From 4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 16 Oct 2021 17:40:07 +0200 Subject: Use attrs for secrets instead of lists --- modules/private/websites/tools/cloud/default.nix | 5 ++--- .../private/websites/tools/commento/default.nix | 11 +++++----- modules/private/websites/tools/dav/davical.nix | 5 ++--- .../private/websites/tools/diaspora/default.nix | 24 +++++++++------------- modules/private/websites/tools/ether/default.nix | 19 ++++++++--------- modules/private/websites/tools/git/mantisbt.nix | 5 ++--- .../private/websites/tools/mail/roundcubemail.nix | 5 ++--- .../private/websites/tools/mastodon/default.nix | 5 ++--- modules/private/websites/tools/mgoblin/default.nix | 5 ++--- .../private/websites/tools/peertube/default.nix | 5 ++--- .../private/websites/tools/performance/default.nix | 9 ++++---- modules/private/websites/tools/stats/default.nix | 9 ++++---- .../private/websites/tools/tools/csp_reports.nix | 5 ++--- modules/private/websites/tools/tools/default.nix | 16 +++++++-------- .../private/websites/tools/tools/dmarc_reports.nix | 5 ++--- modules/private/websites/tools/tools/kanboard.nix | 5 ++--- modules/private/websites/tools/tools/ldap.nix | 5 ++--- modules/private/websites/tools/tools/shaarli.nix | 5 ++--- modules/private/websites/tools/tools/ttrss.nix | 5 ++--- modules/private/websites/tools/tools/wallabag.nix | 5 ++--- modules/private/websites/tools/tools/webhooks.nix | 19 +++++++++-------- modules/private/websites/tools/tools/yourls.nix | 5 ++--- 22 files changed, 79 insertions(+), 103 deletions(-) (limited to 'modules/private/websites/tools') diff --git a/modules/private/websites/tools/cloud/default.nix b/modules/private/websites/tools/cloud/default.nix index 471858a..fc0aae6 100644 --- a/modules/private/websites/tools/cloud/default.nix +++ b/modules/private/websites/tools/cloud/default.nix 
@@ -73,8 +73,7 @@ in { ]; }; - secrets.keys = [{ - dest = "webapps/tools-nextcloud"; + secrets.keys."webapps/tools-nextcloud" = { user = "wwwrun"; group = "wwwrun"; permissions = "0600"; @@ -133,7 +132,7 @@ in { 'has_rebuilt_cache' => true, ); ''; - }]; + }; users.users.root.packages = let occ = pkgs.writeScriptBin "nextcloud-occ" '' #! ${pkgs.stdenv.shell} diff --git a/modules/private/websites/tools/commento/default.nix b/modules/private/websites/tools/commento/default.nix index d0e7d24..c36255b 100644 --- a/modules/private/websites/tools/commento/default.nix +++ b/modules/private/websites/tools/commento/default.nix @@ -12,10 +12,9 @@ in enable = lib.mkEnableOption "Enable commento website"; }; config = lib.mkIf cfg.enable { - secrets.keys = [ - { - dest = "commento/env"; - permission = "0400"; + secrets.keys = { + "commento/env" = { + permissions = "0400"; text = '' COMMENTO_ORIGIN=https://commento.immae.eu/ COMMENTO_PORT=${port} @@ -29,8 +28,8 @@ in COMMENTO_SMTP_PASSWORD=${env.smtp.password} COMMENTO_SMTP_FROM_ADDRESS=${env.smtp.email} ''; - } - ]; + }; + }; services.websites.env.tools.vhostConfs.commento = { certName = "eldiron"; diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix index eeac1b5..9e4056a 100644 --- a/modules/private/websites/tools/dav/davical.nix +++ b/modules/private/websites/tools/dav/davical.nix @@ -6,8 +6,7 @@ rec { install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/davical ''; }; - keys = [{ - dest = "webapps/dav-davical"; + keys."webapps/dav-davical" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -64,7 +63,7 @@ rec { $c->do_not_sync_from_ldap = array('admin' => true); include('drivers_ldap.php'); ''; - }]; + }; webapp = davical.override { davical_config = config.secrets.fullPaths."webapps/dav-davical"; }; webRoot = "${webapp}/htdocs"; apache = rec { 
diff --git a/modules/private/websites/tools/diaspora/default.nix b/modules/private/websites/tools/diaspora/default.nix index 663fe88..9119ead 100644 --- a/modules/private/websites/tools/diaspora/default.nix +++ b/modules/private/websites/tools/diaspora/default.nix @@ -16,16 +16,14 @@ in { }; users.users.diaspora.extraGroups = [ "keys" ]; - secrets.keys = [ - { - dest = "webapps/diaspora"; + secrets.keys = { + "webapps/diaspora" = { isDir = true; user = "diaspora"; group = "diaspora"; permissions = "0500"; - } - { - dest = "webapps/diaspora/diaspora.yml"; + }; + "webapps/diaspora/diaspora.yml" = { user = "diaspora"; group = "diaspora"; permissions = "0400"; @@ -102,9 +100,8 @@ in { development: environment: ''; - } - { - dest = "webapps/diaspora/database.yml"; + }; + "webapps/diaspora/database.yml" = { user = "diaspora"; group = "diaspora"; permissions = "0400"; @@ -136,17 +133,16 @@ in { <<: *combined database: diaspora_integration2 ''; - } - { - dest = "webapps/diaspora/secret_token.rb"; + }; + "webapps/diaspora/secret_token.rb" = { user = "diaspora"; group = "diaspora"; permissions = "0400"; text = '' Diaspora::Application.config.secret_key_base = '${env.secret_token}' ''; - } - ]; + }; + }; services.diaspora = { enable = true; diff --git a/modules/private/websites/tools/ether/default.nix b/modules/private/websites/tools/ether/default.nix index 64e411d..d5c65a9 100644 --- a/modules/private/websites/tools/ether/default.nix +++ b/modules/private/websites/tools/ether/default.nix 
@@ -15,19 +15,16 @@ in { services.duplyBackup.profiles.etherpad-lite = { rootDir = "/var/lib/private/etherpad-lite"; }; - secrets.keys = [ - { - dest = "webapps/tools-etherpad-apikey"; + secrets.keys = { + "webapps/tools-etherpad-apikey" = { permissions = "0400"; text = env.api_key; - } - { - dest = "webapps/tools-etherpad-sessionkey"; + }; + "webapps/tools-etherpad-sessionkey" = { permissions = "0400"; text = env.session_key; - } - { - dest = "webapps/tools-etherpad"; + }; + "webapps/tools-etherpad" = { permissions = "0400"; text = '' { @@ -152,8 +149,8 @@ in { "logconfig" : { "appenders": [ { "type": "console" } ] } } ''; - } - ]; + }; + }; services.etherpad-lite = { enable = true; package = pkgs.webapps.etherpad-lite.withModules (p: [ diff --git a/modules/private/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix index e6a8da7..033a651 100644 --- a/modules/private/websites/tools/git/mantisbt.nix +++ b/modules/private/websites/tools/git/mantisbt.nix @@ -6,8 +6,7 @@ rec { install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/mantisbt ''; }; - keys = [{ - dest = "webapps/tools-mantisbt"; + keys."webapps/tools-mantisbt" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -45,7 +44,7 @@ rec { $g_ldap_realname_field = 'cn'; $g_ldap_organization = '${env.ldap.filter}'; ''; - }]; + }; webRoot = (mantisbt_2.override { mantis_config = config.secrets.fullPaths."webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]); apache = rec { user = "wwwrun"; diff --git a/modules/private/websites/tools/mail/roundcubemail.nix b/modules/private/websites/tools/mail/roundcubemail.nix index 7d8e733..92de28e 100644 --- a/modules/private/websites/tools/mail/roundcubemail.nix +++ b/modules/private/websites/tools/mail/roundcubemail.nix 
@@ -9,8 +9,7 @@ rec { install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions ''; }; - keys = [{ - dest = "webapps/tools-roundcube"; + keys."webapps/tools-roundcube" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -74,7 +73,7 @@ rec { $config['temp_dir'] = '${varDir}/cache'; $config['mime_types'] = '${apacheHttpd}/conf/mime.types'; ''; - }]; + }; webRoot = (roundcubemail.override { roundcube_config = config.secrets.fullPaths."webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]); apache = rec { user = "wwwrun"; diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix index cea8710..87e8d72 100644 --- a/modules/private/websites/tools/mastodon/default.nix +++ b/modules/private/websites/tools/mastodon/default.nix @@ -13,8 +13,7 @@ in { services.duplyBackup.profiles.mastodon = { rootDir = mcfg.dataDir; }; - secrets.keys = [{ - dest = "webapps/tools-mastodon"; + secrets.keys."webapps/tools-mastodon" = { user = "mastodon"; group = "mastodon"; permissions = "0400"; @@ -59,7 +58,7 @@ in { LDAP_UID="uid" LDAP_SEARCH_FILTER="${env.ldap.filter}" ''; - }]; + }; services.mastodon = { enable = true; configFile = config.secrets.fullPaths."webapps/tools-mastodon"; diff --git a/modules/private/websites/tools/mgoblin/default.nix b/modules/private/websites/tools/mgoblin/default.nix index 6d6a5a4..f6cba4a 100644 --- a/modules/private/websites/tools/mgoblin/default.nix +++ b/modules/private/websites/tools/mgoblin/default.nix @@ -12,8 +12,7 @@ in { services.duplyBackup.profiles.mgoblin = { rootDir = mcfg.dataDir; }; - secrets.keys = [{ - dest = "webapps/tools-mediagoblin"; + secrets.keys."webapps/tools-mediagoblin" = { user = "mediagoblin"; group = "mediagoblin"; permissions = "0400"; 
@@ -77,7 +76,7 @@ in { [[mediagoblin.media_types.image]] [[mediagoblin.media_types.video]] ''; - }]; + }; users.users.mediagoblin.extraGroups = [ "keys" ]; diff --git a/modules/private/websites/tools/peertube/default.nix b/modules/private/websites/tools/peertube/default.nix index 7dcc998..daeeb1f 100644 --- a/modules/private/websites/tools/peertube/default.nix +++ b/modules/private/websites/tools/peertube/default.nix @@ -18,8 +18,7 @@ in { }; users.users.peertube.extraGroups = [ "keys" ]; - secrets.keys = [{ - dest = "webapps/tools-peertube"; + secrets.keys."webapps/tools-peertube" = { user = "peertube"; group = "peertube"; permissions = "0640"; @@ -62,7 +61,7 @@ in { plugins: '${pcfg.dataDir}/storage/plugins/' client_overrides: '${pcfg.dataDir}/storage/client-overrides/' ''; - }]; + }; services.websites.env.tools.modules = [ "headers" "proxy" "proxy_http" "proxy_wstunnel" diff --git a/modules/private/websites/tools/performance/default.nix b/modules/private/websites/tools/performance/default.nix index 5afd639..5715ff0 100644 --- a/modules/private/websites/tools/performance/default.nix +++ b/modules/private/websites/tools/performance/default.nix @@ -11,9 +11,8 @@ in }; config = lib.mkIf cfg.enable { - secrets.keys = [ - { - dest = "status_engine_ui"; + secrets.keys = { + status_engine_ui = { permissions = "0400"; user = "wwwrun"; group = "wwwrun"; @@ -44,8 +43,8 @@ in display_perfdata: 1 perfdata_backend: mysql ''; - } - ]; + }; + }; services.websites.env.tools.modules = [ "proxy_fcgi" ]; diff --git a/modules/private/websites/tools/stats/default.nix b/modules/private/websites/tools/stats/default.nix index 5f184bc..71e31a3 100644 --- a/modules/private/websites/tools/stats/default.nix +++ b/modules/private/websites/tools/stats/default.nix 
@@ -6,9 +6,8 @@ in { options.myServices.websites.tools.stats.enable = lib.mkEnableOption "Enable stats site"; config = lib.mkIf cfg.enable { - secrets.keys = [ - { - dest = "umami/env"; + secrets.keys = { + "uami/env" = { permission = "0400"; text = '' PORT=${toString myCfg.listenPort} @@ -16,8 +15,8 @@ in DATABASE_URL=postgresql://${myCfg.postgresql.user}:${myCfg.postgresql.password}@localhost:${myCfg.postgresql.port}/${myCfg.postgresql.database}?sslmode=disable&host=${myCfg.postgresql.socket} HASH_SALT=${myCfg.hashSalt} ''; - } - ]; + }; + }; services.websites.env.tools.vhostConfs.stats = { certName = "eldiron"; diff --git a/modules/private/websites/tools/tools/csp_reports.nix b/modules/private/websites/tools/tools/csp_reports.nix index 4660251..9b3f0cf 100644 --- a/modules/private/websites/tools/tools/csp_reports.nix +++ b/modules/private/websites/tools/tools/csp_reports.nix @@ -1,12 +1,11 @@ { env }: rec { - keys = [{ - dest = "webapps/tools-csp-reports.conf"; + keys."webapps/tools-csp-reports.conf" = { user = "wwwrun"; group = "wwwrun"; permissions = "0400"; text = with env.postgresql; '' env[CSP_REPORT_URI] = "host=${socket} dbname=${database} user=${user} password=${password}" ''; - }]; + }; } diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix index ada6253..1f499fb 100644 --- a/modules/private/websites/tools/tools/default.nix +++ b/modules/private/websites/tools/tools/default.nix @@ -83,14 +83,14 @@ in { config = lib.mkIf cfg.enable { secrets.keys = kanboard.keys - ++ ldap.keys - ++ shaarli.keys - ++ ttrss.keys - ++ wallabag.keys - ++ yourls.keys - ++ dmarc-reports.keys - ++ csp-reports.keys - ++ webhooks.keys; + // ldap.keys + // shaarli.keys + // ttrss.keys + // wallabag.keys + // yourls.keys + // dmarc-reports.keys + // csp-reports.keys + // webhooks.keys; services.duplyBackup.profiles = { dokuwiki = dokuwiki.backups; 
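Review bot: The new attribute name `"uami/env"` in the stats hunk drops the "m" from the old `dest = "umami/env"`, so any consumer that looks up `config.secrets.fullPaths."umami/env"` (not visible in this patch) will stop resolving, and the env file is written under a different path than before; it should read `"umami/env" = {`. The same hunk keeps the misspelled `permission = "0400";` as an untouched context line, while the commento hunk of this very commit corrects the same attribute to `permissions`; if the secrets module honours only `permissions` (its option declaration is outside this patch), the umami env file carrying the PostgreSQL password and `HASH_SALT` would be created with the module's default mode rather than 0400. Change it to `permissions = "0400";` here as well. The enclosing `config = lib.mkIf cfg.enable { ... }` block continues past the end of the hunk.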
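Review bot: Replacing `++` with `//` in `secrets.keys = kanboard.keys // ldap.keys // ... // webhooks.keys` turns a duplicate key name between any two merged modules into a silent overwrite (the right operand wins) instead of a second list element, so a secret file definition can vanish without any evaluation error. The names visible in this patch (`webapps/tools-kanboard`, `webapps/tools-ldap`, `webapps/tools-shaarli`, `webapps/webhooks/*.php`, ...) are distinct today, but nothing in this file enforces that. If `secrets.keys` is declared as an attrsOf submodule option (its declaration is not in this patch), `secrets.keys = lib.mkMerge [ kanboard.keys ldap.keys shaarli.keys ttrss.keys wallabag.keys yourls.keys dmarc-reports.keys csp-reports.keys webhooks.keys ];` lets the module system reject two definitions of the same name; otherwise add an assertion that the merged attribute names are pairwise disjoint. The surrounding `config = lib.mkIf cfg.enable { ... }` block runs on beyond the hunk.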
diff --git a/modules/private/websites/tools/tools/dmarc_reports.nix b/modules/private/websites/tools/tools/dmarc_reports.nix index 5fdf0b6..89da246 100644 --- a/modules/private/websites/tools/tools/dmarc_reports.nix +++ b/modules/private/websites/tools/tools/dmarc_reports.nix @@ -1,7 +1,6 @@ { env, config }: rec { - keys = [{ - dest = "webapps/tools-dmarc-reports.php"; + keys."webapps/tools-dmarc-reports.php" = { user = "wwwrun"; group = "wwwrun"; permissions = "0400"; @@ -15,7 +14,7 @@ rec { $anonymous_key = "${env.anonymous_key}"; ?> ''; - }]; + }; webRoot = ./dmarc_reports; apache = rec { user = "wwwrun"; diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix index 1a70499..b2e7b65 100644 --- a/modules/private/websites/tools/tools/kanboard.nix +++ b/modules/private/websites/tools/tools/kanboard.nix @@ -13,8 +13,7 @@ rec { install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config ''; }; - keys = [{ - dest = "webapps/tools-kanboard"; + keys."webapps/tools-kanboard" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -41,7 +40,7 @@ rec { define('LDAP_GROUP_ADMIN_DN', '${env.ldap.admin_dn}'); ?> ''; - }]; + }; webRoot = kanboard { kanboard_config = config.secrets.fullPaths."webapps/tools-kanboard"; }; apache = rec { user = "wwwrun"; diff --git a/modules/private/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix index cb90edc..14920f4 100644 --- a/modules/private/websites/tools/tools/ldap.nix +++ b/modules/private/websites/tools/tools/ldap.nix @@ -6,8 +6,7 @@ rec { install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/phpldapadmin ''; }; - keys = [{ - dest = "webapps/tools-ldap"; + keys."webapps/tools-ldap" = { user = apache.user; group = apache.group; permissions = "0400"; 
@@ -31,7 +30,7 @@ rec { $servers->setValue('login','attr','uid'); $servers->setValue('login','fallback_dn',true); ''; - }]; + }; webRoot = phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; }; apache = rec { user = "wwwrun"; diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix index 80c6a89..b7126cc 100644 --- a/modules/private/websites/tools/tools/shaarli.nix +++ b/modules/private/websites/tools/tools/shaarli.nix @@ -38,8 +38,7 @@ in rec { ''; }; - keys = [{ - dest = "webapps/tools-shaarli"; + keys."webapps/tools-shaarli" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -50,7 +49,7 @@ in rec { SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}" SetEnv SHAARLI_LDAP_FILTER "${env.ldap.filter}" ''; - }]; + }; phpFpm = rec { serviceDeps = [ "openldap.service" ]; basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix index eb1d415..f6abae9 100644 --- a/modules/private/websites/tools/tools/ttrss.nix +++ b/modules/private/websites/tools/tools/ttrss.nix @@ -19,8 +19,7 @@ rec { install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions ''; }; - keys = [{ - dest = "webapps/tools-ttrss"; + keys."webapps/tools-ttrss" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -87,7 +86,7 @@ rec { define('LDAP_AUTH_LOG_ATTEMPTS', FALSE); define('LDAP_AUTH_DEBUG', FALSE); ''; - }]; + }; webRoot = (ttrss.override { ttrss_config = config.secrets.fullPaths."webapps/tools-ttrss"; }).withPlugins (p: [ p.auth_ldap p.ff_instagram p.tumblr_gdpr_ua (p.af_feedmod.override { patched = true; }) diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix index 1a604c7..b6ad151 100644 --- a/modules/private/websites/tools/tools/wallabag.nix +++ b/modules/private/websites/tools/tools/wallabag.nix 
@@ -5,8 +5,7 @@ rec { remotes = [ "eriomem" "ovh" ]; }; varDir = "/var/lib/wallabag"; - keys = [{ - dest = "webapps/tools-wallabag"; + keys."webapps/tools-wallabag" = { user = apache.user; group = apache.group; permissions = "0400"; @@ -68,7 +67,7 @@ rec { class: Swift_SendmailTransport arguments: ['/run/wrappers/bin/sendmail -bs'] ''; - }]; + }; webappDir = wallabag.override { ldap = true; wallabag_config = config.secrets.fullPaths."webapps/tools-wallabag"; }; activationScript = '' install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \ diff --git a/modules/private/websites/tools/tools/webhooks.nix b/modules/private/websites/tools/tools/webhooks.nix index 8ffb81b..785e22b 100644 --- a/modules/private/websites/tools/tools/webhooks.nix +++ b/modules/private/websites/tools/tools/webhooks.nix @@ -1,16 +1,17 @@ { lib, env }: { - keys = lib.attrsets.mapAttrsToList (k: v: { - dest = "webapps/webhooks/${k}.php"; + keys = lib.attrsets.mapAttrs' (k: v: + lib.nameValuePair "webapps/webhooks/${k}.php" { user = "wwwrun"; group = "wwwrun"; permissions = "0400"; text = v; - }) env ++ [{ - dest = "webapps/webhooks"; - isDir = true; - user = "wwwrun"; - group = "wwwrun"; - permissions = "0500"; - }]; + }) env // { + "webapps/webhooks" = { + isDir = true; + user = "wwwrun"; + group = "wwwrun"; + permissions = "0500"; + }; + }; } diff --git a/modules/private/websites/tools/tools/yourls.nix b/modules/private/websites/tools/tools/yourls.nix index 0f977f2..01ef548 100644 --- a/modules/private/websites/tools/tools/yourls.nix +++ b/modules/private/websites/tools/tools/yourls.nix @@ -6,8 +6,7 @@ rec { install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls ''; }; - keys = [{ - dest = "webapps/tools-yourls"; + keys."webapps/tools-yourls" = { user = apache.user; group = apache.group; permissions = "0400"; 
@@ -39,7 +38,7 @@ rec { define( 'LDAPAUTH_USERCACHE_TYPE', 0); ''; - }]; + }; webRoot = (yourls.override { yourls_config = config.secrets.fullPaths."webapps/tools-yourls"; }).withPlugins (p: [p.ldap]); apache = rec { user = "wwwrun"; -- cgit v1.2.3