpd-ldap | 97 | LDAPConfigFile ${config.secrets.fullPaths."pure-ftpd-ldap"} |
98 | LimitRecursion 10000 8 | 98 | LimitRecursion 10000 8 |
99 | AnonymousCanCreateDirs no | 99 | AnonymousCanCreateDirs no |
100 | MaxLoad 4 | 100 | MaxLoad 4 |
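--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -19,6 +19,13 @@
 config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
 secrets.keys = [
 {
+dest = "opendkim";
+isDir = true;
+user = config.services.opendkim.user;
+group = config.services.opendkim.group;
+permissions = "0550";
+}
+{
 dest = "opendkim/eldiron.private";
 user = config.services.opendkim.user;
 group = config.services.opendkim.group;
@@ -45,7 +52,7 @@
 )
 config.myEnv.dns.masterZones
 ));
-keyPath = "${config.secrets.location}/opendkim";
+keyPath = config.secrets.fullPaths."opendkim";
 selector = "eldiron";
 configFile = pkgs.writeText "opendkim.conf" ''
 SubDomains yes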
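Review bot: The new directory entry on lines 22-27 carries no comment tying it to `keyPath = config.secrets.fullPaths."opendkim"` on line 55 in the second hunk, so a reader of the key list cannot tell why a directory with mode 0550 is declared next to the `opendkim/eldiron.private` file. A one-line comment above `dest = "opendkim";` would do: `# keyPath (below) points at this directory, so its owner and mode are managed here too`. Whether the secrets module processes list entries in order, so that the directory exists before the private key is written into it, is not visible in this hunk. The same directory-plus-file pattern is added in diaspora/default.nix (lines 21-26, used by `configDir` on line 156) and would benefit from the same comment.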
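--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -220,7 +220,7 @@
 fi
 '';
 scripts = lib.attrsets.mapAttrs (n: v:
-toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = "/var/secrets/postfix/scripts/${n}-env"; })
+toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = config.secrets.fullPaths."postfix/scripts/${n}-env"; })
 ) config.myEnv.mail.scripts // {
 testmail = pkgs.writeScript "testmail" ''
 #! ${pkgs.stdenv.shell}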
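--- a/modules/private/monitoring/objects_backup-2.nix
+++ b/modules/private/monitoring/objects_backup-2.nix
@@ -62,7 +62,7 @@ in
 passiveInfo = defaultPassiveInfo // { servicegroups = "webstatus-databases"; };
 service_description = "Mysql replication for eldiron is up to date";
 use = "local-service";
-check_command = ["check_mysql_replication" "/run/mysqld_eldiron/mysqld.sock" "/var/secrets/mysql_replication/eldiron/client"];
+check_command = ["check_mysql_replication" "/run/mysqld_eldiron/mysqld.sock" config.secrets.fullPaths."mysql_replication/eldiron/client"];
 }
 {
 passiveInfo = defaultPassiveInfo // { servicegroups = "webstatus-databases,webstatus-backup"; };
@@ -96,7 +96,7 @@ in
 "check_openldap_replication"
 hcfg.url
 hcfg.dn
-"${config.secrets.location}/openldap_replication/eldiron/replication_password"
+config.secrets.fullPaths."openldap_replication/eldiron/replication_password"
 hcfg.base
 ldapConfig
 ];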
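--- a/modules/private/mpd.nix
+++ b/modules/private/mpd.nix
@@ -26,7 +26,7 @@
 systemd.services.mpd.serviceConfig.RuntimeDirectory = "mpd";
 services.filesWatcher.mpd = {
 restart = true;
-paths = [ "/var/secrets/mpd-config" ];
+paths = [ config.secrets.fullPaths."mpd-config" ];
 };
 
 services.mpd = {
@@ -34,7 +34,7 @@
 network.listenAddress = "any";
 musicDirectory = config.myEnv.mpd.folder;
 extraConfig = ''
-include "/var/secrets/mpd-config"
+include "${config.secrets.fullPaths."mpd-config"}"
 audio_output {
 type "null"
 name "No Output"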
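--- a/modules/private/ssh/default.nix
+++ b/modules/private/ssh/default.nix
@@ -61,7 +61,7 @@ in
 system.activationScripts.sshd = {
 deps = [ "secrets" ];
 text = ''
-install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
+install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password
 '';
 };
 # ssh is strict about parent directory having correct rights, don't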
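Review bot: The interpolated secret path on line 64 lands unquoted in the activation shell script, so a `config.secrets.fullPaths."ssh-ldap"` value containing whitespace or glob characters would be word-split by the shell; quoting it is free: `install -Dm400 -o nobody -g nogroup -T "${config.secrets.fullPaths."ssh-ldap"}" /etc/ssh/ldap_password`. The same unquoted interpolation appears in quatresaisons.nix on lines 56, 77, 106, 114 and 227, and on line 224 the path is folded into the two-flag `com` string, which cannot simply be quoted at its `${com}` uses without splitting it into separate bind-DN and password-file variables. That the secrets module never produces such values is likely but not checked anywhere visible here.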
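--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -1,6 +1,14 @@
 { pkgs, lib, config, name, nodes, ... }:
 {
 config = {
+deployment.secrets."secret_vars.yml" = {
+source = builtins.toString ../../nixops/secrets/vars.yml;
+destination = config.secrets.secretsVars;
+owner.user = "root";
+owner.group = "root";
+permissions = "0400";
+};
+
 networking.extraHosts = builtins.concatStringsSep "\n"
 (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes);
 
@@ -9,6 +17,7 @@
 secrets.gpgKeys = [
 ../../nixops/public_keys/Immae.pub
 ];
+secrets.secretsVars = "/run/keys/vars.yml";
 
 services.openssh.enable = true;
 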
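Review bot: The `source = builtins.toString ../../nixops/secrets/vars.yml;` on line 5 deserves a why-comment, because the choice of `builtins.toString` is what keeps the secrets file out of the world-readable Nix store: interpolating the path into a string would copy `vars.yml` into the store, whereas `toString` yields only the deployer-side absolute path for nixops to ship. Suggested comment above it: `# toString keeps vars.yml out of the Nix store; nixops copies it to the host as a key file`. `destination = config.secrets.secretsVars` on line 6 is paired with `secrets.secretsVars = "/run/keys/vars.yml"` on line 20 in the second hunk; a short comment on either side naming the other would make the pairing visible. How `deployment.secrets` applies `owner` and `permissions` is nixops behaviour not shown here.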
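--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -125,7 +125,7 @@
 services.netdata.config.health."enabled" = "no";
 services.netdata.config.web.mode = "none";
 users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
-environment.etc."netdata/stream.conf".source = "/var/secrets/netdata-stream.conf";
+environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
 secrets.keys = [
 {
 dest = "netdata-stream.conf";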
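--- a/modules/private/system/monitoring-1.nix
+++ b/modules/private/system/monitoring-1.nix
@@ -43,7 +43,7 @@
 services.netdata.config.web."allow netdata.conf from" = "fd*";
 services.netdata.config.web."allow management from" = "fd*";
 networking.firewall.allowedTCPPorts = [ 19999 ];
-environment.etc."netdata/stream.conf".source = "/var/secrets/netdata-stream.conf";
+environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
 
 secrets.keys = [
 {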
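--- a/modules/private/system/quatresaisons.nix
+++ b/modules/private/system/quatresaisons.nix
@@ -53,7 +53,7 @@ let
 chmod go-rwx /var/lib/nixos/sponsored_users
 echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users
 (${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \
--y /var/secrets/ldap/sync_password 2>/dev/null >/dev/null || true) <<EOF
+-y ${config.secrets.fullPaths."ldap/sync_password"} 2>/dev/null >/dev/null || true) <<EOF
 dn: uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org
 objectClass: inetOrgPerson
 cn: $1
@@ -74,7 +74,7 @@ let
 userdel -r "$1"
 sed -i -e "/^$mygroup $1/d" /var/lib/nixos/sponsored_users
 ${pkgs.openldap}/bin/ldapdelete -D cn=root,dc=salle-s,dc=org \
--y /var/secrets/ldap/sync_password \
+-y ${config.secrets.fullPaths."ldap/sync_password"} \
 "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
 echo "deleted"
 exit 0
@@ -103,7 +103,7 @@ let
 if [ "$1" = "$mygroup" ]; then
 log "resets web password"
 ${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
--y /var/secrets/ldap/sync_password \
+-y ${config.secrets.fullPaths."ldap/sync_password"} \
 -S "uid=$mygroup,ou=users,dc=salle-s,dc=org"
 else
 IFS=",";
@@ -111,7 +111,7 @@ let
 if [ "$u" = "$1" ]; then
 log "resets web password of $1"
 ${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
--y /var/secrets/ldap/sync_password \
+-y ${config.secrets.fullPaths."ldap/sync_password"} \
 -S "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
 exit 0
 fi
@@ -221,10 +221,10 @@ in
 deps = [ "secrets" "users" ];
 text =
 let
-com = "-D cn=root,dc=salle-s,dc=org -y /var/secrets/ldap/sync_password";
+com = "-D cn=root,dc=salle-s,dc=org -y ${config.secrets.fullPaths."ldap/sync_password"}";
 in ''
 # Add users
-${pkgs.openldap}/bin/ldapadd -c ${com} -f /var/secrets/ldap/ldaptree.ldif 2>/dev/null >/dev/null || true
+${pkgs.openldap}/bin/ldapadd -c ${com} -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} 2>/dev/null >/dev/null || true
 
 # Remove obsolete users
 ${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\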
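--- a/modules/private/system/quatresaisons/databases.nix
+++ b/modules/private/system/quatresaisons/databases.nix
@@ -2,7 +2,7 @@
 {
 config = let
 serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
-phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
+phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
 in {
 services.postgresql.enable = true;
 services.postgresql.package = pkgs.postgresql_12;
@@ -94,7 +94,7 @@
 by anonymous auth
 by * break
 '';
-rootpwFile = "${config.secrets.location}/ldap/password";
+rootpwFile = config.secrets.fullPaths."ldap/password";
 suffix = "dc=salle-s,dc=org";
 rootdn = "cn=root,dc=salle-s,dc=org";
 database = "hdb";
@@ -120,7 +120,7 @@
 group = "wwwrun";
 settings =
 let
-basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ];
+basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ];
 in {
 "listen.owner" = "wwwrun";
 "listen.group" = "wwwrun";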
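--- a/modules/private/tasks/default.nix
+++ b/modules/private/tasks/default.nix
@@ -161,7 +161,7 @@ in {
 dateformat=${dateFormat}
 '';
 }) env.taskwarrior-web);
-services.websites.env.tools.watchPaths = [ "/var/secrets/webapps/tools-taskwarrior-web" ];
+services.websites.env.tools.watchPaths = [ config.secrets.fullPaths."webapps/tools-taskwarrior-web" ];
 services.websites.env.tools.modules = [ "proxy_fcgi" "sed" ];
 services.websites.env.tools.vhostConfs.task = {
 certName = "eldiron";
@@ -176,7 +176,7 @@ in {
 <FilesMatch "\.php$">
 SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost"
 </FilesMatch>
-Include /var/secrets/webapps/tools-taskwarrior-web
+Include ${config.secrets.fullPaths."webapps/tools-taskwarrior-web"}
 </Directory>
 ''
 ''
@@ -328,7 +328,7 @@ in {
 after = [ "network.target" ];
 path = [ pkgs.taskwarrior ];
 
-environment.TASKRC = "/var/secrets/webapps/tools-taskwarrior/${name}-taskrc";
+environment.TASKRC = config.secrets.fullPaths."webapps/tools-taskwarrior/${name}-taskrc";
 environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
 environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
 environment.LC_ALL = "fr_FR.UTF-8";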
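--- a/modules/private/websites/connexionswing/app/default.nix
+++ b/modules/private/websites/connexionswing/app/default.nix
@@ -1,6 +1,4 @@
-{ environment ? "prod"
-, varDir ? "/var/lib/connexionswing_${environment}"
-, secretsPath ? "/var/secrets/webapps/${environment}-connexionswing"
+{ environment, varDir, secretsPath
 , composerEnv, fetchurl, fetchgit, sources }:
 let
 app = composerEnv.buildPackage (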
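Review bot: The function header on line 1 now takes `environment`, `varDir` and `secretsPath` without defaults, so every `callPackage` of this file must supply all three or evaluation fails; the callers are outside this hunk and are not adjusted in the visible part of the commit. Since the dropped default was the last hard-coded `/var/secrets` path in this file, a header comment stating the new contract would help the next reader, e.g. `# environment, varDir and secretsPath are mandatory; secretsPath is presumably a config.secrets.fullPaths entry supplied by the module`. The same header change is made in florian, ludivine and piedsjaloux app/default.nix and the same comment applies there.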
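--- a/modules/private/websites/default.nix
+++ b/modules/private/websites/default.nix
@@ -52,7 +52,7 @@ let
 LDAPOpCacheTTL 600
 </IfModule>
 
-Include /var/secrets/apache-ldap
+Include ${config.secrets.fullPaths."apache-ldap"}
 '';
 };
 global = {
@@ -149,9 +149,9 @@ in
 };
 };
 
-services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ];
-services.filesWatcher.httpdInte.paths = [ "/var/secrets/apache-ldap" ];
-services.filesWatcher.httpdTools.paths = [ "/var/secrets/apache-ldap" ];
+services.filesWatcher.httpdProd.paths = [ config.secrets.fullPaths."apache-ldap" ];
+services.filesWatcher.httpdInte.paths = [ config.secrets.fullPaths."apache-ldap" ];
+services.filesWatcher.httpdTools.paths = [ config.secrets.fullPaths."apache-ldap" ];
 
 services.websites.env.production = {
 enable = true;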
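--- a/modules/private/websites/florian/app/default.nix
+++ b/modules/private/websites/florian/app/default.nix
@@ -1,6 +1,4 @@
-{ environment ? "prod"
-, varDir ? "/var/lib/tellesflorian_${environment}"
-, secretsPath ? "/var/secrets/webapps/${environment}-tellesflorian"
+{ environment, varDir, secretsPath
 , composerEnv, fetchurl, sources }:
 let
 app = composerEnv.buildPackage (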
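--- a/modules/private/websites/immae/temp.nix
+++ b/modules/private/websites/immae/temp.nix
@@ -56,7 +56,7 @@ in {
 exec ${pkgs.webapps.surfer}/bin/surfer-server ${varDir}
 '';
 serviceConfig = {
-EnvironmentFile = "/var/secrets/webapps/surfer";
+EnvironmentFile = config.secrets.fullPaths."webapps/surfer";
 User = "wwwrun";
 Group = "wwwrun";
 StateDirectory = "surfer";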
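--- a/modules/private/websites/ludivine/app/default.nix
+++ b/modules/private/websites/ludivine/app/default.nix
@@ -1,6 +1,4 @@
-{ environment ? "prod"
-, varDir ? "/var/lib/ludivinecassal_${environment}"
-, secretsPath ? "/var/secrets/webapps/${environment}-ludivinecassal"
+{ environment, varDir, secretsPath
 , composerEnv, fetchurl, fetchgit, imagemagick, sass, ruby, sources }:
 let
 app = composerEnv.buildPackage (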
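--- a/modules/private/websites/piedsjaloux/app/default.nix
+++ b/modules/private/websites/piedsjaloux/app/default.nix
@@ -1,6 +1,4 @@
-{ environment ? "prod"
-, varDir ? "/var/lib/piedsjaloux_${environment}"
-, secretsPath ? "/var/secrets/webapps/${environment}-piedsjaloux"
+{ environment, varDir, secretsPath
 , composerEnv, fetchurl, fetchgit, sources }:
 let
 app = composerEnv.buildPackage (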
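--- a/modules/private/websites/tools/cloud/default.nix
+++ b/modules/private/websites/tools/cloud/default.nix
@@ -157,7 +157,7 @@ in {
 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v:
 "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json"
 ) confs)}
-#install -D -m 0600 -o wwwrun -g wwwrun -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php
+#install -D -m 0600 -o wwwrun -g wwwrun -T ${config.secrets.fullPaths."webapps/tools-nextcloud"} ${varDir}/config/config.php
 '';
 };
 # FIXME: add a warning when config.php changes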
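Review bot: Line 160 is a commented-out shell command, but the new `${config.secrets.fullPaths."webapps/tools-nextcloud"}` inside it is still a Nix interpolation in the `''` string, so the activation text now depends on that key being present in `config.secrets.fullPaths` for a command that never runs. Either delete the dead line, or keep it as a reminder without interpolation, e.g. `# install -D -m 0600 -o wwwrun -g wwwrun -T <fullPaths entry for webapps/tools-nextcloud> ${varDir}/config/config.php`. Whether a missing `fullPaths` key aborts evaluation or yields a default is not visible here; the enclosing activation script starts outside the hunk.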
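--- a/modules/private/websites/tools/dav/davical.nix
+++ b/modules/private/websites/tools/dav/davical.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, gettext, writeText, env, awl, davical }:
+{ stdenv, fetchurl, gettext, writeText, env, awl, davical, config }:
 rec {
 activationScript = {
 deps = [ "httpd" ];
@@ -65,7 +65,7 @@ rec {
 include('drivers_ldap.php');
 '';
 }];
-webapp = davical.override { davical_config = "/var/secrets/webapps/dav-davical"; };
+webapp = davical.override { davical_config = config.secrets.fullPaths."webapps/dav-davical"; };
 webRoot = "${webapp}/htdocs";
 apache = rec {
 user = "wwwrun";
@@ -110,7 +110,7 @@ rec {
 };
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" "openldap.service" ];
-basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ];
+basedir = builtins.concatStringsSep ":" [ webapp config.secrets.fullPaths."webapps/dav-davical" awl ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;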
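Review bot: Passing the whole NixOS `config` into this package-level function (line 1, with `inherit config;` on dav/default.nix line 21) couples davical.nix to the module system although it reads a single value, `config.secrets.fullPaths."webapps/dav-davical"`, on lines 68 and 113. Taking a `secretsPath` argument instead, as the websites' app/default.nix files in this same commit do, keeps the package function free of module state and makes the secret dependency explicit at the call site: `{ stdenv, fetchurl, gettext, writeText, env, awl, davical, secretsPath }:`, `davical_config = secretsPath;` and `[ webapp secretsPath awl ]`. The same applies to mantisbt.nix (lines 1, 49 and 78, fed by git/default.nix line 6) and roundcubemail.nix (lines 1, 78 and 102, fed by mail/default.nix line 6).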
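--- a/modules/private/websites/tools/dav/default.nix
+++ b/modules/private/websites/tools/dav/default.nix
@@ -18,6 +18,7 @@ let
 davical = pkgs.callPackage ./davical.nix {
 env = config.myEnv.tools.davical;
 inherit (pkgs.webapps) davical awl;
+inherit config;
 };
 
 cfg = config.myServices.websites.tools.dav;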
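--- a/modules/private/websites/tools/diaspora/default.nix
+++ b/modules/private/websites/tools/diaspora/default.nix
@@ -18,6 +18,13 @@ in {
 
 secrets.keys = [
 {
+dest = "webapps/diaspora";
+isDir = true;
+user = "diaspora";
+group = "diaspora";
+permissions = "0500";
+}
+{
 dest = "webapps/diaspora/diaspora.yml";
 user = "diaspora";
 group = "diaspora";
@@ -146,7 +153,7 @@ in {
 package = pkgs.webapps.diaspora.override { ldap = true; };
 dataDir = "/var/lib/diaspora_immae";
 adminEmail = "diaspora@tools.immae.eu";
-configDir = "/var/secrets/webapps/diaspora";
+configDir = config.secrets.fullPaths."webapps/diaspora";
 };
 
 services.filesWatcher.diaspora = {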
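--- a/modules/private/websites/tools/ether/default.nix
+++ b/modules/private/websites/tools/ether/default.nix
@@ -166,9 +166,9 @@ in {
 p.ep_timesliderdiff
 ]);
 modules = [];
-sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
-apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
-configFile = "/var/secrets/webapps/tools-etherpad";
+sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
+apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
+configFile = config.secrets.fullPaths."webapps/tools-etherpad";
 };
 
 systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";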
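--- a/modules/private/websites/tools/git/default.nix
+++ b/modules/private/websites/tools/git/default.nix
@@ -3,6 +3,7 @@ let
 mantisbt = pkgs.callPackage ./mantisbt.nix {
 inherit (pkgs.webapps) mantisbt_2 mantisbt_2-plugins;
 env = config.myEnv.tools.mantisbt;
+inherit config;
 };
 gitweb = pkgs.callPackage ./gitweb.nix {
 gitoliteDir = config.myServices.gitolite.gitoliteDir;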
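--- a/modules/private/websites/tools/git/mantisbt.nix
+++ b/modules/private/websites/tools/git/mantisbt.nix
@@ -1,4 +1,4 @@
-{ env, mantisbt_2, mantisbt_2-plugins }:
+{ env, mantisbt_2, mantisbt_2-plugins, config }:
 rec {
 activationScript = {
 deps = [ "httpd" ];
@@ -46,7 +46,7 @@ rec {
 $g_ldap_organization = '${env.ldap.filter}';
 '';
 }];
-webRoot = (mantisbt_2.override { mantis_config = "/var/secrets/webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]);
+webRoot = (mantisbt_2.override { mantis_config = config.secrets.fullPaths."webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]);
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -75,7 +75,7 @@ rec {
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" "openldap.service" ];
 basedir = builtins.concatStringsSep ":" (
-[ webRoot "/var/secrets/webapps/tools-mantisbt" ]
+[ webRoot config.secrets.fullPaths."webapps/tools-mantisbt" ]
 ++ webRoot.plugins);
 pool = {
 "listen.owner" = apache.user;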
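--- a/modules/private/websites/tools/mail/default.nix
+++ b/modules/private/websites/tools/mail/default.nix
@@ -3,6 +3,7 @@ let
 roundcubemail = pkgs.callPackage ./roundcubemail.nix {
 inherit (pkgs.webapps) roundcubemail;
 env = config.myEnv.tools.roundcubemail;
+inherit config;
 };
 rainloop = pkgs.callPackage ./rainloop.nix {
 rainloop = pkgs.rainloop-community;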
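--- a/modules/private/websites/tools/mail/roundcubemail.nix
+++ b/modules/private/websites/tools/mail/roundcubemail.nix
@@ -1,4 +1,4 @@
-{ env, roundcubemail, apacheHttpd }:
+{ env, roundcubemail, apacheHttpd, config }:
 rec {
 varDir = "/var/lib/roundcubemail";
 activationScript = {
@@ -75,7 +75,7 @@ rec {
 $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
 '';
 }];
-webRoot = (roundcubemail.override { roundcube_config = "/var/secrets/webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]);
+webRoot = (roundcubemail.override { roundcube_config = config.secrets.fullPaths."webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]);
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -99,7 +99,7 @@ rec {
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" ];
 basedir = builtins.concatStringsSep ":" (
-[ webRoot "/var/secrets/webapps/tools-roundcube" varDir ]
+[ webRoot config.secrets.fullPaths."webapps/tools-roundcube" varDir ]
 ++ webRoot.plugins
 ++ webRoot.skins);
 pool = {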
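--- a/modules/private/websites/tools/mastodon/default.nix
+++ b/modules/private/websites/tools/mastodon/default.nix
@@ -62,7 +62,7 @@ in {
 }];
 services.mastodon = {
 enable = true;
-configFile = "/var/secrets/webapps/tools-mastodon";
+configFile = config.secrets.fullPaths."webapps/tools-mastodon";
 socketsPrefix = "live_immae";
 dataDir = "/var/lib/mastodon_immae";
 };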
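--- a/modules/private/websites/tools/mgoblin/default.nix
+++ b/modules/private/websites/tools/mgoblin/default.nix
@@ -84,7 +84,7 @@ in {
 services.mediagoblin = {
 enable = true;
 package = pkgs.webapps.mediagoblin.withPlugins (p: [p.basicsearch]);
-configFile = "/var/secrets/webapps/tools-mediagoblin";
+configFile = config.secrets.fullPaths."webapps/tools-mediagoblin";
 };
 services.filesWatcher.mediagoblin-web = {
 restart = true;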
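--- a/modules/private/websites/tools/peertube/default.nix
+++ b/modules/private/websites/tools/peertube/default.nix
@@ -14,7 +14,7 @@ in {
 };
 services.peertube = {
 enable = true;
-configFile = "/var/secrets/webapps/tools-peertube";
+configFile = config.secrets.fullPaths."webapps/tools-peertube";
 };
 users.users.peertube.extraGroups = [ "keys" ];
 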
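--- a/modules/private/websites/tools/performance/default.nix
+++ b/modules/private/websites/tools/performance/default.nix
@@ -80,7 +80,7 @@ in
 "pm.min_spare_servers" = "1";
 "pm.max_spare_servers" = "10";
 
-"php_admin_value[open_basedir]" = "${package}:/tmp:/var/secrets/status_engine_ui";
+"php_admin_value[open_basedir]" = "${package}:/tmp:${config.secrets.fullPaths."status_engine_ui"}";
 };
 phpPackage = pkgs.php74;
 };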
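--- a/modules/private/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -12,8 +12,10 @@ let
 inherit (pkgs.webapps) ttrss ttrss-plugins;
 env = config.myEnv.tools.ttrss;
 php = pkgs.php72;
+inherit config;
 };
 kanboard = pkgs.callPackage ./kanboard.nix {
+inherit config;
 env = config.myEnv.tools.kanboard;
 };
 wallabag = pkgs.callPackage ./wallabag.nix {
@@ -23,10 +25,12 @@ let
 };
 };
 env = config.myEnv.tools.wallabag;
+inherit config;
 };
 yourls = pkgs.callPackage ./yourls.nix {
 inherit (pkgs.webapps) yourls yourls-plugins;
 env = config.myEnv.tools.yourls;
+inherit config;
 };
 rompr = pkgs.callPackage ./rompr.nix {
 inherit (pkgs.webapps) rompr;
@@ -34,6 +38,7 @@ let
 };
 shaarli = pkgs.callPackage ./shaarli.nix {
 env = config.myEnv.tools.shaarli;
+inherit config;
 };
 dokuwiki = pkgs.callPackage ./dokuwiki.nix {
 inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
@@ -41,6 +46,7 @@ let
 ldap = pkgs.callPackage ./ldap.nix {
 inherit (pkgs.webapps) phpldapadmin;
 env = config.myEnv.tools.phpldapadmin;
+inherit config;
 };
 grocy = pkgs.callPackage ./grocy.nix {
 grocy = pkgs.webapps.grocy.override { composerEnv = pkgs.composerEnv.override { php = pkgs.php72; }; };
@@ -56,6 +62,7 @@ let
 };
 dmarc-reports = pkgs.callPackage ./dmarc_reports.nix {
 env = config.myEnv.tools.dmarc_reports;
+inherit config;
 };
 csp-reports = pkgs.callPackage ./csp_reports.nix {
 env = config.myEnv.tools.csp_reports;
@@ -188,8 +195,8 @@ in {
 Require all granted
 </Directory>
 
-Alias /webhooks ${config.secrets.location}/webapps/webhooks
-<Directory "${config.secrets.location}/webapps/webhooks">
+Alias /webhooks ${config.secrets.fullPaths."webapps/webhooks"}
+<Directory "${config.secrets.fullPaths."webapps/webhooks"}">
 Options -Indexes
 Require all granted
 AllowOverride None
@@ -271,7 +278,7 @@ in {
 description = "Standalone MPD Web GUI written in C";
 wantedBy = [ "multi-user.target" ];
 script = ''
-export MPD_PASSWORD=$(cat /var/secrets/mpd)
+export MPD_PASSWORD=$(cat ${config.secrets.fullPaths."mpd"})
 ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
 '';
 };
@@ -293,7 +300,7 @@ in {
 
 services.filesWatcher.ympd = {
 restart = true;
-paths = [ "/var/secrets/mpd" ];
+paths = [ config.secrets.fullPaths."mpd" ];
 };
 
 services.phpfpm.pools = {
@@ -313,9 +320,9 @@ in {
 "php_value[session.name]" = "ToolsPHPSESSID";
 "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [
 "/run/wrappers/bin/sendmail" landing "/tmp"
-"${config.secrets.location}/webapps/webhooks"
+config.secrets.fullPaths."webapps/webhooks"
 ];
-"include" = "${config.secrets.location}/webapps/tools-csp-reports.conf";
+"include" = config.secrets.fullPaths."webapps/tools-csp-reports.conf";
 };
 phpEnv = {
 CONTACT_EMAIL = config.myEnv.tools.contact;
@@ -438,11 +445,11 @@ in {
 };
 
 services.websites.env.tools.watchPaths = [
-"/var/secrets/webapps/tools-shaarli"
+config.secrets.fullPaths."webapps/tools-shaarli"
 ];
 services.filesWatcher.phpfpm-wallabag = {
 restart = true;
-paths = [ "/var/secrets/webapps/tools-wallabag" ];
+paths = [ config.secrets.fullPaths."webapps/tools-wallabag" ];
 };
 
 };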
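Review bot: `Alias /webhooks ${config.secrets.fullPaths."webapps/webhooks"}` together with `Require all granted` serves a directory that lives inside the secrets store, so the httpd user must be able to traverse every parent of that path, not only the leaf directory that webhooks.nix now declares as `0500` owned by `wwwrun`. The deleted modules/secrets.nix created the secrets root with `install -m0750 -o root -g keys` and ran `find … -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;`, which leaves traversal to members of `keys` (as peertube handles with `extraGroups = [ "keys" ]`); the replacement secrets module is not in this diff, so it is worth confirming it grants that traversal or that `wwwrun` is in `keys`, since the `fullPaths` indirection does not change the on-disk permissions. A one-line comment above the Alias, `# served from the secrets tree: httpd needs traverse rights on the parent directories`, would keep the next reader from treating this path as an ordinary web root. The attribute sets these hunks belong to start and end outside the hunks.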
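--- a/modules/private/websites/tools/tools/dmarc_reports.nix
+++ b/modules/private/websites/tools/tools/dmarc_reports.nix
@@ -1,4 +1,4 @@
-{ env }:
+{ env, config }:
 rec {
 keys = [{
 dest = "webapps/tools-dmarc-reports.php";
@@ -43,7 +43,7 @@ rec {
 };
 phpFpm = rec {
 basedir = builtins.concatStringsSep ":"
-[ webRoot "/var/secrets/webapps/tools-dmarc-reports.php" ];
+[ webRoot config.secrets.fullPaths."webapps/tools-dmarc-reports.php" ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;
@@ -55,7 +55,7 @@ rec {
 "php_admin_value[open_basedir]" = "${basedir}:/tmp";
 };
 phpEnv = {
-SECRETS_FILE = "/var/secrets/webapps/tools-dmarc-reports.php";
+SECRETS_FILE = config.secrets.fullPaths."webapps/tools-dmarc-reports.php";
 };
 };
 }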
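--- a/modules/private/websites/tools/tools/kanboard.nix
+++ b/modules/private/websites/tools/tools/kanboard.nix
@@ -1,4 +1,4 @@
-{ env, kanboard }:
+{ env, kanboard, config }:
 rec {
 backups = {
 rootDir = varDir;
@@ -42,7 +42,7 @@ rec {
 ?>
 '';
 }];
-webRoot = kanboard { kanboard_config = "/var/secrets/webapps/tools-kanboard"; };
+webRoot = kanboard { kanboard_config = config.secrets.fullPaths."webapps/tools-kanboard"; };
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -68,7 +68,7 @@ rec {
 };
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" "openldap.service" ];
-basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ];
+basedir = builtins.concatStringsSep ":" [ webRoot varDir config.secrets.fullPaths."webapps/tools-kanboard" ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;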
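--- a/modules/private/websites/tools/tools/ldap.nix
+++ b/modules/private/websites/tools/tools/ldap.nix
@@ -1,4 +1,4 @@
-{ lib, php, env, writeText, phpldapadmin }:
+{ lib, php, env, writeText, phpldapadmin, config }:
 rec {
 activationScript = {
 deps = [ "httpd" ];
@@ -32,7 +32,7 @@ rec {
 $servers->setValue('login','fallback_dn',true);
 '';
 }];
-webRoot = phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
+webRoot = phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -54,7 +54,7 @@ rec {
 };
 phpFpm = rec {
 serviceDeps = [ "openldap.service" ];
-basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ];
+basedir = builtins.concatStringsSep ":" [ webRoot config.secrets.fullPaths."webapps/tools-ldap" ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;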
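--- a/modules/private/websites/tools/tools/shaarli.nix
+++ b/modules/private/websites/tools/tools/shaarli.nix
@@ -1,4 +1,4 @@
-{ lib, env, stdenv, fetchurl, shaarli }:
+{ lib, env, stdenv, fetchurl, shaarli, config }:
 let
 varDir = "/var/lib/shaarli";
 in rec {
@@ -21,7 +21,7 @@ in rec {
 vhostConf = socket: ''
 Alias /Shaarli "${root}"
 
-Include /var/secrets/webapps/tools-shaarli
+Include ${config.secrets.fullPaths."webapps/tools-shaarli"}
 <Location /Shaarli>
 Header set Access-Control-Allow-Origin "*"
 Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"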
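--- a/modules/private/websites/tools/tools/ttrss.nix
+++ b/modules/private/websites/tools/tools/ttrss.nix
@@ -1,4 +1,4 @@
-{ php, env, ttrss, ttrss-plugins }:
+{ php, env, ttrss, ttrss-plugins, config }:
 rec {
 backups = {
 rootDir = varDir;
@@ -88,7 +88,7 @@ rec {
 define('LDAP_AUTH_DEBUG', FALSE);
 '';
 }];
-webRoot = (ttrss.override { ttrss_config = "/var/secrets/webapps/tools-ttrss"; }).withPlugins (p: [
+webRoot = (ttrss.override { ttrss_config = config.secrets.fullPaths."webapps/tools-ttrss"; }).withPlugins (p: [
 p.auth_ldap p.ff_instagram p.tumblr_gdpr_ua
 (p.af_feedmod.override { patched = true; })
 (p.feediron.override { patched = true; })
@@ -116,7 +116,7 @@ rec {
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" "openldap.service" ];
 basedir = builtins.concatStringsSep ":" (
-[ webRoot "/var/secrets/webapps/tools-ttrss" varDir ]
+[ webRoot config.secrets.fullPaths."webapps/tools-ttrss" varDir ]
 ++ webRoot.plugins);
 pool = {
 "listen.owner" = apache.user;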
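--- a/modules/private/websites/tools/tools/wallabag.nix
+++ b/modules/private/websites/tools/tools/wallabag.nix
@@ -1,4 +1,4 @@
-{ env, wallabag, mylibs }:
+{ env, wallabag, mylibs, config }:
 rec {
 backups = {
 rootDir = varDir;
@@ -69,7 +69,7 @@ rec {
 arguments: ['/run/wrappers/bin/sendmail -bs']
 '';
 }];
-webappDir = wallabag.override { ldap = true; wallabag_config = "/var/secrets/webapps/tools-wallabag"; };
+webappDir = wallabag.override { ldap = true; wallabag_config = config.secrets.fullPaths."webapps/tools-wallabag"; };
 activationScript = ''
 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
 ${varDir}/var ${varDir}/data/db ${varDir}/assets/images
@@ -125,11 +125,11 @@ rec {
 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction
 popd > /dev/null
 echo -n "${webappDir}" > ${varDir}/currentWebappDir
-sha512sum /var/secrets/webapps/tools-wallabag > ${varDir}/currentKey
+sha512sum ${config.secrets.fullPaths."webapps/tools-wallabag"} > ${varDir}/currentKey
 fi
 '';
 serviceDeps = [ "postgresql.service" "openldap.service" ];
-basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ];
+basedir = builtins.concatStringsSep ":" [ webappDir config.secrets.fullPaths."webapps/tools-wallabag" varDir ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;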
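--- a/modules/private/websites/tools/tools/webhooks.nix
+++ b/modules/private/websites/tools/tools/webhooks.nix
@@ -6,5 +6,11 @@
 group = "wwwrun";
 permissions = "0400";
 text = v;
-}) env;
+}) env ++ [{
+dest = "webapps/webhooks";
+isDir = true;
+user = "wwwrun";
+group = "wwwrun";
+permissions = "0500";
+}];
 }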
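Review bot: The appended element `dest = "webapps/webhooks"; isDir = true;` carries no comment explaining why a directory, rather than a secret file, is listed among the keys, and the two jobs it appears to do are easy to miss. In the deleted modules/secrets.nix, `fullPaths` was built from `config.secrets.keys` by `dest`, so this entry is presumably what lets `config.secrets.fullPaths."webapps/webhooks"` in ./default.nix resolve, and the `wwwrun` owner with `0500` gives httpd traverse rights that the old module's `chown root:keys … chmod o-rx` on every directory would have withheld; whether the replacement module handles `isDir` entries that way is not visible in this diff. A comment above the element such as `# directory entry: owned by wwwrun so httpd can traverse it, and registers the path in secrets.fullPaths for the Alias in ./default.nix` would record both reasons. The list expression this hunk extends starts outside the hunk.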
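--- a/modules/private/websites/tools/tools/yourls.nix
+++ b/modules/private/websites/tools/tools/yourls.nix
@@ -1,4 +1,4 @@
-{ env, yourls, yourls-plugins }:
+{ env, yourls, yourls-plugins, config }:
 rec {
 activationScript = {
 deps = [ "httpd" ];
@@ -40,7 +40,7 @@ rec {
 define( 'LDAPAUTH_USERCACHE_TYPE', 0);
 '';
 }];
-webRoot = (yourls.override { yourls_config = "/var/secrets/webapps/tools-yourls"; }).withPlugins (p: [p.ldap]);
+webRoot = (yourls.override { yourls_config = config.secrets.fullPaths."webapps/tools-yourls"; }).withPlugins (p: [p.ldap]);
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -70,7 +70,7 @@ rec {
 phpFpm = rec {
 serviceDeps = [ "mysql.service" "openldap.service" ];
 basedir = builtins.concatStringsSep ":" (
-[ webRoot "/var/secrets/webapps/tools-yourls" ]
+[ webRoot config.secrets.fullPaths."webapps/tools-yourls" ]
 ++ webRoot.plugins);
 pool = {
 "listen.owner" = apache.user;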
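--- a/modules/secrets.nix
+++ /dev/null
@@ -1,113 +0,0 @@
-{ lib, pkgs, config, ... }:
-{
-options.secrets = {
-keys = lib.mkOption {
-type = lib.types.listOf lib.types.unspecified;
-default = [];
-description = "Keys to upload to server";
-};
-gpgKeys = lib.mkOption {
-type = lib.types.listOf lib.types.path;
-default = [];
-description = "GPG public keys files to encrypt to";
-};
-ageKeys = lib.mkOption {
-type = lib.types.listOf lib.types.str;
-default = [];
-description = "AGE keys to encrypt to";
-};
-decryptKey = lib.mkOption {
-type = lib.types.str;
-default = "/etc/ssh/ssh_host_ed25519_key";
-description = "ed25519 key used to decrypt with AGE";
-};
-location = lib.mkOption {
-type = lib.types.path;
-default = "/var/secrets";
-description = "Location where to put the keys";
-};
-secretsVars = lib.mkOption {
-type = lib.types.path;
-default = "/run/keys/vars.yml";
-description = "Location where the secrets variables are defined, to be used to fill the templates in secrets";
-};
-deleteSecretsVars = lib.mkOption {
-type = lib.types.bool;
-default = false;
-description = "Delete secrets file after deployment";
-};
-# Read-only variables
-fullPaths = lib.mkOption {
-type = lib.types.attrsOf lib.types.path;
-default = builtins.listToAttrs
-(map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys);
-readOnly = true;
-description = "set of full paths to secrets";
-};
-};
-
-config = let
-location = config.secrets.location;
-keys = config.secrets.keys;
-empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
-fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}";
-dumpKey = v: ''
-mkdir -p secrets/$(dirname ${v.dest})
-echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v}
-cat >> mods <<EOF
-${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v}
-EOF
-'';
-secrets = pkgs.runCommand "secrets.tar.enc" {
-buildInputs = [ pkgs.gnupg pkgs.sops ];
-} ''
-touch mods
-tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
-${builtins.concatStringsSep "\n" (map dumpKey keys)}
-cat mods | while read u g p k; do
-tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
-done
-export HOME=$(pwd)
-fingerprints=
-for key in ${builtins.concatStringsSep " " config.secrets.gpgKeys}; do
-gpg --import $key 2>/dev/null
-fingerprints=$fingerprints,$(cat $key | gpg --with-colons --import-options show-only --import 2>/dev/null | grep ^fpr | cut -d: -f10 | head -n1)
-done
-
-sops --age ${builtins.concatStringsSep "," config.secrets.ageKeys} --pgp ''${fingerprints#,} --input-type binary -i -e $out 2>/dev/null
-'';
-in lib.mkIf (builtins.length keys > 0) {
-system.activationScripts.secrets = {
-deps = [ "users" "wrappers" ];
-text = ''
-install -m0750 -o root -g keys -d ${location}
-TMP=$(${pkgs.coreutils}/bin/mktemp -d)
-TMPWORK=$(${pkgs.coreutils}/bin/mktemp -d)
-chmod go-rwx $TMPWORK
-if [ -n "$TMP" -a -n "$TMPWORK" ]; then
-install -m0750 -o root -g keys -d $TMP
-${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i ${config.secrets.decryptKey} -o $TMPWORK/keys.txt
-SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${secrets} | ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -x
-if [ -f ${config.secrets.secretsVars} ]; then
-SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${config.secrets.secretsVars} > $TMPWORK/vars.yml
-fi
-if [ -f $TMPWORK/vars.yml ]; then
-find $TMP -name "*.gucci.tpl" -exec \
-/bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f '$TMPWORK'/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \;
-fi
-find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
-${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location}
-rm -rf $TMP $TMPWORK ${lib.optionalString config.secrets.deleteSecretsVars config.secrets.secretsVars}
-fi
-'';
-};
-
-deployment.secrets."secret_vars.yml" = {
-source = builtins.toString ../nixops/secrets/vars.yml;
-destination = config.secrets.secretsVars;
-owner.user = "root";
-owner.group = "root";
-permissions = "0400";
-};
-};
-}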
diff --git a/nixops/secrets b/nixops/secrets | |||
Subproject a1e6498139cc51a3d68e5655480542e6ccd3a45 | Subproject 0b9f489a7e2e01208d4285c26348b4fa09607e1 | ||