From 258dd18bac4bf5dd03cf1098ffa35cb954f9e015 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sun, 5 Apr 2020 15:57:20 +0200 Subject: Upgrade to nixos-unstable --- modules/private/certificates.nix | 12 ++++---- modules/private/databases/mariadb.nix | 39 +++++++++++++------------- modules/private/databases/openldap/default.nix | 1 - modules/private/databases/postgresql.nix | 15 ++++------ modules/private/ftp.nix | 17 +++++------ modules/private/monitoring/status.nix | 6 +++- modules/private/system.nix | 21 ++++---------- modules/private/system/backup-2.nix | 6 +++- modules/private/system/dilion.nix | 4 +-- modules/private/tasks/default.nix | 1 - 10 files changed, 54 insertions(+), 68 deletions(-) (limited to 'modules/private') diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index 2bf2730..82ff52f 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix @@ -12,7 +12,6 @@ (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") ]; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"]; }; description = "Default configuration for certificates"; }; @@ -30,6 +29,7 @@ myServices.databasesCerts = config.myServices.certificates.certConfig; myServices.ircCerts = config.myServices.certificates.certConfig; + security.acme.acceptTerms = true; security.acme.preliminarySelfsigned = true; security.acme.certs = { 
@@ -39,18 +39,16 @@ }; systemd.services = lib.attrsets.mapAttrs' (k: v: - lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = - (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' + lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore '' cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem - '') + - (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' + cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem - '') - ; }) + ''; + } ) config.security.acme.certs // lib.attrsets.mapAttrs' (k: data: lib.attrsets.nameValuePair "acme-${k}" { diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index 04e4bd6..36edaeb 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix 
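Review bot: The new `script = lib.mkBefore ''…''` copies `$workdir/server.crt` and `$workdir/ca.crt`, but nothing in this fragment defines `$workdir`; if the upstream `acme-selfsigned-*` script is what creates it with `mktemp -d`, `mkBefore` orders these two `cp` lines before that assignment and the unit fails on the first copy under the `set -e` NixOS applies to service scripts. Confirm against the nixos-unstable acme module and switch to `lib.mkAfter` if the temp directory is created by the upstream script. Dropping the per-`plugins` gating is consistent with the module no longer exposing that option, so that part is fine. The surrounding `mapAttrs'` expression continues past the hunk (the `acme-${k}` definitions), so the rest of the merge is not visible here.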
@@ -94,26 +94,27 @@ in { enable = true; package = cfg.package; dataDir = cfg.dataDir; - extraOptions = '' - ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem - ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem + settings = { + mysqld = { + ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem"; + ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem"; - # for replication - log-bin=mariadb-bin - server-id=1 + # for replication + log-bin = "mariadb-bin"; + server-id = "1"; - # this introduces a small delay before storing on disk, but - # makes it order of magnitudes quicker - innodb_flush_log_at_trx_commit = 0 - ''; + # this introduces a small delay before storing on disk, but + # makes it order of magnitudes quicker + innodb_flush_log_at_trx_commit = "0"; + }; + }; }; users.users.mysql.extraGroups = [ "keys" ]; security.acme.certs."mysql" = config.myServices.databasesCerts // { user = "mysql"; group = "mysql"; - plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; domain = "db-1.immae.eu"; postRun = '' systemctl restart mysql.service @@ -164,23 +165,21 @@ in { security.pam.services = let pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; - in [ - { - name = "mysql"; + in { + mysql = { text = '' # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam account required ${pam_ldap} config=${config.secrets.location}/mysql/pam ''; - } - { - name = "mysql_replication"; + }; + mysql_replication = { text = '' auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication ''; - } - ]; + }; + }; }; } 
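Review bot: `ssl_ca` in the new `settings.mysqld` block still points at the Mozilla bundle (`${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt`), which is the set of CAs the server will trust when verifying client certificates — any account granted `REQUIRE X509` could then authenticate with a certificate issued by any public CA, not only one you control. If client-certificate authentication is not used this is harmless; otherwise point `ssl_ca` at your own issuing CA (or the specific chain you expect) and pin accounts with `REQUIRE ISSUER`/`REQUIRE SUBJECT`. The hunk does not set `require_secure_transport`, so plaintext connections remain possible unless that is enforced elsewhere — worth confirming since the certificate plumbing suggests TLS is intended.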
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index efe9379..302aa04 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix @@ -107,7 +107,6 @@ in security.acme.certs."ldap" = config.myServices.databasesCerts // { user = "openldap"; group = "openldap"; - plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; domain = "ldap.immae.eu"; postRun = '' systemctl restart openldap.service diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index d0b1a75..c442a63 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix @@ -100,7 +100,6 @@ in { security.acme.certs."postgresql" = config.myServices.databasesCerts // { user = "postgres"; group = "postgres"; - plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; domain = "db-1.immae.eu"; postRun = '' systemctl reload postgresql.service @@ -212,22 +211,20 @@ in { security.pam.services = let pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; - in [ - { - name = "postgresql"; + in { + postgresql = { text = '' auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam ''; - } - { - name = "postgresql_replication"; + }; + postgresql_replication = { text = '' auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication ''; - } - ]; + }; + }; }; } diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix index 417af87..8ae4e65 100644 --- a/modules/private/ftp.nix +++ b/modules/private/ftp.nix 
@@ -32,16 +32,13 @@ in }; }; - users.users = [ - { - name = "ftp"; - uid = config.ids.uids.ftp; # 8 - group = "ftp"; - description = "Anonymous FTP user"; - home = "/homeless-shelter"; - extraGroups = [ "keys" ]; - } - ]; + users.users.ftp = { + uid = config.ids.uids.ftp; # 8 + group = "ftp"; + description = "Anonymous FTP user"; + home = "/homeless-shelter"; + extraGroups = [ "keys" ]; + }; users.groups.ftp.gid = config.ids.gids.ftp; diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix index d25d934..7810a1f 100644 --- a/modules/private/monitoring/status.nix +++ b/modules/private/monitoring/status.nix @@ -34,7 +34,11 @@ locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/"; }; }; - security.acme.certs."${name}".extraDomains."status.immae.eu" = null; + security.acme.certs."${name}" = { + extraDomains."status.immae.eu" = null; + user = config.services.nginx.user; + group = config.services.nginx.group; + }; myServices.certificates.enable = true; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/modules/private/system.nix b/modules/private/system.nix index 64fc2d9..70b74d0 100644 --- a/modules/private/system.nix +++ b/modules/private/system.nix @@ -65,21 +65,10 @@ users.mutableUsers = false; environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios"; - environment.systemPackages = - let - home-manager = builtins.fetchGit { - url = "https://github.com/rycee/home-manager.git"; - rev = "ef64bc598f28818d56c86629dad98b468af9c071"; - ref = "release-19.03"; - }; - in - [ - pkgs.git - pkgs.vim - ] ++ - (lib.optional - (builtins.length (config.hostEnv.users pkgs) > 0) - ((pkgs.callPackage home-manager {}).home-manager) - ); + environment.systemPackages = [ + pkgs.git + pkgs.vim + ] ++ + (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager); }; } diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix index 4e24c12..6829f1b 100644 
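Review bot: The rewritten `users.users.ftp` keeps `extraGroups = [ "keys" ]` on the anonymous FTP account, which on a NixOps-style deployment makes every secret deployed with group `keys` under `/run/keys` readable by the FTP daemon's user. If the daemon does not actually read a key from there, drop the group; if it needs exactly one key, deploy that key with `group = "ftp"` instead of granting blanket `keys` membership to a service account that serves anonymous clients. The service definition that would show which key is needed is outside this hunk.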
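Review bot: Setting `user`/`group` of `security.acme.certs."${name}"` to the nginx user makes the ACME client run as, and `key.pem` plus the account key be owned by, the same account that serves HTTP, so a compromised worker could replace or re-issue the certificate rather than merely read it. If the module allows it, leave `user` at its default and grant read access via `group = config.services.nginx.group` together with `allowKeysForGroup = true` (an option this repository already consults in certificates.nix). The same pattern is added in `modules/private/system/backup-2.nix` further down and the same remark applies there.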
--- a/modules/private/system/backup-2.nix +++ b/modules/private/system/backup-2.nix @@ -1,5 +1,5 @@ { privateFiles }: -{ config, pkgs, resources, ... }: +{ config, pkgs, resources, name, ... }: { boot.kernelPackages = pkgs.linuxPackages_latest; myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; @@ -35,6 +35,10 @@ }; myServices.certificates.enable = true; + security.acme.certs."${name}" = { + user = config.services.nginx.user; + group = config.services.nginx.group; + }; services.nginx = { enable = true; recommendedOptimisation = true; diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix index 788c2dc..911c76d 100644 --- a/modules/private/system/dilion.nix +++ b/modules/private/system/dilion.nix @@ -101,8 +101,8 @@ # This is equivalent to setting environment.sessionVariables.NIX_PATH nix.nixPath = [ - "home-manager=https://github.com/rycee/home-manager/archive/release-19.03.tar.gz" - "nixpkgs=https://nixos.org/channels/nixos-19.03/nixexprs.tar.xz" + "home-manager=https://github.com/rycee/home-manager/archive/master.tar.gz" + "nixpkgs=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz" ]; nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ]; nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ]; diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index 42cc8d2..43d40d6 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix @@ -197,7 +197,6 @@ in { security.acme.certs."task" = config.myServices.certificates.certConfig // { inherit user group; - plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; domain = fqdn; postRun = '' systemctl restart taskserver.service -- cgit v1.2.3
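Review bot: `home-manager=https://github.com/rycee/home-manager/archive/master.tar.gz` in `nix.nixPath` points NIX_PATH at an unpinned, unhashed branch tip, so every evaluation that resolves `<home-manager>` on this host fetches and executes whatever is on `master` at that moment; the previous `release-19.03` value was at least a maintained release branch. Pin it to a commit (`archive/<rev>.tar.gz`) or, better, resolve it through `builtins.fetchTarball { url = …; sha256 = …; }` in the system configuration rather than a bare URL in NIX_PATH. The `nixpkgs` entry has the same property but now tracks the channel the host itself is built from, which is the usual trade-off for a channel URL.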