aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--flakes/private/openarc/flake.lock14
-rw-r--r--flakes/private/openarc/flake.nix9
-rw-r--r--flakes/private/opendmarc/flake.lock14
-rw-r--r--flakes/private/opendmarc/flake.nix9
-rw-r--r--flakes/secrets/flake.nix124
-rw-r--r--modules/default.nix2
-rw-r--r--modules/duply_backup/default.nix7
-rw-r--r--modules/private/buildbot/default.nix24
-rw-r--r--modules/private/databases/mariadb.nix8
-rw-r--r--modules/private/databases/mariadb_replication.nix6
-rw-r--r--modules/private/databases/openldap/default.nix15
-rw-r--r--modules/private/databases/openldap_replication.nix2
-rw-r--r--modules/private/databases/postgresql.nix8
-rw-r--r--modules/private/databases/redis.nix6
-rw-r--r--modules/private/databases/redis_replication.nix4
-rw-r--r--modules/private/dns.nix2
-rw-r--r--modules/private/ftp.nix4
-rw-r--r--modules/private/mail/milters.nix9
-rw-r--r--modules/private/mail/postfix.nix2
-rw-r--r--modules/private/monitoring/objects_backup-2.nix4
-rw-r--r--modules/private/mpd.nix4
-rw-r--r--modules/private/ssh/default.nix2
-rw-r--r--modules/private/system.nix9
-rw-r--r--modules/private/system/eldiron.nix2
-rw-r--r--modules/private/system/monitoring-1.nix2
-rw-r--r--modules/private/system/quatresaisons.nix12
-rw-r--r--modules/private/system/quatresaisons/databases.nix6
-rw-r--r--modules/private/tasks/default.nix6
-rw-r--r--modules/private/websites/connexionswing/app/default.nix4
-rw-r--r--modules/private/websites/default.nix8
-rw-r--r--modules/private/websites/florian/app/default.nix4
-rw-r--r--modules/private/websites/immae/temp.nix2
-rw-r--r--modules/private/websites/ludivine/app/default.nix4
-rw-r--r--modules/private/websites/piedsjaloux/app/default.nix4
-rw-r--r--modules/private/websites/tools/cloud/default.nix2
-rw-r--r--modules/private/websites/tools/dav/davical.nix6
-rw-r--r--modules/private/websites/tools/dav/default.nix1
-rw-r--r--modules/private/websites/tools/diaspora/default.nix9
-rw-r--r--modules/private/websites/tools/ether/default.nix6
-rw-r--r--modules/private/websites/tools/git/default.nix1
-rw-r--r--modules/private/websites/tools/git/mantisbt.nix6
-rw-r--r--modules/private/websites/tools/mail/default.nix1
-rw-r--r--modules/private/websites/tools/mail/roundcubemail.nix6
-rw-r--r--modules/private/websites/tools/mastodon/default.nix2
-rw-r--r--modules/private/websites/tools/mgoblin/default.nix2
-rw-r--r--modules/private/websites/tools/peertube/default.nix2
-rw-r--r--modules/private/websites/tools/performance/default.nix2
-rw-r--r--modules/private/websites/tools/tools/default.nix23
-rw-r--r--modules/private/websites/tools/tools/dmarc_reports.nix6
-rw-r--r--modules/private/websites/tools/tools/kanboard.nix6
-rw-r--r--modules/private/websites/tools/tools/ldap.nix6
-rw-r--r--modules/private/websites/tools/tools/shaarli.nix4
-rw-r--r--modules/private/websites/tools/tools/ttrss.nix6
-rw-r--r--modules/private/websites/tools/tools/wallabag.nix8
-rw-r--r--modules/private/websites/tools/tools/webhooks.nix8
-rw-r--r--modules/private/websites/tools/tools/yourls.nix6
-rw-r--r--modules/secrets.nix113
m---------nixops/secrets0
58 files changed, 329 insertions, 245 deletions
diff --git a/flakes/private/openarc/flake.lock b/flakes/private/openarc/flake.lock
index f0f56c7..744d002 100644
--- a/flakes/private/openarc/flake.lock
+++ b/flakes/private/openarc/flake.lock
@@ -140,7 +140,19 @@
140 "files-watcher": "files-watcher", 140 "files-watcher": "files-watcher",
141 "my-lib": "my-lib", 141 "my-lib": "my-lib",
142 "nix-lib": "nix-lib", 142 "nix-lib": "nix-lib",
143 "openarc": "openarc" 143 "openarc": "openarc",
144 "secrets": "secrets"
145 }
146 },
147 "secrets": {
148 "locked": {
149 "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=",
150 "path": "../../secrets",
151 "type": "path"
152 },
153 "original": {
154 "path": "../../secrets",
155 "type": "path"
144 } 156 }
145 } 157 }
146 }, 158 },
diff --git a/flakes/private/openarc/flake.nix b/flakes/private/openarc/flake.nix
index 5c4b73c..b4ab4c8 100644
--- a/flakes/private/openarc/flake.nix
+++ b/flakes/private/openarc/flake.nix
@@ -3,6 +3,10 @@
3 path = "../../openarc"; 3 path = "../../openarc";
4 type = "path"; 4 type = "path";
5 }; 5 };
6 inputs.secrets = {
7 path = "../../secrets";
8 type = "path";
9 };
6 inputs.files-watcher = { 10 inputs.files-watcher = {
7 path = "../../files-watcher"; 11 path = "../../files-watcher";
8 type = "path"; 12 type = "path";
@@ -14,14 +18,13 @@
14 inputs.nix-lib.url = "github:NixOS/nixpkgs"; 18 inputs.nix-lib.url = "github:NixOS/nixpkgs";
15 19
16 description = "Private configuration for openarc"; 20 description = "Private configuration for openarc";
17 outputs = { self, nix-lib, my-lib, files-watcher, openarc }: 21 outputs = { self, nix-lib, my-lib, files-watcher, openarc, secrets }:
18 let 22 let
19 cfg = name': { config, lib, pkgs, name, ... }: { 23 cfg = name': { config, lib, pkgs, name, ... }: {
20 imports = [ 24 imports = [
21 (my-lib.lib.withNarKey files-watcher "nixosModule") 25 (my-lib.lib.withNarKey files-watcher "nixosModule")
22 (my-lib.lib.withNarKey openarc "nixosModule") 26 (my-lib.lib.withNarKey openarc "nixosModule")
23 #FIXME: 27 (my-lib.lib.withNarKey secrets "nixosModule")
24 #(my-lib.lib.withNarKey secrets "nixosModule")
25 ]; 28 ];
26 config = lib.mkIf (name == name') { 29 config = lib.mkIf (name == name') {
27 services.openarc = { 30 services.openarc = {
diff --git a/flakes/private/opendmarc/flake.lock b/flakes/private/opendmarc/flake.lock
index 121f51d..bd5019c 100644
--- a/flakes/private/opendmarc/flake.lock
+++ b/flakes/private/opendmarc/flake.lock
@@ -123,7 +123,19 @@
123 "files-watcher": "files-watcher", 123 "files-watcher": "files-watcher",
124 "my-lib": "my-lib", 124 "my-lib": "my-lib",
125 "nix-lib": "nix-lib", 125 "nix-lib": "nix-lib",
126 "opendmarc": "opendmarc" 126 "opendmarc": "opendmarc",
127 "secrets": "secrets"
128 }
129 },
130 "secrets": {
131 "locked": {
132 "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=",
133 "path": "../../secrets",
134 "type": "path"
135 },
136 "original": {
137 "path": "../../secrets",
138 "type": "path"
127 } 139 }
128 } 140 }
129 }, 141 },
diff --git a/flakes/private/opendmarc/flake.nix b/flakes/private/opendmarc/flake.nix
index debcfbd..2b73070 100644
--- a/flakes/private/opendmarc/flake.nix
+++ b/flakes/private/opendmarc/flake.nix
@@ -3,6 +3,10 @@
3 path = "../../opendmarc"; 3 path = "../../opendmarc";
4 type = "path"; 4 type = "path";
5 }; 5 };
6 inputs.secrets = {
7 path = "../../secrets";
8 type = "path";
9 };
6 inputs.files-watcher = { 10 inputs.files-watcher = {
7 path = "../../files-watcher"; 11 path = "../../files-watcher";
8 type = "path"; 12 type = "path";
@@ -14,14 +18,13 @@
14 inputs.nix-lib.url = "github:NixOS/nixpkgs"; 18 inputs.nix-lib.url = "github:NixOS/nixpkgs";
15 19
16 description = "Private configuration for opendmarc"; 20 description = "Private configuration for opendmarc";
17 outputs = { self, nix-lib, opendmarc, my-lib, files-watcher }: 21 outputs = { self, nix-lib, opendmarc, my-lib, files-watcher, secrets }:
18 let 22 let
19 cfg = name': { config, lib, pkgs, name, ... }: { 23 cfg = name': { config, lib, pkgs, name, ... }: {
20 imports = [ 24 imports = [
21 (my-lib.lib.withNarKey files-watcher "nixosModule") 25 (my-lib.lib.withNarKey files-watcher "nixosModule")
22 (my-lib.lib.withNarKey opendmarc "nixosModule") 26 (my-lib.lib.withNarKey opendmarc "nixosModule")
23 #FIXME: 27 (my-lib.lib.withNarKey secrets "nixosModule")
24 #(my-lib.lib.withNarKey secrets "nixosModule")
25 ]; 28 ];
26 config = lib.mkIf (name == name') { 29 config = lib.mkIf (name == name') {
27 users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; 30 users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
diff --git a/flakes/secrets/flake.nix b/flakes/secrets/flake.nix
new file mode 100644
index 0000000..0ee6a40
--- /dev/null
+++ b/flakes/secrets/flake.nix
@@ -0,0 +1,124 @@
1{
2 description = "Secrets handling";
3
4 outputs = { self }: {
5 nixosModule = { config, lib, pkgs, ... }: {
6 options.secrets = with lib; {
7 keys = mkOption {
8 type = types.listOf types.unspecified;
9 default = [];
10 description = "Keys to upload to server";
11 };
12 gpgKeys = mkOption {
13 type = types.listOf types.path;
14 default = [];
15 description = "GPG public keys files to encrypt to";
16 };
17 ageKeys = mkOption {
18 type = types.listOf types.str;
19 default = [];
20 description = "AGE keys to encrypt to";
21 };
22 decryptKey = mkOption {
23 type = types.str;
24 default = "/etc/ssh/ssh_host_ed25519_key";
25 description = "ed25519 key used to decrypt with AGE";
26 };
27 location = mkOption {
28 type = types.path;
29 default = "/var/secrets";
30 description = "Location where to put the keys";
31 };
32 secretsVars = mkOption {
33 type = types.path;
34 description = "Location where the secrets variables are defined, to be used to fill the templates in secrets";
35 };
36 deleteSecretsVars = mkOption {
37 type = types.bool;
38 default = false;
39 description = "Delete secrets file after deployment";
40 };
41 # Read-only variables
42 fullPaths = mkOption {
43 type = types.attrsOf types.path;
44 default = builtins.listToAttrs
45 (map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys);
46 readOnly = true;
47 description = "set of full paths to secrets";
48 };
49 };
50
51 config = let
52 location = config.secrets.location;
53 keys = config.secrets.keys;
54 empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
55 fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}";
56 dumpKey = v:
57 if v.isDir or false then
58 ''
59 mkdir -p secrets/${v.dest}
60 cat >> mods <<EOF
61 ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
62 EOF
63 ''
64 else ''
65 mkdir -p secrets/$(dirname ${v.dest})
66 echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v}
67 cat >> mods <<EOF
68 ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v}
69 EOF
70 '';
71 secrets = pkgs.runCommand "secrets.tar.enc" {
72 buildInputs = [ pkgs.gnupg pkgs.sops ];
73 } ''
74 touch mods
75 tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
76 ${builtins.concatStringsSep "\n" (map dumpKey keys)}
77 cat mods | while read u g p k; do
78 tar --no-recursion --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
79 done
80 export HOME=$(pwd)
81 fingerprints=
82 for key in ${builtins.concatStringsSep " " config.secrets.gpgKeys}; do
83 gpg --import $key 2>/dev/null
84 fingerprints=$fingerprints,$(cat $key | gpg --with-colons --import-options show-only --import 2>/dev/null | grep ^fpr | cut -d: -f10 | head -n1)
85 done
86
87 sops --age ${builtins.concatStringsSep "," config.secrets.ageKeys} --pgp ''${fingerprints#,} --input-type binary -i -e $out 2>/dev/null
88 '';
89 pathChmodExcl =
90 let
91 dirs = builtins.filter (v: v.isDir or false) keys;
92 exclPath = builtins.concatStringsSep " -o " (map (d: " -path $TMP/${d.dest}") dirs);
93 in
94 lib.optionalString (builtins.length dirs > 0) " -not \\( ${exclPath} \\) ";
95 in lib.mkIf (builtins.length keys > 0) {
96 system.activationScripts.secrets = {
97 deps = [ "users" "wrappers" ];
98 text = ''
99 install -m0750 -o root -g keys -d ${location}
100 TMP=$(${pkgs.coreutils}/bin/mktemp -d)
101 TMPWORK=$(${pkgs.coreutils}/bin/mktemp -d)
102 chmod go-rwx $TMPWORK
103 if [ -n "$TMP" -a -n "$TMPWORK" ]; then
104 install -m0750 -o root -g keys -d $TMP
105 ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i ${config.secrets.decryptKey} -o $TMPWORK/keys.txt
106 SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${secrets} | ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -x
107 if [ -f ${config.secrets.secretsVars} ]; then
108 SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${config.secrets.secretsVars} > $TMPWORK/vars.yml
109 fi
110 if [ -f $TMPWORK/vars.yml ]; then
111 find $TMP -name "*.gucci.tpl" -exec \
112 /bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f '$TMPWORK'/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \;
113 fi
114 find $TMP -type d ${pathChmodExcl}-exec chown root:keys {} \; -exec chmod o-rx {} \;
115 ${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location}
116 rm -rf $TMP $TMPWORK ${lib.optionalString config.secrets.deleteSecretsVars config.secrets.secretsVars}
117 fi
118 '';
119 };
120
121 };
122 };
123 };
124}
diff --git a/modules/default.nix b/modules/default.nix
index b6ac68a..cb2e7d9 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,7 +4,7 @@ let
4in 4in
5{ 5{
6 myids = (flakeCompat ../flakes/myuids).nixosModule; 6 myids = (flakeCompat ../flakes/myuids).nixosModule;
7 secrets = ./secrets.nix; 7 secrets = flakeLib.withNarKeyCompat flakeCompat ../flakes/secrets "nixosModule";
8 filesWatcher = flakeLib.withNarKeyCompat flakeCompat ../flakes/files-watcher "nixosModule"; 8 filesWatcher = flakeLib.withNarKeyCompat flakeCompat ../flakes/files-watcher "nixosModule";
9 9
10 webstats = ./webapps/webstats; 10 webstats = ./webapps/webstats;
diff --git a/modules/duply_backup/default.nix b/modules/duply_backup/default.nix
index 88245a2..7034a91 100644
--- a/modules/duply_backup/default.nix
+++ b/modules/duply_backup/default.nix
@@ -87,6 +87,11 @@ in
87 dest = "backup/${varName k remote}/exclude"; 87 dest = "backup/${varName k remote}/exclude";
88 text = v.excludeFile; 88 text = v.excludeFile;
89 } 89 }
90 {
91 permissions = "0500";
92 dest = "backup/${varName k remote}";
93 isDir = true;
94 }
90 ]) v.remotes) config.services.duplyBackup.profiles); 95 ]) v.remotes) config.services.duplyBackup.profiles);
91 96
92 services.cron = { 97 services.cron = {
@@ -99,7 +104,7 @@ in
99 map (remote: [ 104 map (remote: [
100 '' 105 ''
101 touch ${varDir}/${varName k remote}.log 106 touch ${varDir}/${varName k remote}.log
102 ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${varName k remote}/ ${action} --force >> ${varDir}/${varName k remote}.log 107 ${pkgs.duply}/bin/duply ${config.secrets.fullPaths."backup/${varName k remote}"}/ ${action} --force >> ${varDir}/${varName k remote}.log
103 [[ $? = 0 ]] || echo -e "Error when doing backup for ${varName k remote}, see above\n---------------------------------------" >&2 108 [[ $? = 0 ]] || echo -e "Error when doing backup for ${varName k remote}, see above\n---------------------------------------" >&2
104 '' 109 ''
105 ]) v.remotes 110 ]) v.remotes
diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix
index ea0bef6..903f453 100644
--- a/modules/private/buildbot/default.nix
+++ b/modules/private/buildbot/default.nix
@@ -42,7 +42,7 @@ in
42 }; 42 };
43 43
44 services.websites.env.tools.watchPaths = lib.attrsets.mapAttrsToList 44 services.websites.env.tools.watchPaths = lib.attrsets.mapAttrsToList
45 (k: project: "/var/secrets/buildbot/${project.name}/webhook-httpd-include") 45 (k: project: config.secrets.fullPaths."buildbot/${project.name}/webhook-httpd-include")
46 config.myEnv.buildbot.projects; 46 config.myEnv.buildbot.projects;
47 47
48 services.websites.env.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: '' 48 services.websites.env.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: ''
@@ -62,7 +62,7 @@ in
62 <RequireAny> 62 <RequireAny>
63 Require local 63 Require local
64 Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu 64 Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu
65 Include /var/secrets/buildbot/${project.name}/webhook-httpd-include 65 Include ${config.secrets.fullPaths."buildbot/${project.name}/webhook-httpd-include"}
66 </RequireAny> 66 </RequireAny>
67 </Location> 67 </Location>
68 '') config.myEnv.buildbot.projects; 68 '') config.myEnv.buildbot.projects;
@@ -146,11 +146,11 @@ in
146 services.filesWatcher = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { 146 services.filesWatcher = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
147 restart = true; 147 restart = true;
148 paths = [ 148 paths = [
149 "/var/secrets/buildbot/ldap" 149 config.secrets.fullPaths."buildbot/ldap"
150 "/var/secrets/buildbot/worker_password" 150 config.secrets.fullPaths."buildbot/worker_password"
151 "/var/secrets/buildbot/ssh_key" 151 config.secrets.fullPaths."buildbot/ssh_key"
152 "/var/secrets/buildbot/${project.name}/environment_file" 152 config.secrets.fullPaths."buildbot/${project.name}/environment_file"
153 ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets; 153 ] ++ lib.attrsets.mapAttrsToList (k: v: config.secrets.fullPaths."buildbot/${project.name}/${k}") project.secrets;
154 }) config.myEnv.buildbot.projects; 154 }) config.myEnv.buildbot.projects;
155 155
156 systemd.slices.buildbot = { 156 systemd.slices.buildbot = {
@@ -206,13 +206,13 @@ in
206 fi 206 fi
207 ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac 207 ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac
208 # different buildbots may be trying that simultaneously, add the || true to avoid complaining in case of race 208 # different buildbots may be trying that simultaneously, add the || true to avoid complaining in case of race
209 install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ssh_key ${varDir}/buildbot_key || true 209 install -Dm600 -o buildbot -g buildbot -T ${config.secrets.fullPaths."buildbot/ssh_key"} ${varDir}/buildbot_key || true
210 buildbot_secrets=${varDir}/${project.name}/secrets 210 buildbot_secrets=${varDir}/${project.name}/secrets
211 install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets 211 install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets
212 install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ldap $buildbot_secrets/ldap 212 install -Dm600 -o buildbot -g buildbot -T ${config.secrets.fullPaths."buildbot/ldap"} $buildbot_secrets/ldap
213 install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/worker_password $buildbot_secrets/worker_password 213 install -Dm600 -o buildbot -g buildbot -T ${config.secrets.fullPaths."buildbot/worker_password"} $buildbot_secrets/worker_password
214 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList 214 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
215 (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets 215 (k: v: "install -Dm600 -o buildbot -g buildbot -T ${config.secrets.fullPaths."buildbot/${project.name}/${k}"} $buildbot_secrets/${k}") project.secrets
216 )} 216 )}
217 ${buildbot}/bin/buildbot upgrade-master ${varDir}/${project.name} 217 ${buildbot}/bin/buildbot upgrade-master ${varDir}/${project.name}
218 ''; 218 '';
@@ -247,7 +247,7 @@ in
247 SupplementaryGroups = "keys"; 247 SupplementaryGroups = "keys";
248 WorkingDirectory = "${varDir}/${project.name}"; 248 WorkingDirectory = "${varDir}/${project.name}";
249 ExecStart = "${buildbot}/bin/buildbot start"; 249 ExecStart = "${buildbot}/bin/buildbot start";
250 EnvironmentFile = "/var/secrets/buildbot/${project.name}/environment_file"; 250 EnvironmentFile = config.secrets.fullPaths."buildbot/${project.name}/environment_file";
251 }; 251 };
252 }) config.myEnv.buildbot.projects; 252 }) config.myEnv.buildbot.projects;
253 }; 253 };
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index 36edaeb..75ea747 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -169,14 +169,14 @@ in {
169 mysql = { 169 mysql = {
170 text = '' 170 text = ''
171 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ 171 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
172 auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam 172 auth required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"}
173 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam 173 account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"}
174 ''; 174 '';
175 }; 175 };
176 mysql_replication = { 176 mysql_replication = {
177 text = '' 177 text = ''
178 auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication 178 auth required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"}
179 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication 179 account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"}
180 ''; 180 '';
181 }; 181 };
182 }; 182 };
diff --git a/modules/private/databases/mariadb_replication.nix b/modules/private/databases/mariadb_replication.nix
index b89c764..e857c41 100644
--- a/modules/private/databases/mariadb_replication.nix
+++ b/modules/private/databases/mariadb_replication.nix
@@ -140,7 +140,7 @@ in
140 140
141 filename=${backupDir}/$(${pkgs.coreutils}/bin/date -Iminutes).sql 141 filename=${backupDir}/$(${pkgs.coreutils}/bin/date -Iminutes).sql
142 ${hcfg.package}/bin/mysqldump \ 142 ${hcfg.package}/bin/mysqldump \
143 --defaults-file=${config.secrets.location}/mysql_replication/${name}/mysqldump \ 143 --defaults-file=${config.secrets.fullPaths."mysql_replication/${name}/mysqldump"} \
144 -S /run/mysqld_${name}/mysqld.sock \ 144 -S /run/mysqld_${name}/mysqld.sock \
145 --gtid \ 145 --gtid \
146 --master-data \ 146 --master-data \
@@ -194,7 +194,7 @@ in
194 if ! test -e ${dataDir}/mysql; then 194 if ! test -e ${dataDir}/mysql; then
195 if ! test -e ${dataDir}/initial.sql; then 195 if ! test -e ${dataDir}/initial.sql; then
196 ${hcfg.package}/bin/mysqldump \ 196 ${hcfg.package}/bin/mysqldump \
197 --defaults-file=${config.secrets.location}/mysql_replication/${name}/mysqldump_remote \ 197 --defaults-file=${config.secrets.fullPaths."mysql_replication/${name}/mysqldump_remote"} \
198 -h ${hcfg.host} \ 198 -h ${hcfg.host} \
199 -P ${hcfg.port} \ 199 -P ${hcfg.port} \
200 --ssl \ 200 --ssl \
@@ -235,7 +235,7 @@ in
235 cat \ 235 cat \
236 ${sql_before} \ 236 ${sql_before} \
237 ${dataDir}/initial.sql \ 237 ${dataDir}/initial.sql \
238 ${config.secrets.location}/mysql_replication/${name}/slave_init_commands \ 238 ${config.secrets.fullPaths."mysql_replication/${name}/slave_init_commands"} \
239 | ${hcfg.package}/bin/mysql \ 239 | ${hcfg.package}/bin/mysql \
240 --defaults-file=/etc/mysql/${name}_my.cnf \ 240 --defaults-file=/etc/mysql/${name}_my.cnf \
241 -S /run/mysqld_${name}/mysqld.sock \ 241 -S /run/mysqld_${name}/mysqld.sock \
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
index e00f4c2..f4851b5 100644
--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -98,7 +98,14 @@ in
98 permissions = "0400"; 98 permissions = "0400";
99 user = "openldap"; 99 user = "openldap";
100 group = "openldap"; 100 group = "openldap";
101 text = builtins.readFile "${cfg.accessFile}"; 101 text = builtins.readFile cfg.accessFile;
102 }
103 {
104 dest = "ldap";
105 permissions = "0500";
106 user = "openldap";
107 group = "openldap";
108 isDir = true;
102 } 109 }
103 ]; 110 ];
104 users.users.openldap.extraGroups = [ "keys" ]; 111 users.users.openldap.extraGroups = [ "keys" ];
@@ -115,7 +122,7 @@ in
115 122
116 services.filesWatcher.openldap = { 123 services.filesWatcher.openldap = {
117 restart = true; 124 restart = true;
118 paths = [ "${config.secrets.location}/ldap/" ]; 125 paths = [ config.secrets.fullPaths."ldap" ];
119 }; 126 };
120 127
121 services.openldap = { 128 services.openldap = {
@@ -132,9 +139,9 @@ in
132 overlay syncprov 139 overlay syncprov
133 syncprov-checkpoint 100 10 140 syncprov-checkpoint 100 10
134 141
135 include ${config.secrets.location}/ldap/access 142 include ${config.secrets.fullPaths."ldap/access"}
136 ''; 143 '';
137 rootpwFile = "${config.secrets.location}/ldap/password"; 144 rootpwFile = config.secrets.fullPaths."ldap/password";
138 suffix = cfg.baseDn; 145 suffix = cfg.baseDn;
139 rootdn = cfg.rootDn; 146 rootdn = cfg.rootDn;
140 database = "hdb"; 147 database = "hdb";
diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix
index df4101b..350eecf 100644
--- a/modules/private/databases/openldap_replication.nix
+++ b/modules/private/databases/openldap_replication.nix
@@ -23,7 +23,7 @@ let
23 index uid pres,eq 23 index uid pres,eq
24 index entryUUID eq 24 index entryUUID eq
25 25
26 include ${config.secrets.location}/openldap_replication/${name}/replication_config 26 include ${config.secrets.fullPaths."openldap_replication/${name}/replication_config"}
27 ''; 27 '';
28in 28in
29{ 29{
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix
index c442a63..e73bf69 100644
--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -214,14 +214,14 @@ in {
214 in { 214 in {
215 postgresql = { 215 postgresql = {
216 text = '' 216 text = ''
217 auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam 217 auth required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam"}
218 account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam 218 account required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam"}
219 ''; 219 '';
220 }; 220 };
221 postgresql_replication = { 221 postgresql_replication = {
222 text = '' 222 text = ''
223 auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication 223 auth required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam_replication"}
224 account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication 224 account required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam_replication"}
225 ''; 225 '';
226 }; 226 };
227 }; 227 };
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix
index bc6460f..5c5b8b0 100644
--- a/modules/private/databases/redis.nix
+++ b/modules/private/databases/redis.nix
@@ -49,7 +49,7 @@ in {
49 decrypt = true; 49 decrypt = true;
50 source = "0.0.0.0:16379"; 50 source = "0.0.0.0:16379";
51 target = "/run/redis/redis.sock"; 51 target = "/run/redis/redis.sock";
52 keyfile = "${config.secrets.location}/redis/spiped_keyfile"; 52 keyfile = config.secrets.fullPaths."redis/spiped_keyfile";
53 }; 53 };
54 }; 54 };
55 systemd.services.spiped_redis = { 55 systemd.services.spiped_redis = {
@@ -70,7 +70,7 @@ in {
70 70
71 services.filesWatcher.predixy = { 71 services.filesWatcher.predixy = {
72 restart = true; 72 restart = true;
73 paths = [ "${config.secrets.location}/redis/predixy.conf" ]; 73 paths = [ config.secrets.fullPaths."redis/predixy.conf" ];
74 }; 74 };
75 75
76 networking.firewall.allowedTCPPorts = [ 7617 16379 ]; 76 networking.firewall.allowedTCPPorts = [ 7617 16379 ];
@@ -126,7 +126,7 @@ in {
126 SupplementaryGroups = "keys"; 126 SupplementaryGroups = "keys";
127 Type = "simple"; 127 Type = "simple";
128 128
129 ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf"; 129 ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.fullPaths."redis/predixy.conf"}";
130 }; 130 };
131 131
132 }; 132 };
diff --git a/modules/private/databases/redis_replication.nix b/modules/private/databases/redis_replication.nix
index a3fe3bb..3caa7e9 100644
--- a/modules/private/databases/redis_replication.nix
+++ b/modules/private/databases/redis_replication.nix
@@ -64,7 +64,7 @@ in
64 encrypt = true; 64 encrypt = true;
65 source = "127.0.0.1:16379"; 65 source = "127.0.0.1:16379";
66 target = "${config.myEnv.servers.eldiron.ips.main.ip4}:16379"; 66 target = "${config.myEnv.servers.eldiron.ips.main.ip4}:16379";
67 keyfile = "${config.secrets.location}/redis/spiped_eldiron_keyfile"; 67 keyfile = config.secrets.fullPaths."redis/spiped_eldiron_keyfile";
68 }; 68 };
69 }; 69 };
70 70
@@ -162,7 +162,7 @@ in
162 unitConfig.RequiresMountsFor = dataDir; 162 unitConfig.RequiresMountsFor = dataDir;
163 163
164 serviceConfig = { 164 serviceConfig = {
165 ExecStart = "${hcfg.package}/bin/redis-server ${config.secrets.location}/redis_replication/${name}/config"; 165 ExecStart = "${hcfg.package}/bin/redis-server ${config.secrets.fullPaths."redis_replication/${name}/config"}";
166 User = "redis"; 166 User = "redis";
167 RuntimeDirectory = "redis_${name}"; 167 RuntimeDirectory = "redis_${name}";
168 }; 168 };
diff --git a/modules/private/dns.nix b/modules/private/dns.nix
index 7c59b43..32c52a9 100644
--- a/modules/private/dns.nix
+++ b/modules/private/dns.nix
@@ -10,7 +10,7 @@
10 ) listOfAttrs 10 ) listOfAttrs
11 ) [{}] (attrNames attrsOfLists); 11 ) [{}] (attrNames attrsOfLists);
12 cfg = config.services.bind; 12 cfg = config.services.bind;
13 keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"/var/secrets/bind/${v}.key\";") (builtins.attrNames config.myEnv.dns.keys)); 13 keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"${config.secrets.fullPaths."bind/${v}.key"}\";") (builtins.attrNames config.myEnv.dns.keys));
14 cartProduct = lib.foldr 14 cartProduct = lib.foldr
15 (s: servers: servers // { ${s.masters} = lib.unique ((servers.${s.masters} or []) ++ [s.keys]); }) 15 (s: servers: servers // { ${s.masters} = lib.unique ((servers.${s.masters} or []) ++ [s.keys]); })
16 {} 16 {}
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix
index 233031a..07db0f4 100644
--- a/modules/private/ftp.nix
+++ b/modules/private/ftp.nix
@@ -75,7 +75,7 @@ in
75 75
76 services.filesWatcher.pure-ftpd = { 76 services.filesWatcher.pure-ftpd = {
77 restart = true; 77 restart = true;
78 paths = [ "/var/secrets/pure-ftpd-ldap" ]; 78 paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ];
79 }; 79 };
80 80
81 systemd.services.pure-ftpd = let 81 systemd.services.pure-ftpd = let
@@ -94,7 +94,7 @@ in
94 SyslogFacility ftp 94 SyslogFacility ftp
95 DontResolve yes 95 DontResolve yes
96 MaxIdleTime 15 96 MaxIdleTime 15
97 LDAPConfigFile /var/secrets/pure-ftpd-ldap 97 LDAPConfigFile ${config.secrets.fullPaths."pure-ftpd-ldap"}
98 LimitRecursion 10000 8 98 LimitRecursion 10000 8
99 AnonymousCanCreateDirs no 99 AnonymousCanCreateDirs no
100 MaxLoad 4 100 MaxLoad 4
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix
index 4291993..172e216 100644
--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -19,6 +19,13 @@
19 config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) { 19 config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
20 secrets.keys = [ 20 secrets.keys = [
21 { 21 {
22 dest = "opendkim";
23 isDir = true;
24 user = config.services.opendkim.user;
25 group = config.services.opendkim.group;
26 permissions = "0550";
27 }
28 {
22 dest = "opendkim/eldiron.private"; 29 dest = "opendkim/eldiron.private";
23 user = config.services.opendkim.user; 30 user = config.services.opendkim.user;
24 group = config.services.opendkim.group; 31 group = config.services.opendkim.group;
@@ -45,7 +52,7 @@
45 ) 52 )
46 config.myEnv.dns.masterZones 53 config.myEnv.dns.masterZones
47 )); 54 ));
48 keyPath = "${config.secrets.location}/opendkim"; 55 keyPath = config.secrets.fullPaths."opendkim";
49 selector = "eldiron"; 56 selector = "eldiron";
50 configFile = pkgs.writeText "opendkim.conf" '' 57 configFile = pkgs.writeText "opendkim.conf" ''
51 SubDomains yes 58 SubDomains yes
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix
index 70c3f46..de5e59d 100644
--- a/modules/private/mail/postfix.nix
+++ b/modules/private/mail/postfix.nix
@@ -220,7 +220,7 @@
220 fi 220 fi
221 ''; 221 '';
222 scripts = lib.attrsets.mapAttrs (n: v: 222 scripts = lib.attrsets.mapAttrs (n: v:
223 toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = "/var/secrets/postfix/scripts/${n}-env"; }) 223 toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = config.secrets.fullPaths."postfix/scripts/${n}-env"; })
224 ) config.myEnv.mail.scripts // { 224 ) config.myEnv.mail.scripts // {
225 testmail = pkgs.writeScript "testmail" '' 225 testmail = pkgs.writeScript "testmail" ''
226 #! ${pkgs.stdenv.shell} 226 #! ${pkgs.stdenv.shell}
diff --git a/modules/private/monitoring/objects_backup-2.nix b/modules/private/monitoring/objects_backup-2.nix
index a930a7d..28032a4 100644
--- a/modules/private/monitoring/objects_backup-2.nix
+++ b/modules/private/monitoring/objects_backup-2.nix
@@ -62,7 +62,7 @@ in
62 passiveInfo = defaultPassiveInfo // { servicegroups = "webstatus-databases"; }; 62 passiveInfo = defaultPassiveInfo // { servicegroups = "webstatus-databases"; };
63 service_description = "Mysql replication for eldiron is up to date"; 63 service_description = "Mysql replication for eldiron is up to date";
64 use = "local-service"; 64 use = "local-service";
65 check_command = ["check_mysql_replication" "/run/mysqld_eldiron/mysqld.sock" "/var/secrets/mysql_replication/eldiron/client"]; 65 check_command = ["check_mysql_replication" "/run/mysqld_eldiron/mysqld.sock" config.secrets.fullPaths."mysql_replication/eldiron/client"];
66 } 66 }
67 { 67 {
68 passiveInfo = defaultPassiveInfo // { servicegroups = "webstatus-databases,webstatus-backup"; }; 68 passiveInfo = defaultPassiveInfo // { servicegroups = "webstatus-databases,webstatus-backup"; };
@@ -96,7 +96,7 @@ in
96 "check_openldap_replication" 96 "check_openldap_replication"
97 hcfg.url 97 hcfg.url
98 hcfg.dn 98 hcfg.dn
99 "${config.secrets.location}/openldap_replication/eldiron/replication_password" 99 config.secrets.fullPaths."openldap_replication/eldiron/replication_password"
100 hcfg.base 100 hcfg.base
101 ldapConfig 101 ldapConfig
102 ]; 102 ];
diff --git a/modules/private/mpd.nix b/modules/private/mpd.nix
index 1e6e666..f2e87bb 100644
--- a/modules/private/mpd.nix
+++ b/modules/private/mpd.nix
@@ -26,7 +26,7 @@
26 systemd.services.mpd.serviceConfig.RuntimeDirectory = "mpd"; 26 systemd.services.mpd.serviceConfig.RuntimeDirectory = "mpd";
27 services.filesWatcher.mpd = { 27 services.filesWatcher.mpd = {
28 restart = true; 28 restart = true;
29 paths = [ "/var/secrets/mpd-config" ]; 29 paths = [ config.secrets.fullPaths."mpd-config" ];
30 }; 30 };
31 31
32 services.mpd = { 32 services.mpd = {
@@ -34,7 +34,7 @@
34 network.listenAddress = "any"; 34 network.listenAddress = "any";
35 musicDirectory = config.myEnv.mpd.folder; 35 musicDirectory = config.myEnv.mpd.folder;
36 extraConfig = '' 36 extraConfig = ''
37 include "/var/secrets/mpd-config" 37 include "${config.secrets.fullPaths."mpd-config"}"
38 audio_output { 38 audio_output {
39 type "null" 39 type "null"
40 name "No Output" 40 name "No Output"
diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix
index aea3ac0..ca9b6fc 100644
--- a/modules/private/ssh/default.nix
+++ b/modules/private/ssh/default.nix
@@ -61,7 +61,7 @@ in
61 system.activationScripts.sshd = { 61 system.activationScripts.sshd = {
62 deps = [ "secrets" ]; 62 deps = [ "secrets" ];
63 text = '' 63 text = ''
64 install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password 64 install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password
65 ''; 65 '';
66 }; 66 };
67 # ssh is strict about parent directory having correct rights, don't 67 # ssh is strict about parent directory having correct rights, don't
diff --git a/modules/private/system.nix b/modules/private/system.nix
index c7e277c..8be7368 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -1,6 +1,14 @@
1{ pkgs, lib, config, name, nodes, ... }: 1{ pkgs, lib, config, name, nodes, ... }:
2{ 2{
3 config = { 3 config = {
4 deployment.secrets."secret_vars.yml" = {
5 source = builtins.toString ../../nixops/secrets/vars.yml;
6 destination = config.secrets.secretsVars;
7 owner.user = "root";
8 owner.group = "root";
9 permissions = "0400";
10 };
11
4 networking.extraHosts = builtins.concatStringsSep "\n" 12 networking.extraHosts = builtins.concatStringsSep "\n"
5 (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes); 13 (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes);
6 14
@@ -9,6 +17,7 @@
9 secrets.gpgKeys = [ 17 secrets.gpgKeys = [
10 ../../nixops/public_keys/Immae.pub 18 ../../nixops/public_keys/Immae.pub
11 ]; 19 ];
20 secrets.secretsVars = "/run/keys/vars.yml";
12 21
13 services.openssh.enable = true; 22 services.openssh.enable = true;
14 23
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
index 6c570c8..0830f18 100644
--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -125,7 +125,7 @@
125 services.netdata.config.health."enabled" = "no"; 125 services.netdata.config.health."enabled" = "no";
126 services.netdata.config.web.mode = "none"; 126 services.netdata.config.web.mode = "none";
127 users.users."${config.services.netdata.user}".extraGroups = [ "keys" ]; 127 users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
128 environment.etc."netdata/stream.conf".source = "/var/secrets/netdata-stream.conf"; 128 environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
129 secrets.keys = [ 129 secrets.keys = [
130 { 130 {
131 dest = "netdata-stream.conf"; 131 dest = "netdata-stream.conf";
diff --git a/modules/private/system/monitoring-1.nix b/modules/private/system/monitoring-1.nix
index e335080..91d30fd 100644
--- a/modules/private/system/monitoring-1.nix
+++ b/modules/private/system/monitoring-1.nix
@@ -43,7 +43,7 @@
43 services.netdata.config.web."allow netdata.conf from" = "fd*"; 43 services.netdata.config.web."allow netdata.conf from" = "fd*";
44 services.netdata.config.web."allow management from" = "fd*"; 44 services.netdata.config.web."allow management from" = "fd*";
45 networking.firewall.allowedTCPPorts = [ 19999 ]; 45 networking.firewall.allowedTCPPorts = [ 19999 ];
46 environment.etc."netdata/stream.conf".source = "/var/secrets/netdata-stream.conf"; 46 environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
47 47
48 secrets.keys = [ 48 secrets.keys = [
49 { 49 {
diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix
index 0148650..491e215 100644
--- a/modules/private/system/quatresaisons.nix
+++ b/modules/private/system/quatresaisons.nix
@@ -53,7 +53,7 @@ let
53 chmod go-rwx /var/lib/nixos/sponsored_users 53 chmod go-rwx /var/lib/nixos/sponsored_users
54 echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users 54 echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users
55 (${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \ 55 (${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \
56 -y /var/secrets/ldap/sync_password 2>/dev/null >/dev/null || true) <<EOF 56 -y ${config.secrets.fullPaths."ldap/sync_password"} 2>/dev/null >/dev/null || true) <<EOF
57 dn: uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org 57 dn: uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org
58 objectClass: inetOrgPerson 58 objectClass: inetOrgPerson
59 cn: $1 59 cn: $1
@@ -74,7 +74,7 @@ let
74 userdel -r "$1" 74 userdel -r "$1"
75 sed -i -e "/^$mygroup $1/d" /var/lib/nixos/sponsored_users 75 sed -i -e "/^$mygroup $1/d" /var/lib/nixos/sponsored_users
76 ${pkgs.openldap}/bin/ldapdelete -D cn=root,dc=salle-s,dc=org \ 76 ${pkgs.openldap}/bin/ldapdelete -D cn=root,dc=salle-s,dc=org \
77 -y /var/secrets/ldap/sync_password \ 77 -y ${config.secrets.fullPaths."ldap/sync_password"} \
78 "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org" 78 "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
79 echo "deleted" 79 echo "deleted"
80 exit 0 80 exit 0
@@ -103,7 +103,7 @@ let
103 if [ "$1" = "$mygroup" ]; then 103 if [ "$1" = "$mygroup" ]; then
104 log "resets web password" 104 log "resets web password"
105 ${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \ 105 ${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
106 -y /var/secrets/ldap/sync_password \ 106 -y ${config.secrets.fullPaths."ldap/sync_password"} \
107 -S "uid=$mygroup,ou=users,dc=salle-s,dc=org" 107 -S "uid=$mygroup,ou=users,dc=salle-s,dc=org"
108 else 108 else
109 IFS=","; 109 IFS=",";
@@ -111,7 +111,7 @@ let
111 if [ "$u" = "$1" ]; then 111 if [ "$u" = "$1" ]; then
112 log "resets web password of $1" 112 log "resets web password of $1"
113 ${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \ 113 ${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
114 -y /var/secrets/ldap/sync_password \ 114 -y ${config.secrets.fullPaths."ldap/sync_password"} \
115 -S "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org" 115 -S "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
116 exit 0 116 exit 0
117 fi 117 fi
@@ -221,10 +221,10 @@ in
221 deps = [ "secrets" "users" ]; 221 deps = [ "secrets" "users" ];
222 text = 222 text =
223 let 223 let
224 com = "-D cn=root,dc=salle-s,dc=org -y /var/secrets/ldap/sync_password"; 224 com = "-D cn=root,dc=salle-s,dc=org -y ${config.secrets.fullPaths."ldap/sync_password"}";
225 in '' 225 in ''
226 # Add users 226 # Add users
227 ${pkgs.openldap}/bin/ldapadd -c ${com} -f /var/secrets/ldap/ldaptree.ldif 2>/dev/null >/dev/null || true 227 ${pkgs.openldap}/bin/ldapadd -c ${com} -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} 2>/dev/null >/dev/null || true
228 228
229 # Remove obsolete users 229 # Remove obsolete users
230 ${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\ 230 ${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\
diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix
index 8748058..68ce274 100644
--- a/modules/private/system/quatresaisons/databases.nix
+++ b/modules/private/system/quatresaisons/databases.nix
@@ -2,7 +2,7 @@
2{ 2{
3 config = let 3 config = let
4 serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons; 4 serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
5 phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; }; 5 phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
6 in { 6 in {
7 services.postgresql.enable = true; 7 services.postgresql.enable = true;
8 services.postgresql.package = pkgs.postgresql_12; 8 services.postgresql.package = pkgs.postgresql_12;
@@ -94,7 +94,7 @@
94 by anonymous auth 94 by anonymous auth
95 by * break 95 by * break
96 ''; 96 '';
97 rootpwFile = "${config.secrets.location}/ldap/password"; 97 rootpwFile = config.secrets.fullPaths."ldap/password";
98 suffix = "dc=salle-s,dc=org"; 98 suffix = "dc=salle-s,dc=org";
99 rootdn = "cn=root,dc=salle-s,dc=org"; 99 rootdn = "cn=root,dc=salle-s,dc=org";
100 database = "hdb"; 100 database = "hdb";
@@ -120,7 +120,7 @@
120 group = "wwwrun"; 120 group = "wwwrun";
121 settings = 121 settings =
122 let 122 let
123 basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ]; 123 basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ];
124 in { 124 in {
125 "listen.owner" = "wwwrun"; 125 "listen.owner" = "wwwrun";
126 "listen.group" = "wwwrun"; 126 "listen.group" = "wwwrun";
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix
index a678374..b3f1b7b 100644
--- a/modules/private/tasks/default.nix
+++ b/modules/private/tasks/default.nix
@@ -161,7 +161,7 @@ in {
161 dateformat=${dateFormat} 161 dateformat=${dateFormat}
162 ''; 162 '';
163 }) env.taskwarrior-web); 163 }) env.taskwarrior-web);
164 services.websites.env.tools.watchPaths = [ "/var/secrets/webapps/tools-taskwarrior-web" ]; 164 services.websites.env.tools.watchPaths = [ config.secrets.fullPaths."webapps/tools-taskwarrior-web" ];
165 services.websites.env.tools.modules = [ "proxy_fcgi" "sed" ]; 165 services.websites.env.tools.modules = [ "proxy_fcgi" "sed" ];
166 services.websites.env.tools.vhostConfs.task = { 166 services.websites.env.tools.vhostConfs.task = {
167 certName = "eldiron"; 167 certName = "eldiron";
@@ -176,7 +176,7 @@ in {
176 <FilesMatch "\.php$"> 176 <FilesMatch "\.php$">
177 SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost" 177 SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost"
178 </FilesMatch> 178 </FilesMatch>
179 Include /var/secrets/webapps/tools-taskwarrior-web 179 Include ${config.secrets.fullPaths."webapps/tools-taskwarrior-web"}
180 </Directory> 180 </Directory>
181 '' 181 ''
182 '' 182 ''
@@ -328,7 +328,7 @@ in {
328 after = [ "network.target" ]; 328 after = [ "network.target" ];
329 path = [ pkgs.taskwarrior ]; 329 path = [ pkgs.taskwarrior ];
330 330
331 environment.TASKRC = "/var/secrets/webapps/tools-taskwarrior/${name}-taskrc"; 331 environment.TASKRC = config.secrets.fullPaths."webapps/tools-taskwarrior/${name}-taskrc";
332 environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}"; 332 environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
333 environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile"; 333 environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
334 environment.LC_ALL = "fr_FR.UTF-8"; 334 environment.LC_ALL = "fr_FR.UTF-8";
diff --git a/modules/private/websites/connexionswing/app/default.nix b/modules/private/websites/connexionswing/app/default.nix
index 31e88db..b14b03b 100644
--- a/modules/private/websites/connexionswing/app/default.nix
+++ b/modules/private/websites/connexionswing/app/default.nix
@@ -1,6 +1,4 @@
1{ environment ? "prod" 1{ environment, varDir, secretsPath
2, varDir ? "/var/lib/connexionswing_${environment}"
3, secretsPath ? "/var/secrets/webapps/${environment}-connexionswing"
4, composerEnv, fetchurl, fetchgit, sources }: 2, composerEnv, fetchurl, fetchgit, sources }:
5let 3let
6 app = composerEnv.buildPackage ( 4 app = composerEnv.buildPackage (
diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix
index 809f615..8fb6a4d 100644
--- a/modules/private/websites/default.nix
+++ b/modules/private/websites/default.nix
@@ -52,7 +52,7 @@ let
52 LDAPOpCacheTTL 600 52 LDAPOpCacheTTL 600
53 </IfModule> 53 </IfModule>
54 54
55 Include /var/secrets/apache-ldap 55 Include ${config.secrets.fullPaths."apache-ldap"}
56 ''; 56 '';
57 }; 57 };
58 global = { 58 global = {
@@ -149,9 +149,9 @@ in
149 }; 149 };
150 }; 150 };
151 151
152 services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ]; 152 services.filesWatcher.httpdProd.paths = [ config.secrets.fullPaths."apache-ldap" ];
153 services.filesWatcher.httpdInte.paths = [ "/var/secrets/apache-ldap" ]; 153 services.filesWatcher.httpdInte.paths = [ config.secrets.fullPaths."apache-ldap" ];
154 services.filesWatcher.httpdTools.paths = [ "/var/secrets/apache-ldap" ]; 154 services.filesWatcher.httpdTools.paths = [ config.secrets.fullPaths."apache-ldap" ];
155 155
156 services.websites.env.production = { 156 services.websites.env.production = {
157 enable = true; 157 enable = true;
diff --git a/modules/private/websites/florian/app/default.nix b/modules/private/websites/florian/app/default.nix
index 2ef0e86..28a7ec1 100644
--- a/modules/private/websites/florian/app/default.nix
+++ b/modules/private/websites/florian/app/default.nix
@@ -1,6 +1,4 @@
1{ environment ? "prod" 1{ environment, varDir, secretsPath
2, varDir ? "/var/lib/tellesflorian_${environment}"
3, secretsPath ? "/var/secrets/webapps/${environment}-tellesflorian"
4, composerEnv, fetchurl, sources }: 2, composerEnv, fetchurl, sources }:
5let 3let
6 app = composerEnv.buildPackage ( 4 app = composerEnv.buildPackage (
diff --git a/modules/private/websites/immae/temp.nix b/modules/private/websites/immae/temp.nix
index fd54f5e..8518283 100644
--- a/modules/private/websites/immae/temp.nix
+++ b/modules/private/websites/immae/temp.nix
@@ -56,7 +56,7 @@ in {
56 exec ${pkgs.webapps.surfer}/bin/surfer-server ${varDir} 56 exec ${pkgs.webapps.surfer}/bin/surfer-server ${varDir}
57 ''; 57 '';
58 serviceConfig = { 58 serviceConfig = {
59 EnvironmentFile = "/var/secrets/webapps/surfer"; 59 EnvironmentFile = config.secrets.fullPaths."webapps/surfer";
60 User = "wwwrun"; 60 User = "wwwrun";
61 Group = "wwwrun"; 61 Group = "wwwrun";
62 StateDirectory = "surfer"; 62 StateDirectory = "surfer";
diff --git a/modules/private/websites/ludivine/app/default.nix b/modules/private/websites/ludivine/app/default.nix
index 6e751b0..323b6e0 100644
--- a/modules/private/websites/ludivine/app/default.nix
+++ b/modules/private/websites/ludivine/app/default.nix
@@ -1,6 +1,4 @@
1{ environment ? "prod" 1{ environment, varDir, secretsPath
2, varDir ? "/var/lib/ludivinecassal_${environment}"
3, secretsPath ? "/var/secrets/webapps/${environment}-ludivinecassal"
4, composerEnv, fetchurl, fetchgit, imagemagick, sass, ruby, sources }: 2, composerEnv, fetchurl, fetchgit, imagemagick, sass, ruby, sources }:
5let 3let
6 app = composerEnv.buildPackage ( 4 app = composerEnv.buildPackage (
diff --git a/modules/private/websites/piedsjaloux/app/default.nix b/modules/private/websites/piedsjaloux/app/default.nix
index a3d48bd..4525a18 100644
--- a/modules/private/websites/piedsjaloux/app/default.nix
+++ b/modules/private/websites/piedsjaloux/app/default.nix
@@ -1,6 +1,4 @@
1{ environment ? "prod" 1{ environment, varDir, secretsPath
2, varDir ? "/var/lib/piedsjaloux_${environment}"
3, secretsPath ? "/var/secrets/webapps/${environment}-piedsjaloux"
4, composerEnv, fetchurl, fetchgit, sources }: 2, composerEnv, fetchurl, fetchgit, sources }:
5let 3let
6 app = composerEnv.buildPackage ( 4 app = composerEnv.buildPackage (
diff --git a/modules/private/websites/tools/cloud/default.nix b/modules/private/websites/tools/cloud/default.nix
index c374940..471858a 100644
--- a/modules/private/websites/tools/cloud/default.nix
+++ b/modules/private/websites/tools/cloud/default.nix
@@ -157,7 +157,7 @@ in {
157 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: 157 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v:
158 "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json" 158 "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json"
159 ) confs)} 159 ) confs)}
160 #install -D -m 0600 -o wwwrun -g wwwrun -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php 160 #install -D -m 0600 -o wwwrun -g wwwrun -T ${config.secrets.fullPaths."webapps/tools-nextcloud"} ${varDir}/config/config.php
161 ''; 161 '';
162 }; 162 };
163 # FIXME: add a warning when config.php changes 163 # FIXME: add a warning when config.php changes
diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix
index 9d6cd21..eeac1b5 100644
--- a/modules/private/websites/tools/dav/davical.nix
+++ b/modules/private/websites/tools/dav/davical.nix
@@ -1,4 +1,4 @@
1{ stdenv, fetchurl, gettext, writeText, env, awl, davical }: 1{ stdenv, fetchurl, gettext, writeText, env, awl, davical, config }:
2rec { 2rec {
3 activationScript = { 3 activationScript = {
4 deps = [ "httpd" ]; 4 deps = [ "httpd" ];
@@ -65,7 +65,7 @@ rec {
65 include('drivers_ldap.php'); 65 include('drivers_ldap.php');
66 ''; 66 '';
67 }]; 67 }];
68 webapp = davical.override { davical_config = "/var/secrets/webapps/dav-davical"; }; 68 webapp = davical.override { davical_config = config.secrets.fullPaths."webapps/dav-davical"; };
69 webRoot = "${webapp}/htdocs"; 69 webRoot = "${webapp}/htdocs";
70 apache = rec { 70 apache = rec {
71 user = "wwwrun"; 71 user = "wwwrun";
@@ -110,7 +110,7 @@ rec {
110 }; 110 };
111 phpFpm = rec { 111 phpFpm = rec {
112 serviceDeps = [ "postgresql.service" "openldap.service" ]; 112 serviceDeps = [ "postgresql.service" "openldap.service" ];
113 basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ]; 113 basedir = builtins.concatStringsSep ":" [ webapp config.secrets.fullPaths."webapps/dav-davical" awl ];
114 pool = { 114 pool = {
115 "listen.owner" = apache.user; 115 "listen.owner" = apache.user;
116 "listen.group" = apache.group; 116 "listen.group" = apache.group;
diff --git a/modules/private/websites/tools/dav/default.nix b/modules/private/websites/tools/dav/default.nix
index f53cf58..c54e152 100644
--- a/modules/private/websites/tools/dav/default.nix
+++ b/modules/private/websites/tools/dav/default.nix
@@ -18,6 +18,7 @@ let
18 davical = pkgs.callPackage ./davical.nix { 18 davical = pkgs.callPackage ./davical.nix {
19 env = config.myEnv.tools.davical; 19 env = config.myEnv.tools.davical;
20 inherit (pkgs.webapps) davical awl; 20 inherit (pkgs.webapps) davical awl;
21 inherit config;
21 }; 22 };
22 23
23 cfg = config.myServices.websites.tools.dav; 24 cfg = config.myServices.websites.tools.dav;
diff --git a/modules/private/websites/tools/diaspora/default.nix b/modules/private/websites/tools/diaspora/default.nix
index 5d2b19f..663fe88 100644
--- a/modules/private/websites/tools/diaspora/default.nix
+++ b/modules/private/websites/tools/diaspora/default.nix
@@ -18,6 +18,13 @@ in {
18 18
19 secrets.keys = [ 19 secrets.keys = [
20 { 20 {
21 dest = "webapps/diaspora";
22 isDir = true;
23 user = "diaspora";
24 group = "diaspora";
25 permissions = "0500";
26 }
27 {
21 dest = "webapps/diaspora/diaspora.yml"; 28 dest = "webapps/diaspora/diaspora.yml";
22 user = "diaspora"; 29 user = "diaspora";
23 group = "diaspora"; 30 group = "diaspora";
@@ -146,7 +153,7 @@ in {
146 package = pkgs.webapps.diaspora.override { ldap = true; }; 153 package = pkgs.webapps.diaspora.override { ldap = true; };
147 dataDir = "/var/lib/diaspora_immae"; 154 dataDir = "/var/lib/diaspora_immae";
148 adminEmail = "diaspora@tools.immae.eu"; 155 adminEmail = "diaspora@tools.immae.eu";
149 configDir = "/var/secrets/webapps/diaspora"; 156 configDir = config.secrets.fullPaths."webapps/diaspora";
150 }; 157 };
151 158
152 services.filesWatcher.diaspora = { 159 services.filesWatcher.diaspora = {
diff --git a/modules/private/websites/tools/ether/default.nix b/modules/private/websites/tools/ether/default.nix
index 3350a4a..64e411d 100644
--- a/modules/private/websites/tools/ether/default.nix
+++ b/modules/private/websites/tools/ether/default.nix
@@ -166,9 +166,9 @@ in {
166 p.ep_timesliderdiff 166 p.ep_timesliderdiff
167 ]); 167 ]);
168 modules = []; 168 modules = [];
169 sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey"; 169 sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
170 apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey"; 170 apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
171 configFile = "/var/secrets/webapps/tools-etherpad"; 171 configFile = config.secrets.fullPaths."webapps/tools-etherpad";
172 }; 172 };
173 173
174 systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys"; 174 systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
diff --git a/modules/private/websites/tools/git/default.nix b/modules/private/websites/tools/git/default.nix
index 8b1afa8..755bab0 100644
--- a/modules/private/websites/tools/git/default.nix
+++ b/modules/private/websites/tools/git/default.nix
@@ -3,6 +3,7 @@ let
3 mantisbt = pkgs.callPackage ./mantisbt.nix { 3 mantisbt = pkgs.callPackage ./mantisbt.nix {
4 inherit (pkgs.webapps) mantisbt_2 mantisbt_2-plugins; 4 inherit (pkgs.webapps) mantisbt_2 mantisbt_2-plugins;
5 env = config.myEnv.tools.mantisbt; 5 env = config.myEnv.tools.mantisbt;
6 inherit config;
6 }; 7 };
7 gitweb = pkgs.callPackage ./gitweb.nix { 8 gitweb = pkgs.callPackage ./gitweb.nix {
8 gitoliteDir = config.myServices.gitolite.gitoliteDir; 9 gitoliteDir = config.myServices.gitolite.gitoliteDir;
diff --git a/modules/private/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix
index 9996d23..e6a8da7 100644
--- a/modules/private/websites/tools/git/mantisbt.nix
+++ b/modules/private/websites/tools/git/mantisbt.nix
@@ -1,4 +1,4 @@
1{ env, mantisbt_2, mantisbt_2-plugins }: 1{ env, mantisbt_2, mantisbt_2-plugins, config }:
2rec { 2rec {
3 activationScript = { 3 activationScript = {
4 deps = [ "httpd" ]; 4 deps = [ "httpd" ];
@@ -46,7 +46,7 @@ rec {
46 $g_ldap_organization = '${env.ldap.filter}'; 46 $g_ldap_organization = '${env.ldap.filter}';
47 ''; 47 '';
48 }]; 48 }];
49 webRoot = (mantisbt_2.override { mantis_config = "/var/secrets/webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]); 49 webRoot = (mantisbt_2.override { mantis_config = config.secrets.fullPaths."webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]);
50 apache = rec { 50 apache = rec {
51 user = "wwwrun"; 51 user = "wwwrun";
52 group = "wwwrun"; 52 group = "wwwrun";
@@ -75,7 +75,7 @@ rec {
75 phpFpm = rec { 75 phpFpm = rec {
76 serviceDeps = [ "postgresql.service" "openldap.service" ]; 76 serviceDeps = [ "postgresql.service" "openldap.service" ];
77 basedir = builtins.concatStringsSep ":" ( 77 basedir = builtins.concatStringsSep ":" (
78 [ webRoot "/var/secrets/webapps/tools-mantisbt" ] 78 [ webRoot config.secrets.fullPaths."webapps/tools-mantisbt" ]
79 ++ webRoot.plugins); 79 ++ webRoot.plugins);
80 pool = { 80 pool = {
81 "listen.owner" = apache.user; 81 "listen.owner" = apache.user;
diff --git a/modules/private/websites/tools/mail/default.nix b/modules/private/websites/tools/mail/default.nix
index 4636a6c..033a587 100644
--- a/modules/private/websites/tools/mail/default.nix
+++ b/modules/private/websites/tools/mail/default.nix
@@ -3,6 +3,7 @@ let
3 roundcubemail = pkgs.callPackage ./roundcubemail.nix { 3 roundcubemail = pkgs.callPackage ./roundcubemail.nix {
4 inherit (pkgs.webapps) roundcubemail; 4 inherit (pkgs.webapps) roundcubemail;
5 env = config.myEnv.tools.roundcubemail; 5 env = config.myEnv.tools.roundcubemail;
6 inherit config;
6 }; 7 };
7 rainloop = pkgs.callPackage ./rainloop.nix { 8 rainloop = pkgs.callPackage ./rainloop.nix {
8 rainloop = pkgs.rainloop-community; 9 rainloop = pkgs.rainloop-community;
diff --git a/modules/private/websites/tools/mail/roundcubemail.nix b/modules/private/websites/tools/mail/roundcubemail.nix
index bb7dee9..7d8e733 100644
--- a/modules/private/websites/tools/mail/roundcubemail.nix
+++ b/modules/private/websites/tools/mail/roundcubemail.nix
@@ -1,4 +1,4 @@
1{ env, roundcubemail, apacheHttpd }: 1{ env, roundcubemail, apacheHttpd, config }:
2rec { 2rec {
3 varDir = "/var/lib/roundcubemail"; 3 varDir = "/var/lib/roundcubemail";
4 activationScript = { 4 activationScript = {
@@ -75,7 +75,7 @@ rec {
75 $config['mime_types'] = '${apacheHttpd}/conf/mime.types'; 75 $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
76 ''; 76 '';
77 }]; 77 }];
78 webRoot = (roundcubemail.override { roundcube_config = "/var/secrets/webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]); 78 webRoot = (roundcubemail.override { roundcube_config = config.secrets.fullPaths."webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]);
79 apache = rec { 79 apache = rec {
80 user = "wwwrun"; 80 user = "wwwrun";
81 group = "wwwrun"; 81 group = "wwwrun";
@@ -99,7 +99,7 @@ rec {
99 phpFpm = rec { 99 phpFpm = rec {
100 serviceDeps = [ "postgresql.service" ]; 100 serviceDeps = [ "postgresql.service" ];
101 basedir = builtins.concatStringsSep ":" ( 101 basedir = builtins.concatStringsSep ":" (
102 [ webRoot "/var/secrets/webapps/tools-roundcube" varDir ] 102 [ webRoot config.secrets.fullPaths."webapps/tools-roundcube" varDir ]
103 ++ webRoot.plugins 103 ++ webRoot.plugins
104 ++ webRoot.skins); 104 ++ webRoot.skins);
105 pool = { 105 pool = {
diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix
index 80d7431..cea8710 100644
--- a/modules/private/websites/tools/mastodon/default.nix
+++ b/modules/private/websites/tools/mastodon/default.nix
@@ -62,7 +62,7 @@ in {
62 }]; 62 }];
63 services.mastodon = { 63 services.mastodon = {
64 enable = true; 64 enable = true;
65 configFile = "/var/secrets/webapps/tools-mastodon"; 65 configFile = config.secrets.fullPaths."webapps/tools-mastodon";
66 socketsPrefix = "live_immae"; 66 socketsPrefix = "live_immae";
67 dataDir = "/var/lib/mastodon_immae"; 67 dataDir = "/var/lib/mastodon_immae";
68 }; 68 };
diff --git a/modules/private/websites/tools/mgoblin/default.nix b/modules/private/websites/tools/mgoblin/default.nix
index 719d3d3..6d6a5a4 100644
--- a/modules/private/websites/tools/mgoblin/default.nix
+++ b/modules/private/websites/tools/mgoblin/default.nix
@@ -84,7 +84,7 @@ in {
84 services.mediagoblin = { 84 services.mediagoblin = {
85 enable = true; 85 enable = true;
86 package = pkgs.webapps.mediagoblin.withPlugins (p: [p.basicsearch]); 86 package = pkgs.webapps.mediagoblin.withPlugins (p: [p.basicsearch]);
87 configFile = "/var/secrets/webapps/tools-mediagoblin"; 87 configFile = config.secrets.fullPaths."webapps/tools-mediagoblin";
88 }; 88 };
89 services.filesWatcher.mediagoblin-web = { 89 services.filesWatcher.mediagoblin-web = {
90 restart = true; 90 restart = true;
diff --git a/modules/private/websites/tools/peertube/default.nix b/modules/private/websites/tools/peertube/default.nix
index d2cbe40..7dcc998 100644
--- a/modules/private/websites/tools/peertube/default.nix
+++ b/modules/private/websites/tools/peertube/default.nix
@@ -14,7 +14,7 @@ in {
14 }; 14 };
15 services.peertube = { 15 services.peertube = {
16 enable = true; 16 enable = true;
17 configFile = "/var/secrets/webapps/tools-peertube"; 17 configFile = config.secrets.fullPaths."webapps/tools-peertube";
18 }; 18 };
19 users.users.peertube.extraGroups = [ "keys" ]; 19 users.users.peertube.extraGroups = [ "keys" ];
20 20
diff --git a/modules/private/websites/tools/performance/default.nix b/modules/private/websites/tools/performance/default.nix
index df2b58d..5afd639 100644
--- a/modules/private/websites/tools/performance/default.nix
+++ b/modules/private/websites/tools/performance/default.nix
@@ -80,7 +80,7 @@ in
80 "pm.min_spare_servers" = "1"; 80 "pm.min_spare_servers" = "1";
81 "pm.max_spare_servers" = "10"; 81 "pm.max_spare_servers" = "10";
82 82
83 "php_admin_value[open_basedir]" = "${package}:/tmp:/var/secrets/status_engine_ui"; 83 "php_admin_value[open_basedir]" = "${package}:/tmp:${config.secrets.fullPaths."status_engine_ui"}";
84 }; 84 };
85 phpPackage = pkgs.php74; 85 phpPackage = pkgs.php74;
86 }; 86 };
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix
index ac92ef4..ada6253 100644
--- a/modules/private/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -12,8 +12,10 @@ let
12 inherit (pkgs.webapps) ttrss ttrss-plugins; 12 inherit (pkgs.webapps) ttrss ttrss-plugins;
13 env = config.myEnv.tools.ttrss; 13 env = config.myEnv.tools.ttrss;
14 php = pkgs.php72; 14 php = pkgs.php72;
15 inherit config;
15 }; 16 };
16 kanboard = pkgs.callPackage ./kanboard.nix { 17 kanboard = pkgs.callPackage ./kanboard.nix {
18 inherit config;
17 env = config.myEnv.tools.kanboard; 19 env = config.myEnv.tools.kanboard;
18 }; 20 };
19 wallabag = pkgs.callPackage ./wallabag.nix { 21 wallabag = pkgs.callPackage ./wallabag.nix {
@@ -23,10 +25,12 @@ let
23 }; 25 };
24 }; 26 };
25 env = config.myEnv.tools.wallabag; 27 env = config.myEnv.tools.wallabag;
28 inherit config;
26 }; 29 };
27 yourls = pkgs.callPackage ./yourls.nix { 30 yourls = pkgs.callPackage ./yourls.nix {
28 inherit (pkgs.webapps) yourls yourls-plugins; 31 inherit (pkgs.webapps) yourls yourls-plugins;
29 env = config.myEnv.tools.yourls; 32 env = config.myEnv.tools.yourls;
33 inherit config;
30 }; 34 };
31 rompr = pkgs.callPackage ./rompr.nix { 35 rompr = pkgs.callPackage ./rompr.nix {
32 inherit (pkgs.webapps) rompr; 36 inherit (pkgs.webapps) rompr;
@@ -34,6 +38,7 @@ let
34 }; 38 };
35 shaarli = pkgs.callPackage ./shaarli.nix { 39 shaarli = pkgs.callPackage ./shaarli.nix {
36 env = config.myEnv.tools.shaarli; 40 env = config.myEnv.tools.shaarli;
41 inherit config;
37 }; 42 };
38 dokuwiki = pkgs.callPackage ./dokuwiki.nix { 43 dokuwiki = pkgs.callPackage ./dokuwiki.nix {
39 inherit (pkgs.webapps) dokuwiki dokuwiki-plugins; 44 inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
@@ -41,6 +46,7 @@ let
41 ldap = pkgs.callPackage ./ldap.nix { 46 ldap = pkgs.callPackage ./ldap.nix {
42 inherit (pkgs.webapps) phpldapadmin; 47 inherit (pkgs.webapps) phpldapadmin;
43 env = config.myEnv.tools.phpldapadmin; 48 env = config.myEnv.tools.phpldapadmin;
49 inherit config;
44 }; 50 };
45 grocy = pkgs.callPackage ./grocy.nix { 51 grocy = pkgs.callPackage ./grocy.nix {
46 grocy = pkgs.webapps.grocy.override { composerEnv = pkgs.composerEnv.override { php = pkgs.php72; }; }; 52 grocy = pkgs.webapps.grocy.override { composerEnv = pkgs.composerEnv.override { php = pkgs.php72; }; };
@@ -56,6 +62,7 @@ let
56 }; 62 };
57 dmarc-reports = pkgs.callPackage ./dmarc_reports.nix { 63 dmarc-reports = pkgs.callPackage ./dmarc_reports.nix {
58 env = config.myEnv.tools.dmarc_reports; 64 env = config.myEnv.tools.dmarc_reports;
65 inherit config;
59 }; 66 };
60 csp-reports = pkgs.callPackage ./csp_reports.nix { 67 csp-reports = pkgs.callPackage ./csp_reports.nix {
61 env = config.myEnv.tools.csp_reports; 68 env = config.myEnv.tools.csp_reports;
@@ -188,8 +195,8 @@ in {
188 Require all granted 195 Require all granted
189 </Directory> 196 </Directory>
190 197
191 Alias /webhooks ${config.secrets.location}/webapps/webhooks 198 Alias /webhooks ${config.secrets.fullPaths."webapps/webhooks"}
192 <Directory "${config.secrets.location}/webapps/webhooks"> 199 <Directory "${config.secrets.fullPaths."webapps/webhooks"}">
193 Options -Indexes 200 Options -Indexes
194 Require all granted 201 Require all granted
195 AllowOverride None 202 AllowOverride None
@@ -271,7 +278,7 @@ in {
271 description = "Standalone MPD Web GUI written in C"; 278 description = "Standalone MPD Web GUI written in C";
272 wantedBy = [ "multi-user.target" ]; 279 wantedBy = [ "multi-user.target" ];
273 script = '' 280 script = ''
274 export MPD_PASSWORD=$(cat /var/secrets/mpd) 281 export MPD_PASSWORD=$(cat ${config.secrets.fullPaths."mpd"})
275 ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody 282 ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
276 ''; 283 '';
277 }; 284 };
@@ -293,7 +300,7 @@ in {
293 300
294 services.filesWatcher.ympd = { 301 services.filesWatcher.ympd = {
295 restart = true; 302 restart = true;
296 paths = [ "/var/secrets/mpd" ]; 303 paths = [ config.secrets.fullPaths."mpd" ];
297 }; 304 };
298 305
299 services.phpfpm.pools = { 306 services.phpfpm.pools = {
@@ -313,9 +320,9 @@ in {
313 "php_value[session.name]" = "ToolsPHPSESSID"; 320 "php_value[session.name]" = "ToolsPHPSESSID";
314 "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [ 321 "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [
315 "/run/wrappers/bin/sendmail" landing "/tmp" 322 "/run/wrappers/bin/sendmail" landing "/tmp"
316 "${config.secrets.location}/webapps/webhooks" 323 config.secrets.fullPaths."webapps/webhooks"
317 ]; 324 ];
318 "include" = "${config.secrets.location}/webapps/tools-csp-reports.conf"; 325 "include" = config.secrets.fullPaths."webapps/tools-csp-reports.conf";
319 }; 326 };
320 phpEnv = { 327 phpEnv = {
321 CONTACT_EMAIL = config.myEnv.tools.contact; 328 CONTACT_EMAIL = config.myEnv.tools.contact;
@@ -438,11 +445,11 @@ in {
438 }; 445 };
439 446
440 services.websites.env.tools.watchPaths = [ 447 services.websites.env.tools.watchPaths = [
441 "/var/secrets/webapps/tools-shaarli" 448 config.secrets.fullPaths."webapps/tools-shaarli"
442 ]; 449 ];
443 services.filesWatcher.phpfpm-wallabag = { 450 services.filesWatcher.phpfpm-wallabag = {
444 restart = true; 451 restart = true;
445 paths = [ "/var/secrets/webapps/tools-wallabag" ]; 452 paths = [ config.secrets.fullPaths."webapps/tools-wallabag" ];
446 }; 453 };
447 454
448 }; 455 };
diff --git a/modules/private/websites/tools/tools/dmarc_reports.nix b/modules/private/websites/tools/tools/dmarc_reports.nix
index e264e80..5fdf0b6 100644
--- a/modules/private/websites/tools/tools/dmarc_reports.nix
+++ b/modules/private/websites/tools/tools/dmarc_reports.nix
@@ -1,4 +1,4 @@
1{ env }: 1{ env, config }:
2rec { 2rec {
3 keys = [{ 3 keys = [{
4 dest = "webapps/tools-dmarc-reports.php"; 4 dest = "webapps/tools-dmarc-reports.php";
@@ -43,7 +43,7 @@ rec {
43 }; 43 };
44 phpFpm = rec { 44 phpFpm = rec {
45 basedir = builtins.concatStringsSep ":" 45 basedir = builtins.concatStringsSep ":"
46 [ webRoot "/var/secrets/webapps/tools-dmarc-reports.php" ]; 46 [ webRoot config.secrets.fullPaths."webapps/tools-dmarc-reports.php" ];
47 pool = { 47 pool = {
48 "listen.owner" = apache.user; 48 "listen.owner" = apache.user;
49 "listen.group" = apache.group; 49 "listen.group" = apache.group;
@@ -55,7 +55,7 @@ rec {
55 "php_admin_value[open_basedir]" = "${basedir}:/tmp"; 55 "php_admin_value[open_basedir]" = "${basedir}:/tmp";
56 }; 56 };
57 phpEnv = { 57 phpEnv = {
58 SECRETS_FILE = "/var/secrets/webapps/tools-dmarc-reports.php"; 58 SECRETS_FILE = config.secrets.fullPaths."webapps/tools-dmarc-reports.php";
59 }; 59 };
60 }; 60 };
61} 61}
diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix
index 0f6fefc..1a70499 100644
--- a/modules/private/websites/tools/tools/kanboard.nix
+++ b/modules/private/websites/tools/tools/kanboard.nix
@@ -1,4 +1,4 @@
1{ env, kanboard }: 1{ env, kanboard, config }:
2rec { 2rec {
3 backups = { 3 backups = {
4 rootDir = varDir; 4 rootDir = varDir;
@@ -42,7 +42,7 @@ rec {
42 ?> 42 ?>
43 ''; 43 '';
44 }]; 44 }];
45 webRoot = kanboard { kanboard_config = "/var/secrets/webapps/tools-kanboard"; }; 45 webRoot = kanboard { kanboard_config = config.secrets.fullPaths."webapps/tools-kanboard"; };
46 apache = rec { 46 apache = rec {
47 user = "wwwrun"; 47 user = "wwwrun";
48 group = "wwwrun"; 48 group = "wwwrun";
@@ -68,7 +68,7 @@ rec {
68 }; 68 };
69 phpFpm = rec { 69 phpFpm = rec {
70 serviceDeps = [ "postgresql.service" "openldap.service" ]; 70 serviceDeps = [ "postgresql.service" "openldap.service" ];
71 basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ]; 71 basedir = builtins.concatStringsSep ":" [ webRoot varDir config.secrets.fullPaths."webapps/tools-kanboard" ];
72 pool = { 72 pool = {
73 "listen.owner" = apache.user; 73 "listen.owner" = apache.user;
74 "listen.group" = apache.group; 74 "listen.group" = apache.group;
diff --git a/modules/private/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix
index 0c1a21f..cb90edc 100644
--- a/modules/private/websites/tools/tools/ldap.nix
+++ b/modules/private/websites/tools/tools/ldap.nix
@@ -1,4 +1,4 @@
1{ lib, php, env, writeText, phpldapadmin }: 1{ lib, php, env, writeText, phpldapadmin, config }:
2rec { 2rec {
3 activationScript = { 3 activationScript = {
4 deps = [ "httpd" ]; 4 deps = [ "httpd" ];
@@ -32,7 +32,7 @@ rec {
32 $servers->setValue('login','fallback_dn',true); 32 $servers->setValue('login','fallback_dn',true);
33 ''; 33 '';
34 }]; 34 }];
35 webRoot = phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; }; 35 webRoot = phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
36 apache = rec { 36 apache = rec {
37 user = "wwwrun"; 37 user = "wwwrun";
38 group = "wwwrun"; 38 group = "wwwrun";
@@ -54,7 +54,7 @@ rec {
54 }; 54 };
55 phpFpm = rec { 55 phpFpm = rec {
56 serviceDeps = [ "openldap.service" ]; 56 serviceDeps = [ "openldap.service" ];
57 basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ]; 57 basedir = builtins.concatStringsSep ":" [ webRoot config.secrets.fullPaths."webapps/tools-ldap" ];
58 pool = { 58 pool = {
59 "listen.owner" = apache.user; 59 "listen.owner" = apache.user;
60 "listen.group" = apache.group; 60 "listen.group" = apache.group;
diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix
index d11f525..80c6a89 100644
--- a/modules/private/websites/tools/tools/shaarli.nix
+++ b/modules/private/websites/tools/tools/shaarli.nix
@@ -1,4 +1,4 @@
1{ lib, env, stdenv, fetchurl, shaarli }: 1{ lib, env, stdenv, fetchurl, shaarli, config }:
2let 2let
3 varDir = "/var/lib/shaarli"; 3 varDir = "/var/lib/shaarli";
4in rec { 4in rec {
@@ -21,7 +21,7 @@ in rec {
21 vhostConf = socket: '' 21 vhostConf = socket: ''
22 Alias /Shaarli "${root}" 22 Alias /Shaarli "${root}"
23 23
24 Include /var/secrets/webapps/tools-shaarli 24 Include ${config.secrets.fullPaths."webapps/tools-shaarli"}
25 <Location /Shaarli> 25 <Location /Shaarli>
26 Header set Access-Control-Allow-Origin "*" 26 Header set Access-Control-Allow-Origin "*"
27 Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" 27 Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix
index ce1ab8e..eb1d415 100644
--- a/modules/private/websites/tools/tools/ttrss.nix
+++ b/modules/private/websites/tools/tools/ttrss.nix
@@ -1,4 +1,4 @@
1{ php, env, ttrss, ttrss-plugins }: 1{ php, env, ttrss, ttrss-plugins, config }:
2rec { 2rec {
3 backups = { 3 backups = {
4 rootDir = varDir; 4 rootDir = varDir;
@@ -88,7 +88,7 @@ rec {
88 define('LDAP_AUTH_DEBUG', FALSE); 88 define('LDAP_AUTH_DEBUG', FALSE);
89 ''; 89 '';
90 }]; 90 }];
91 webRoot = (ttrss.override { ttrss_config = "/var/secrets/webapps/tools-ttrss"; }).withPlugins (p: [ 91 webRoot = (ttrss.override { ttrss_config = config.secrets.fullPaths."webapps/tools-ttrss"; }).withPlugins (p: [
92 p.auth_ldap p.ff_instagram p.tumblr_gdpr_ua 92 p.auth_ldap p.ff_instagram p.tumblr_gdpr_ua
93 (p.af_feedmod.override { patched = true; }) 93 (p.af_feedmod.override { patched = true; })
94 (p.feediron.override { patched = true; }) 94 (p.feediron.override { patched = true; })
@@ -116,7 +116,7 @@ rec {
116 phpFpm = rec { 116 phpFpm = rec {
117 serviceDeps = [ "postgresql.service" "openldap.service" ]; 117 serviceDeps = [ "postgresql.service" "openldap.service" ];
118 basedir = builtins.concatStringsSep ":" ( 118 basedir = builtins.concatStringsSep ":" (
119 [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ] 119 [ webRoot config.secrets.fullPaths."webapps/tools-ttrss" varDir ]
120 ++ webRoot.plugins); 120 ++ webRoot.plugins);
121 pool = { 121 pool = {
122 "listen.owner" = apache.user; 122 "listen.owner" = apache.user;
diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix
index 1cb0645..1a604c7 100644
--- a/modules/private/websites/tools/tools/wallabag.nix
+++ b/modules/private/websites/tools/tools/wallabag.nix
@@ -1,4 +1,4 @@
1{ env, wallabag, mylibs }: 1{ env, wallabag, mylibs, config }:
2rec { 2rec {
3 backups = { 3 backups = {
4 rootDir = varDir; 4 rootDir = varDir;
@@ -69,7 +69,7 @@ rec {
69 arguments: ['/run/wrappers/bin/sendmail -bs'] 69 arguments: ['/run/wrappers/bin/sendmail -bs']
70 ''; 70 '';
71 }]; 71 }];
72 webappDir = wallabag.override { ldap = true; wallabag_config = "/var/secrets/webapps/tools-wallabag"; }; 72 webappDir = wallabag.override { ldap = true; wallabag_config = config.secrets.fullPaths."webapps/tools-wallabag"; };
73 activationScript = '' 73 activationScript = ''
74 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \ 74 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
75 ${varDir}/var ${varDir}/data/db ${varDir}/assets/images 75 ${varDir}/var ${varDir}/data/db ${varDir}/assets/images
@@ -125,11 +125,11 @@ rec {
125 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction 125 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction
126 popd > /dev/null 126 popd > /dev/null
127 echo -n "${webappDir}" > ${varDir}/currentWebappDir 127 echo -n "${webappDir}" > ${varDir}/currentWebappDir
128 sha512sum /var/secrets/webapps/tools-wallabag > ${varDir}/currentKey 128 sha512sum ${config.secrets.fullPaths."webapps/tools-wallabag"} > ${varDir}/currentKey
129 fi 129 fi
130 ''; 130 '';
131 serviceDeps = [ "postgresql.service" "openldap.service" ]; 131 serviceDeps = [ "postgresql.service" "openldap.service" ];
132 basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ]; 132 basedir = builtins.concatStringsSep ":" [ webappDir config.secrets.fullPaths."webapps/tools-wallabag" varDir ];
133 pool = { 133 pool = {
134 "listen.owner" = apache.user; 134 "listen.owner" = apache.user;
135 "listen.group" = apache.group; 135 "listen.group" = apache.group;
diff --git a/modules/private/websites/tools/tools/webhooks.nix b/modules/private/websites/tools/tools/webhooks.nix
index 885b68b..8ffb81b 100644
--- a/modules/private/websites/tools/tools/webhooks.nix
+++ b/modules/private/websites/tools/tools/webhooks.nix
@@ -6,5 +6,11 @@
6 group = "wwwrun"; 6 group = "wwwrun";
7 permissions = "0400"; 7 permissions = "0400";
8 text = v; 8 text = v;
9 }) env; 9 }) env ++ [{
10 dest = "webapps/webhooks";
11 isDir = true;
12 user = "wwwrun";
13 group = "wwwrun";
14 permissions = "0500";
15 }];
10} 16}
diff --git a/modules/private/websites/tools/tools/yourls.nix b/modules/private/websites/tools/tools/yourls.nix
index 77ac0a3..0f977f2 100644
--- a/modules/private/websites/tools/tools/yourls.nix
+++ b/modules/private/websites/tools/tools/yourls.nix
@@ -1,4 +1,4 @@
1{ env, yourls, yourls-plugins }: 1{ env, yourls, yourls-plugins, config }:
2rec { 2rec {
3 activationScript = { 3 activationScript = {
4 deps = [ "httpd" ]; 4 deps = [ "httpd" ];
@@ -40,7 +40,7 @@ rec {
40 define( 'LDAPAUTH_USERCACHE_TYPE', 0); 40 define( 'LDAPAUTH_USERCACHE_TYPE', 0);
41 ''; 41 '';
42 }]; 42 }];
43 webRoot = (yourls.override { yourls_config = "/var/secrets/webapps/tools-yourls"; }).withPlugins (p: [p.ldap]); 43 webRoot = (yourls.override { yourls_config = config.secrets.fullPaths."webapps/tools-yourls"; }).withPlugins (p: [p.ldap]);
44 apache = rec { 44 apache = rec {
45 user = "wwwrun"; 45 user = "wwwrun";
46 group = "wwwrun"; 46 group = "wwwrun";
@@ -70,7 +70,7 @@ rec {
70 phpFpm = rec { 70 phpFpm = rec {
71 serviceDeps = [ "mysql.service" "openldap.service" ]; 71 serviceDeps = [ "mysql.service" "openldap.service" ];
72 basedir = builtins.concatStringsSep ":" ( 72 basedir = builtins.concatStringsSep ":" (
73 [ webRoot "/var/secrets/webapps/tools-yourls" ] 73 [ webRoot config.secrets.fullPaths."webapps/tools-yourls" ]
74 ++ webRoot.plugins); 74 ++ webRoot.plugins);
75 pool = { 75 pool = {
76 "listen.owner" = apache.user; 76 "listen.owner" = apache.user;
diff --git a/modules/secrets.nix b/modules/secrets.nix
deleted file mode 100644
index 86d276a..0000000
--- a/modules/secrets.nix
+++ /dev/null
@@ -1,113 +0,0 @@
1{ lib, pkgs, config, ... }:
2{
3 options.secrets = {
4 keys = lib.mkOption {
5 type = lib.types.listOf lib.types.unspecified;
6 default = [];
7 description = "Keys to upload to server";
8 };
9 gpgKeys = lib.mkOption {
10 type = lib.types.listOf lib.types.path;
11 default = [];
12 description = "GPG public keys files to encrypt to";
13 };
14 ageKeys = lib.mkOption {
15 type = lib.types.listOf lib.types.str;
16 default = [];
17 description = "AGE keys to encrypt to";
18 };
19 decryptKey = lib.mkOption {
20 type = lib.types.str;
21 default = "/etc/ssh/ssh_host_ed25519_key";
22 description = "ed25519 key used to decrypt with AGE";
23 };
24 location = lib.mkOption {
25 type = lib.types.path;
26 default = "/var/secrets";
27 description = "Location where to put the keys";
28 };
29 secretsVars = lib.mkOption {
30 type = lib.types.path;
31 default = "/run/keys/vars.yml";
32 description = "Location where the secrets variables are defined, to be used to fill the templates in secrets";
33 };
34 deleteSecretsVars = lib.mkOption {
35 type = lib.types.bool;
36 default = false;
37 description = "Delete secrets file after deployment";
38 };
39 # Read-only variables
40 fullPaths = lib.mkOption {
41 type = lib.types.attrsOf lib.types.path;
42 default = builtins.listToAttrs
43 (map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys);
44 readOnly = true;
45 description = "set of full paths to secrets";
46 };
47 };
48
49 config = let
50 location = config.secrets.location;
51 keys = config.secrets.keys;
52 empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
53 fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}";
54 dumpKey = v: ''
55 mkdir -p secrets/$(dirname ${v.dest})
56 echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v}
57 cat >> mods <<EOF
58 ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v}
59 EOF
60 '';
61 secrets = pkgs.runCommand "secrets.tar.enc" {
62 buildInputs = [ pkgs.gnupg pkgs.sops ];
63 } ''
64 touch mods
65 tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
66 ${builtins.concatStringsSep "\n" (map dumpKey keys)}
67 cat mods | while read u g p k; do
68 tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
69 done
70 export HOME=$(pwd)
71 fingerprints=
72 for key in ${builtins.concatStringsSep " " config.secrets.gpgKeys}; do
73 gpg --import $key 2>/dev/null
74 fingerprints=$fingerprints,$(cat $key | gpg --with-colons --import-options show-only --import 2>/dev/null | grep ^fpr | cut -d: -f10 | head -n1)
75 done
76
77 sops --age ${builtins.concatStringsSep "," config.secrets.ageKeys} --pgp ''${fingerprints#,} --input-type binary -i -e $out 2>/dev/null
78 '';
79 in lib.mkIf (builtins.length keys > 0) {
80 system.activationScripts.secrets = {
81 deps = [ "users" "wrappers" ];
82 text = ''
83 install -m0750 -o root -g keys -d ${location}
84 TMP=$(${pkgs.coreutils}/bin/mktemp -d)
85 TMPWORK=$(${pkgs.coreutils}/bin/mktemp -d)
86 chmod go-rwx $TMPWORK
87 if [ -n "$TMP" -a -n "$TMPWORK" ]; then
88 install -m0750 -o root -g keys -d $TMP
89 ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i ${config.secrets.decryptKey} -o $TMPWORK/keys.txt
90 SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${secrets} | ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -x
91 if [ -f ${config.secrets.secretsVars} ]; then
92 SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${config.secrets.secretsVars} > $TMPWORK/vars.yml
93 fi
94 if [ -f $TMPWORK/vars.yml ]; then
95 find $TMP -name "*.gucci.tpl" -exec \
96 /bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f '$TMPWORK'/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \;
97 fi
98 find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
99 ${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location}
100 rm -rf $TMP $TMPWORK ${lib.optionalString config.secrets.deleteSecretsVars config.secrets.secretsVars}
101 fi
102 '';
103 };
104
105 deployment.secrets."secret_vars.yml" = {
106 source = builtins.toString ../nixops/secrets/vars.yml;
107 destination = config.secrets.secretsVars;
108 owner.user = "root";
109 owner.group = "root";
110 permissions = "0400";
111 };
112 };
113}
diff --git a/nixops/secrets b/nixops/secrets
Subproject a1e6498139cc51a3d68e5655480542e6ccd3a45 Subproject 0b9f489a7e2e01208d4285c26348b4fa09607e1