From 4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 16 Oct 2021 17:40:07 +0200 Subject: Use attrs for secrets instead of lists --- modules/private/databases/mariadb.nix | 19 ++++++++--------- modules/private/databases/mariadb_replication.nix | 24 +++++++++------------- modules/private/databases/openldap/default.nix | 19 ++++++++--------- modules/private/databases/openldap_replication.nix | 14 ++++++------- modules/private/databases/postgresql.nix | 14 ++++++------- .../private/databases/postgresql_replication.nix | 19 ++++++++--------- modules/private/databases/redis.nix | 14 ++++++------- modules/private/databases/redis_replication.nix | 14 ++++++------- 8 files changed, 58 insertions(+), 79 deletions(-) (limited to 'modules/private/databases') diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index 75ea747..101eb3f 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix @@ -121,9 +121,8 @@ in { ''; }; - secrets.keys = [ - { - dest = "mysql/mysqldump"; + secrets.keys = { + "mysql/mysqldump" = { permissions = "0400"; user = "root"; group = "root"; @@ -132,9 +131,8 @@ in { user = root password = ${cfg.credentials.root} ''; - } - { - dest = "mysql/pam"; + }; + "mysql/pam" = { permissions = "0400"; user = "mysql"; group = "mysql"; @@ -146,9 +144,8 @@ in { pam_filter ${filter} ssl start_tls ''; - } - { - dest = "mysql/pam_replication"; + }; + "mysql/pam_replication" = { permissions = "0400"; user = "mysql"; group = "mysql"; @@ -160,8 +157,8 @@ in { pam_login_attribute cn ssl start_tls ''; - } - ]; + }; + }; security.pam.services = let pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; diff --git a/modules/private/databases/mariadb_replication.nix b/modules/private/databases/mariadb_replication.nix index e857c41..68e6f7f 100644 --- a/modules/private/databases/mariadb_replication.nix 
+++ b/modules/private/databases/mariadb_replication.nix @@ -81,9 +81,8 @@ in }; users.groups.mysql.gid = config.ids.gids.mysql; - secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ - { - dest = "mysql_replication/${name}/slave_init_commands"; + secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [ + (lib.nameValuePair "mysql_replication/${name}/slave_init_commands" { user = "mysql"; group = "mysql"; permissions = "0400"; @@ -91,9 +90,8 @@ in CHANGE MASTER TO master_host="${hcfg.host}", master_port=${hcfg.port}, master_user="${hcfg.user}", master_password="${hcfg.password}", master_ssl=1, master_use_gtid=slave_pos; START SLAVE; ''; - } - { - dest = "mysql_replication/${name}/mysqldump_remote"; + }) + (lib.nameValuePair "mysql_replication/${name}/mysqldump_remote" { permissions = "0400"; user = "root"; group = "root"; @@ -102,9 +100,8 @@ in user = ${hcfg.user} password = ${hcfg.password} ''; - } - { - dest = "mysql_replication/${name}/mysqldump"; + }) + (lib.nameValuePair "mysql_replication/${name}/mysqldump" { permissions = "0400"; user = "root"; group = "root"; @@ -113,9 +110,8 @@ in user = ${hcfg.dumpUser} password = ${hcfg.dumpPassword} ''; - } - { - dest = "mysql_replication/${name}/client"; + }) + (lib.nameValuePair "mysql_replication/${name}/client" { permissions = "0400"; user = "mysql"; group = "mysql"; @@ -124,8 +120,8 @@ in user = ${hcfg.dumpUser} password = ${hcfg.dumpPassword} ''; - } - ]) cfg.hosts); + }) + ]) cfg.hosts)); services.cron = { enable = true; diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index f4851b5..d35aca0 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix 
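Review bot: `lib.listToAttrs` keeps only the first element when two entries share a name, so a duplicate destination in the flattened per-host list is now dropped silently instead of yielding two `secrets.keys` entries; the same construction appears in openldap_replication.nix (`@@ -87`) and postgresql_replication.nix (`@@ -62`). Uniqueness currently rests on the `${name}` segment of each path and on the per-host suffixes being distinct, which is true for the four keys in this hunk but is no longer checked anywhere. A comment at the assignment, `# destinations are unique per host via ${name}; listToAttrs would silently drop a duplicate`, would make that invariant visible. The `secrets.keys` option whose type this relies on is defined outside the files shown here.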
@@ -85,29 +85,26 @@ in }; config = lib.mkIf cfg.enable { - secrets.keys = [ - { - dest = "ldap/password"; + secrets.keys = { + "ldap/password" = { permissions = "0400"; user = "openldap"; group = "openldap"; text = "rootpw ${cfg.rootPw}"; - } - { - dest = "ldap/access"; + }; + "ldap/access" = { permissions = "0400"; user = "openldap"; group = "openldap"; text = builtins.readFile cfg.accessFile; - } - { - dest = "ldap"; + }; + "ldap" = { permissions = "0500"; user = "openldap"; group = "openldap"; isDir = true; - } - ]; + }; + }; users.users.openldap.extraGroups = [ "keys" ]; networking.firewall.allowedTCPPorts = [ 636 389 ]; diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix index 350eecf..b456323 100644 --- a/modules/private/databases/openldap_replication.nix +++ b/modules/private/databases/openldap_replication.nix @@ -87,9 +87,8 @@ in }; users.groups.openldap.gid = config.ids.gids.openldap; - secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ - { - dest = "openldap_replication/${name}/replication_config"; + secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [ + (lib.nameValuePair "openldap_replication/${name}/replication_config" { user = "openldap"; group = "openldap"; permissions = "0400"; @@ -105,15 +104,14 @@ in binddn="${hcfg.dn}" credentials="${hcfg.password}" ''; - } - { - dest = "openldap_replication/${name}/replication_password"; + }) + (lib.nameValuePair "openldap_replication/${name}/replication_password" { user = "openldap"; group = "openldap"; permissions = "0400"; text = hcfg.password; - } - ]) cfg.hosts); + }) + ]) cfg.hosts)); services.cron = { enable = true; diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index e73bf69..a6c4cc9 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix 
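Review bot: The `"ldap"` entry (`isDir = true`, mode 0500) is the parent directory of `ldap/password` and `ldap/access`, and in the attrset form the three entries are ordered lexicographically rather than by the explicit list order the old code had; the secrets module that materialises them is outside this diff, so it is worth confirming it creates directories before files regardless of attribute order (the old list already placed the directory last, which suggests it does). A short comment at `"ldap" = {`, `# parent directory of the two files above; 0500 keeps it traversable by the openldap user only`, would record why the directory carries a different mode from the files.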
@@ -178,9 +178,8 @@ in { ''; }; - secrets.keys = [ - { - dest = "postgresql/pam"; + secrets.keys = { + "postgresql/pam" = { permissions = "0400"; group = "postgres"; user = "postgres"; @@ -192,9 +191,8 @@ in { pam_filter ${filter} ssl start_tls ''; - } - { - dest = "postgresql/pam_replication"; + }; + "postgresql/pam_replication" = { permissions = "0400"; group = "postgres"; user = "postgres"; @@ -206,8 +204,8 @@ in { pam_login_attribute cn ssl start_tls ''; - } - ]; + }; + }; security.pam.services = let pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; diff --git a/modules/private/databases/postgresql_replication.nix b/modules/private/databases/postgresql_replication.nix index b103b8c..135bbed 100644 --- a/modules/private/databases/postgresql_replication.nix +++ b/modules/private/databases/postgresql_replication.nix @@ -62,9 +62,8 @@ in users.groups.postgres.gid = config.ids.gids.postgres; environment.systemPackages = [ cfg.mainPackage ]; - secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ - { - dest = "postgresql_replication/${name}/recovery.conf"; + secrets.keys = lib.listToAttrs (lib.flatten (lib.mapAttrsToList (name: hcfg: [ + (lib.nameValuePair "postgresql_replication/${name}/recovery.conf" { user = "postgres"; group = "postgres"; permissions = "0400"; @@ -73,16 +72,14 @@ in primary_conninfo = '${hcfg.connection}?sslmode=require' primary_slot_name = '${hcfg.slot}' ''; - } - { - dest = "postgresql_replication/${name}/connection_string"; + }) + (lib.nameValuePair "postgresql_replication/${name}/connection_string" { user = "postgres"; group = "postgres"; permissions = "0400"; text = hcfg.connection; - } - { - dest = "postgresql_replication/${name}/postgresql.conf"; + }) + (lib.nameValuePair "postgresql_replication/${name}/postgresql.conf" { user = "postgres"; group = "postgres"; permissions = "0400"; 
@@ -94,8 +91,8 @@ in data_directory = '${dataDir}' wal_level = logical ''; - } - ]) cfg.hosts); + }) + ]) cfg.hosts)); services.cron = { enable = true; diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index 5c5b8b0..685fa46 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix @@ -74,9 +74,8 @@ in { }; networking.firewall.allowedTCPPorts = [ 7617 16379 ]; - secrets.keys = [ - { - dest = "redis/predixy.conf"; + secrets.keys = { + "redis/predixy.conf" = { user = "redis"; group = "redis"; permissions = "0400"; @@ -100,15 +99,14 @@ in { } } ''; - } - { - dest = "redis/spiped_keyfile"; + }; + "redis/spiped_keyfile" = { user = "spiped"; group = "spiped"; permissions = "0400"; text = config.myEnv.databases.redis.spiped_key; - } - ]; + }; + }; systemd.slices.redis = { description = "Redis slice"; diff --git a/modules/private/databases/redis_replication.nix b/modules/private/databases/redis_replication.nix index 3caa7e9..9e48939 100644 --- a/modules/private/databases/redis_replication.nix +++ b/modules/private/databases/redis_replication.nix @@ -68,9 +68,8 @@ in }; }; - secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ - { - dest = "redis_replication/${name}/config"; + secrets.keys = lib.mapAttrs' (name: hcfg: + lib.nameValuePair "redis_replication/${name}/config" { user = "redis"; group = "redis"; permissions = "0400"; @@ -97,15 +96,14 @@ in maxclients 1024 ''; } - ]) cfg.hosts) ++ [ - { # For eldiron only - dest = "redis/spiped_eldiron_keyfile"; + ) cfg.hosts // { + "redis/spiped_eldiron_keyfile" = { # For eldiron only user = "spiped"; group = "spiped"; permissions = "0400"; text = config.myEnv.databases.redis.spiped_key; - } - ]; + }; + }; services.cron = { enable = true; -- cgit v1.2.3
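Review bot: The `//` at `) cfg.hosts // {` lets the static right-hand set silently override a generated per-host key of the same name, so `redis/spiped_eldiron_keyfile` only stays distinct because it does not start with `redis_replication/`; a comment on that line, `# static entries: must not collide with the generated redis_replication/<host>/ paths`, would make the constraint explicit. As a point of style, this file builds the set with `lib.mapAttrs'` while mariadb_replication.nix, openldap_replication.nix and postgresql_replication.nix use `lib.listToAttrs (lib.flatten (lib.mapAttrsToList …))` for the same purpose; both are correct here, but the asymmetry will read as deliberate to the next maintainer unless noted.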