From da30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Wed, 13 Oct 2021 02:26:54 +0200
Subject: Move secrets to flakes

---
 modules/private/system/eldiron.nix | 2 +-
 modules/private/system/monitoring-1.nix | 2 +-
 modules/private/system/quatresaisons.nix | 12 ++++++------
 modules/private/system/quatresaisons/databases.nix | 6 +++---
 4 files changed, 11 insertions(+), 11 deletions(-)
(limited to 'modules/private/system')

diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
index 6c570c8..0830f18 100644
--- a/modules/private/system/eldiron.nix
+++ b/modules/private/system/eldiron.nix
@@ -125,7 +125,7 @@
 services.netdata.config.health."enabled" = "no";
 services.netdata.config.web.mode = "none";
 users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
- environment.etc."netdata/stream.conf".source = "/var/secrets/netdata-stream.conf";
+ environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
 secrets.keys = [
 {
 dest = "netdata-stream.conf";
diff --git a/modules/private/system/monitoring-1.nix b/modules/private/system/monitoring-1.nix
index e335080..91d30fd 100644
--- a/modules/private/system/monitoring-1.nix
+++ b/modules/private/system/monitoring-1.nix
@@ -43,7 +43,7 @@
 services.netdata.config.web."allow netdata.conf from" = "fd*";
 services.netdata.config.web."allow management from" = "fd*";
 networking.firewall.allowedTCPPorts = [ 19999 ];
- environment.etc."netdata/stream.conf".source = "/var/secrets/netdata-stream.conf";
+ environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";
 secrets.keys = [
 {
diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix
index 0148650..491e215 100644
--- a/modules/private/system/quatresaisons.nix
+++ b/modules/private/system/quatresaisons.nix
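Review bot: The new `environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf";` line is only correct as long as the `secrets.keys` entry a few lines below keeps `dest = "netdata-stream.conf";`, so the two strings are now coupled by name with nothing tying them together; a single shared binding (e.g. `netdataStreamKey = "netdata-stream.conf";`) used for both `dest` and the `fullPaths` lookup would keep them from drifting. The identical hunk in monitoring-1.nix has the same coupling and would benefit from the same binding. Since stream.conf carries the streaming API key and the netdata user is granted only the `keys` group here, a one-line comment next to the `secrets.keys` entry stating the expected owner/group/mode of the deployed file would help the next reader; the entry's permission attributes are outside the hunk, so I cannot confirm them. The enclosing module attribute set starts and ends outside the hunk.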
@@ -53,7 +53,7 @@ let chmod go-rwx /var/lib/nixos/sponsored_users echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users (${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \ - -y /var/secrets/ldap/sync_password 2>/dev/null >/dev/null || true) </dev/null >/dev/null || true) </dev/null >/dev/null || true + ${pkgs.openldap}/bin/ldapadd -c ${com} -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} 2>/dev/null >/dev/null || true # Remove obsolete users ${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\ diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix index 8748058..68ce274 100644 --- a/modules/private/system/quatresaisons/databases.nix +++ b/modules/private/system/quatresaisons/databases.nix @@ -2,7 +2,7 @@ { config = let serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons; - phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; }; + phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; }; in { services.postgresql.enable = true; services.postgresql.package = pkgs.postgresql_12; @@ -94,7 +94,7 @@ by anonymous auth by * break ''; - rootpwFile = "${config.secrets.location}/ldap/password"; + rootpwFile = config.secrets.fullPaths."ldap/password"; suffix = "dc=salle-s,dc=org"; rootdn = "cn=root,dc=salle-s,dc=org"; database = "hdb"; @@ -120,7 +120,7 @@ group = "wwwrun"; settings = let - basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ]; + basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ]; in { "listen.owner" = "wwwrun"; "listen.group" = "wwwrun"; -- cgit v1.2.3
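Review bot: The new `ldapadd -c ${com} -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} 2>/dev/null >/dev/null || true` line discards both output streams and forces success, so a mistyped key name or an unreadable file at the new secrets path would leave the tree unloaded while the script carries on to the `# Remove obsolete users` step right after it. Keeping stderr, or replacing `|| true` with `|| echo "ldapadd of ldaptree.ldif failed" >&2`, would surface such a regression at activation time without changing the happy path. The surrounding context lines look truncated in this rendering, and the shell script the line belongs to starts and ends outside the hunk, so I cannot confirm whether `${com}` already supplies the bind credentials that the removed `-y` option did.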
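Review bot: `config.secrets.fullPaths."webapps/tools-ldap"` is now written out twice in databases.nix, in the `phpLdapAdmin` override of the first hunk and in the `basedir` list of the third, so a rename of that key has to be repeated in two places; binding it once in the existing `let` (e.g. `toolsLdapConfig = config.secrets.fullPaths."webapps/tools-ldap";`) and referencing it in both spots would keep them aligned. Both uses also assume the value resolves to the same thing (the phpldapadmin `config` path and a directory entry for `basedir`); how `basedir` is consumed is outside the hunk, so a short comment on the `let` binding saying whether this is a file or a directory would remove the guesswork. The `rootpwFile = config.secrets.fullPaths."ldap/password";` change in the second hunk is consistent with the rest of the commit.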