From 4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 16 Oct 2021 17:40:07 +0200
Subject: Use attrs for secrets instead of lists

---
 modules/private/system/backup-2.nix | 14 ++++++--------
 modules/private/system/eldiron.nix | 14 ++++++--------
 modules/private/system/monitoring-1.nix | 9 ++++-----
 modules/private/system/quatresaisons.nix | 14 ++++++--------
 modules/private/system/quatresaisons/databases.nix | 14 ++++++--------
 5 files changed, 28 insertions(+), 37 deletions(-)
 (limited to 'modules/private/system')

diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix
index 181f455..c01a666 100644
--- a/modules/private/system/backup-2.nix
+++ b/modules/private/system/backup-2.nix
@@ -7,22 +7,20 @@
   };
   # ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age
   secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ];
-  secrets.keys = [
-    {
-      dest = "rsync_backup/identity";
+  secrets.keys = {
+    "rsync_backup/identity" = {
       user = "backup";
       group = "backup";
       permissions = "0400";
       text = config.myEnv.rsync_backup.ssh_key.private;
-    }
-    {
-      dest = "rsync_backup/identity.pub";
+    };
+    "rsync_backup/identity.pub" = {
       user = "backup";
       group = "backup";
       permissions = "0444";
       text = config.myEnv.rsync_backup.ssh_key.public;
-    }
-  ];
+    };
+  };
   boot.kernelPackages = pkgs.linuxPackages_latest;
   myEnv = import ../../../nixops/secrets/environment.nix;
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
index 0830f18..2c339a5 100644
--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
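Review bot: `text = config.myEnv.rsync_backup.ssh_key.private` copies the private SSH key straight out of `environment.nix` (imported on the context line two below) into the evaluated configuration, and nothing in this hunk shows how `secrets.keys` materialises `text`; if the module writes it through a derivation, the key lands in the world-readable Nix store and the `0400` mode only protects the deployed copy. The `secrets.ageKeys` line above suggests the module instead encrypts to the host's age key, which would be fine, but that guarantee is not visible here. I would state it once at the attrset, e.g. `# text is delivered through the age-encrypted secrets path, never as a store path` — only if that is what the module actually does.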
@@ -126,9 +126,8 @@
   services.netdata.config.web.mode = "none";
   users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
   environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
-  secrets.keys = [
-    {
-      dest = "netdata-stream.conf";
+  secrets.keys = {
+    "netdata-stream.conf" = {
       user = config.services.netdata.user;
       group = config.services.netdata.group;
       permissions = "0400";
@@ -138,15 +137,14 @@
         destination = ${config.myEnv.monitoring.netdata_aggregator}
         api key = ${config.myEnv.monitoring.netdata_keys.eldiron}
       '';
-    }
-    {
-      dest = "zrepl_backup/identity";
+    };
+    "zrepl_backup/identity" = {
       user = "root";
       group = "root";
       permissions = "0400";
       text = config.myEnv.zrepl_backup.ssh_key.private;
-    }
-  ];
+    };
+  };
   programs.ssh.knownHosts.dilion = {
     hostNames = ["dilion.immae.eu"];
     publicKey = let
diff --git a/modules/private/system/monitoring-1.nix b/modules/private/system/monitoring-1.nix
index 91d30fd..dea5f45 100644
--- a/modules/private/system/monitoring-1.nix
+++ b/modules/private/system/monitoring-1.nix
@@ -45,9 +45,8 @@
   networking.firewall.allowedTCPPorts = [ 19999 ];
   environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
-  secrets.keys = [
-    {
-      dest = "netdata-stream.conf";
+  secrets.keys = {
+    "netdata-stream.conf" = {
       user = config.services.netdata.user;
       group = config.services.netdata.group;
       permissions = "0400";
@@ -58,8 +57,8 @@
         default memory = ram
         health enabled by default = auto
       '') config.myEnv.monitoring.netdata_keys);
-    }
-  ];
+    };
+  };
   users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
   # This value determines the NixOS release with which your system is
   # to be compatible, in order to avoid breaking some software such as
diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix
index 491e215..82db70f 100644
--- a/modules/private/system/quatresaisons.nix
+++ b/modules/private/system/quatresaisons.nix
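Review bot: The per-key receiver stanzas generated for monitoring-1's `stream.conf` end with `default memory = ram` and `health enabled by default = auto`, and no `allow from` line is visible for them; to my knowledge netdata defaults `allow from` to `*` in an api-key section, so with `networking.firewall.allowedTCPPorts = [ 19999 ]` in the previous hunk of this file the API key alone gates stream ingestion from any source address. If the senders have stable addresses, adding `allow from = <sender addresses>` inside the `mapAttrsToList` template would close that gap. The template's opening lines and the start of the `secrets.keys` attrset sit between the two hunks, so only the tail of the stanza is visible here.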
@@ -254,14 +254,12 @@ in
       '';
     };
-  secrets.keys = [
-    {
-      dest = "ldap/sync_password";
+  secrets.keys = {
+    "ldap/sync_password" = {
       permissions = "0400";
       text = serverSpecificConfig.ldap_sync_password;
-    }
-    {
-      dest = "ldap/ldaptree.ldif";
+    };
+    "ldap/ldaptree.ldif" = {
       permissions = "0400";
       text = serverSpecificConfig.ldap_service_users + (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
@@ -272,8 +270,8 @@ in
         sn: ${n}
         uid: ${n}
       '') normalUsers));
-    }
-  ];
+    };
+  };
   myServices.monitoring.enable = true;
   myServices.certificates.enable = true;
diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix
index 68ce274..f7b27e0 100644
--- a/modules/private/system/quatresaisons/databases.nix
+++ b/modules/private/system/quatresaisons/databases.nix
@@ -9,16 +9,14 @@
   services.postgresql.ensureUsers = [ { name = "naemon"; } ];
-  secrets.keys = [
-    {
-      dest = "ldap/password";
+  secrets.keys = {
+    "ldap/password" = {
       permissions = "0400";
       user = "openldap";
       group = "openldap";
       text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
-    }
-    {
-      dest = "webapps/tools-ldap";
+    };
+    "webapps/tools-ldap" = {
       user = "wwwrun";
       group = "wwwrun";
       permissions = "0400";
@@ -42,8 +40,8 @@
       $servers->setValue('login','attr','uid');
       $servers->setValue('login','fallback_dn',true);
     '';
-    }
-  ];
+    };
+  };
   users.users.openldap.extraGroups = [ "keys" ];
   services.openldap = {
-- 
cgit v1.2.3
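Review bot: `"ldap/sync_password"` and `"ldap/ldaptree.ldif"` set `permissions = "0400"` but no `user`/`group`, unlike every other secret in this commit (backup-2, eldiron and databases.nix all name an owner); with an owner-read-only mode the file is usable only by whatever default owner the secrets module picks, which is not visible here. If the consumer of the sync password runs as `openldap` like the `ldap/password` entry in databases.nix, these should say so explicitly, e.g. `user = "openldap"; group = "openldap";`; if root is intended, a comment such as `# root-only: consumed by the LDAP bootstrap step` would make that deliberate. The `text` of the ldif entry continues past the end of this hunk.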
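Review bot: `text = "rootpw ${serverSpecificConfig.ldap_root_pw}";` writes the slapd root credential verbatim; if `ldap_root_pw` is a cleartext password rather than an already-hashed value, any leak of this `0400` file (a backup, a debug dump, the secrets directory shared with the `keys` group) yields the directory's root password directly. slapd accepts a hashed `rootpw` (a `{SSHA}…` value as produced by `slappasswd`), so storing the hash in `serverSpecificConfig` and keeping cleartext only where a bind actually needs it would limit the blast radius; nothing in this hunk shows which form the value has. A short comment on the entry, `# ldap_root_pw is expected to be a {SSHA} hash, not cleartext`, would pin the intent either way.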