From 5622bc37480b2a93768baecfa3a814c43c880b13 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Mon, 2 Oct 2023 22:48:18 +0200
Subject: [PATCH] feat(dgn-secrets): Add a matches option

This option allows specifying regexes tied to options. When a secret matches a pattern, the the options are applied to it.
---
 machines/compute01/ds-fr/default.nix  | 18 ++----
 machines/compute01/mastodon.nix       | 12 +---
 machines/compute01/nextcloud.nix      | 12 +---
 machines/compute01/outline.nix        | 12 +---
 machines/compute01/satosa/default.nix | 12 +---
 machines/compute01/zammad.nix         |  2 +-
 machines/storage01/forgejo.nix        | 14 +----
 machines/storage01/peertube.nix       | 13 +----
 modules/dgn-secrets.nix               | 83 +++++++++++++++------------
 9 files changed, 71 insertions(+), 107 deletions(-)

diff --git a/machines/compute01/ds-fr/default.nix b/machines/compute01/ds-fr/default.nix
index 062e156..89450cd 100644
--- a/machines/compute01/ds-fr/default.nix
+++ b/machines/compute01/ds-fr/default.nix
@@ -1,9 +1,6 @@
-{ config, lib, dgn-lib, ... }:
+{ config, ... }:
 
-let
-  inherit (dgn-lib) setDefault;
-
-  host = "demarches.dgnum.eu";
+let host = "demarches.dgnum.eu";
 in {
   imports = [ ./module.nix ];
 
@@ -28,7 +25,8 @@ in {
       S3_REGION = "garage";
       S3_FORCE_PATH_STYLE = "true";
       S3_ACCESS_KEY_ID = "GK4d244118eac2336ae0ab2dd9";
-      S3_SECRET_ACCESS_KEY = "61100261fb0a0c861371596f9ffcd1e83134301a6d0c665a077135af04ba18c3";
+      S3_SECRET_ACCESS_KEY =
+        "61100261fb0a0c861371596f9ffcd1e83134301a6d0c665a077135af04ba18c3";
 
       # SAML_IDP_ENABLED = "enabled";
 
@@ -51,8 +49,7 @@ in {
       CONTACT_EMAIL = "demarches@infra.dgnum.eu";
       EQUIPE_EMAIL = "equipe@infra.dgnum.eu";
       TECH_EMAIL = "tech@infra.dgnum.eu";
-      NO_REPLY_EMAIL =
-        ''"Ne pas répondre "'';
+      NO_REPLY_EMAIL = ''"Ne pas répondre "'';
       OLD_CONTACT_EMAIL = "";
       CONTACT_PHONE = "";
 
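Review bot: The new `S3_SECRET_ACCESS_KEY =` / `"6110…"` lines on the `+` side still carry the S3 secret access key as a cleartext literal in a committed Nix file; the hunk only re-wraps it. The rest of this commit routes secret ownership through `dgn-secrets` / `age.secrets`, so this value is the odd one out, and if these settings are rendered into an environment file it will also land in the world-readable Nix store. Consider supplying it from an age secret like the other ds-fr secrets (for example `config.age.secrets."ds_fr-s3_secret_access_key".path`, a constructed name) and rotating the key that is already in the history. The attribute set these settings belong to starts and ends outside the hunk.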
@@ -63,10 +60,7 @@ in {
     };
   };
 
-  dgn-secrets.options = [
-    (setDefault { owner = "ds-fr"; }
-      (builtins.filter (lib.hasPrefix "ds_fr") config.dgn-secrets.names))
-  ];
+  dgn-secrets.matches."^ds_fr-.*$" = { owner = "ds-fr"; };
 
   users.users.ds-fr.extraGroups = [ "sendmail" ];
 }
diff --git a/machines/compute01/mastodon.nix b/machines/compute01/mastodon.nix
index dc34407..4a30e80 100644
--- a/machines/compute01/mastodon.nix
+++ b/machines/compute01/mastodon.nix
@@ -1,9 +1,6 @@
-{ config, lib, dgn-lib, ... }:
+{ config, ... }:
 
-let
-  inherit (dgn-lib) setDefault;
-
-  host = "social.dgnum.eu";
+let host = "social.dgnum.eu";
 in {
   services.mastodon = {
     enable = true;
@@ -39,8 +36,5 @@ in {
     extraEnvFiles = [ config.age.secrets."mastodon-extra_env_file".path ];
   };
 
-  dgn-secrets.options = [
-    (setDefault { owner = "mastodon"; }
-      (builtins.filter (lib.hasPrefix "mastodon-") config.dgn-secrets.names))
-  ];
+  dgn-secrets.matches."^mastodon-.*$" = { owner = "mastodon"; };
 }
diff --git a/machines/compute01/nextcloud.nix b/machines/compute01/nextcloud.nix
index f438b78..de78dc1 100644
--- a/machines/compute01/nextcloud.nix
+++ b/machines/compute01/nextcloud.nix
@@ -1,9 +1,6 @@
-{ config, lib, pkgs, dgn-lib, ... }:
+{ config, pkgs, ... }:
 
-let
-  inherit (dgn-lib) setDefault;
-
-  host = "cloud.dgnum.eu";
+let host = "cloud.dgnum.eu";
 in {
   services.nextcloud = {
     enable = true;
@@ -71,8 +68,5 @@ in {
       exif
     ];
 
-  dgn-secrets.options = [
-    (setDefault { owner = "nextcloud"; }
-      (builtins.filter (lib.hasPrefix "nextcloud-") config.dgn-secrets.names))
-  ];
+  dgn-secrets.matches."^nextcloud-.*$" = { owner = "nextcloud"; };
 }
diff --git a/machines/compute01/outline.nix b/machines/compute01/outline.nix
index 68423c9..ef8ce6c 100644
--- a/machines/compute01/outline.nix
+++ b/machines/compute01/outline.nix
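Review bot: `dgn-secrets.matches."^ds_fr-.*$"` narrows the selection the removed lines made: the old filter was `lib.hasPrefix "ds_fr"` with no trailing dash, so any secret named `ds_fr_…` (or bare `ds_fr…`) that previously got `owner = "ds-fr"` would now keep the module defaults (`owner = "0"`, `mode = "0400"`) and be unreadable by the service. If every ds-fr secret really is named `ds_fr-…` this is a no-op, but that should be checked against the secrets directory. The mastodon, nextcloud and later machine hunks reuse their original `<prefix>-` strings and are unaffected. To keep the previous behaviour exactly: `dgn-secrets.matches."^ds_fr.*$" = { owner = "ds-fr"; };`.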
@@ -1,9 +1,6 @@
-{ config, lib, dgn-lib, ... }:
+{ config, ... }:
 
-let
-  inherit (dgn-lib) setDefault;
-
-  host = "docs.dgnum.eu";
+let host = "docs.dgnum.eu";
 in {
   services.outline = {
     enable = true;
@@ -57,8 +54,5 @@ in {
     };
   };
 
-  dgn-secrets.options = [
-    (setDefault { owner = "outline"; }
-      (builtins.filter (lib.hasPrefix "outline-") config.dgn-secrets.names))
-  ];
+  dgn-secrets.matches."^outline-.*$" = { owner = "outline"; };
 }
diff --git a/machines/compute01/satosa/default.nix b/machines/compute01/satosa/default.nix
index 3757e67..f1e3f17 100644
--- a/machines/compute01/satosa/default.nix
+++ b/machines/compute01/satosa/default.nix
@@ -1,9 +1,6 @@
-{ config, lib, dgn-lib, ... }:
+{ config, ... }:
 
-let
-  inherit (dgn-lib) setDefault;
-
-  host = "saml-idp.dgnum.eu";
+let host = "saml-idp.dgnum.eu";
 in {
   imports = [ ./module.nix ];
 
@@ -147,8 +144,5 @@ in {
     forceSSL = true;
   };
 
-  dgn-secrets.options = [
-    (setDefault { owner = "satosa"; }
-      (builtins.filter (lib.hasPrefix "satosa-") config.dgn-secrets.names))
-  ];
+  dgn-secrets.matches."^satosa-.*$" = { owner = "satosa"; };
 }
diff --git a/machines/compute01/zammad.nix b/machines/compute01/zammad.nix
index 56fc5c3..a272e31 100644
--- a/machines/compute01/zammad.nix
+++ b/machines/compute01/zammad.nix
@@ -51,5 +51,5 @@ in {
     };
   };
 
-  dgn-secrets.options = [{ zammad-secret_key_base_file.owner = "zammad"; }];
+  dgn-secrets.matches."^zammad-.*$" = { owner = "zammad"; };
 }
diff --git a/machines/storage01/forgejo.nix b/machines/storage01/forgejo.nix
index deaba9d..5ac1e57 100644
--- a/machines/storage01/forgejo.nix
+++ b/machines/storage01/forgejo.nix
@@ -1,11 +1,8 @@
-{ config, lib, pkgs, dgn-lib, ... }:
+{ config, pkgs, ... }:
 
 let
-  inherit (dgn-lib) setDefault;
-
   port = 3000;
   host = "git.dgnum.eu";
-
 in {
   services.forgejo = {
     enable = true;
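Review bot: The zammad hunk widens ownership from the single secret `zammad-secret_key_base_file` to every name matching `^zammad-.*$`, including any `zammad-…` secret added later, which is a broader grant than the line it replaces. If that is the intent it is harmless; otherwise keep the pattern literal, `dgn-secrets.matches."^zammad-secret_key_base_file$" = { owner = "zammad"; };`. The outline, satosa and forgejo hunks on this line are direct rewrites of the previous prefix filters and raise no new point.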
@@ -22,9 +19,7 @@ in {
     };
 
     settings = {
-      DEFAULT = {
-        APP_NAME = "Forge git de la DGNum";
-      };
+      DEFAULT = { APP_NAME = "Forge git de la DGNum"; };
 
       server = {
         ROOT_URL = "https://${host}/";
@@ -90,8 +85,5 @@ in {
 
   users.groups.git = { };
 
-  dgn-secrets.options = [
-    (setDefault { owner = "git"; }
-      (builtins.filter (lib.hasPrefix "forgejo-") config.dgn-secrets.names))
-  ];
+  dgn-secrets.matches."^forgejo-.*$" = { owner = "git"; };
 }
diff --git a/machines/storage01/peertube.nix b/machines/storage01/peertube.nix
index 49c200b..425a561 100644
--- a/machines/storage01/peertube.nix
+++ b/machines/storage01/peertube.nix
@@ -1,10 +1,6 @@
-{ config, lib, dgn-lib, ... }:
-
-let
-  inherit (dgn-lib) setDefault;
-
-  host = "videos.dgnum.eu";
+{ config, ... }:
+let host = "videos.dgnum.eu";
 in {
   services.peertube = {
     enable = true;
 
@@ -63,8 +59,5 @@ in {
     forceSSL = true;
   };
 
-  dgn-secrets.options = [
-    (setDefault { owner = "peertube"; }
-      (builtins.filter (lib.hasPrefix "peertube-") config.dgn-secrets.names))
-  ];
+  dgn-secrets.matches."^peertube-.*$" = { owner = "peertube"; };
 }
diff --git a/modules/dgn-secrets.nix b/modules/dgn-secrets.nix
index 8453213..444be9d 100644
--- a/modules/dgn-secrets.nix
+++ b/modules/dgn-secrets.nix
@@ -1,4 +1,4 @@
-# Copyright :
+# Copyright :
 # - Tom Hubrecht 2023
 #
 # Ce logiciel est un programme informatique servant à déployer des
@@ -39,43 +39,40 @@ let
 
     types;
 
-  inherit (dgn-lib)
-    getSecrets
-    mkBaseSecrets
-    recursiveFuse;
+  inherit (dgn-lib) getSecrets mkBaseSecrets recursiveFuse;
 
   cfg = config.dgn-secrets;
 
-  optionsType = with types; submodule ({ config, ... }: {
-    options = {
-      mode = mkOption {
-        type = str;
-        default = "0400";
-        description = ''
-          Permissions mode of the decrypted secret in a format understood by chmod.
-        '';
-      };
+  optionsType = with types;
+    submodule ({ config, ... }: {
+      options = {
+        mode = mkOption {
+          type = str;
+          default = "0400";
+          description = ''
+            Permissions mode of the decrypted secret in a format understood by chmod.
+          '';
+        };
 
-      owner = mkOption {
-        type = str;
-        default = "0";
-        description = ''
-          User of the decrypted secret.
-        '';
-      };
+        owner = mkOption {
+          type = str;
+          default = "0";
+          description = ''
+            User of the decrypted secret.
+          '';
+        };
 
-      group = mkOption {
-        type = str;
-        default = config.users.${config.owner}.group or "0";
-        description = ''
-          Group of the decrypted secret.
-        '';
+        group = mkOption {
+          type = str;
+          default = config.users.${config.owner}.group or "0";
+          description = ''
+            Group of the decrypted secret.
+          '';
+        };
       };
-    };
-  });
-in
+    });
 
-{
+in {
   options.dgn-secrets = {
     sources = mkOption {
       type = with types; listOf path;
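Review bot: In the re-indented `group` option, `config` is the submodule's own argument (`submodule ({ config, ... }: …)`), so `config.users.${config.owner}.group or "0"` looks up `users` on the per-secret option set, which has no such attribute, and the `or` makes the default resolve to `"0"` for every secret regardless of owner — it appears the outer NixOS `config` (the one `cfg = config.dgn-secrets` reads) was intended, and even that needs `users.users.${owner}`. With the default `mode = "0400"` the group gets no access anyway, so the practical effect is small, but an owner-specific `mode` such as `0440` would silently grant root's group rather than the service's group. A two-line fix is to bind the outer config in the `let` (e.g. `nixosConfig = config;`) and use `default = nixosConfig.users.users.${config.owner}.group or "0";`; alternatively document in the description that the group defaults to `"0"`. The `let` block this hunk edits starts before line 39.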
@@ -95,18 +92,30 @@ in
 
     names = mkOption {
       type = with types; listOf str;
-      default = builtins.foldl' (acc: dir: acc ++ (dgn-lib.getSecrets dir)) [ ] cfg.sources;
+      default = builtins.foldl' (acc: dir: acc ++ (dgn-lib.getSecrets dir)) [ ]
+        cfg.sources;
       description = ''
         List of the names of the secrets.
       '';
     };
+
+    matches = mkOption {
+      type = with types; attrsOf optionsType;
+      default = { };
+      description = ''
+        Matches of secret names associated to options.
+      '';
+    };
   };
 
   config = {
-    age.secrets = recursiveFuse (cfg.options ++ (
-      builtins.map
-        (dir: mkBaseSecrets dir (getSecrets dir))
-        cfg.sources
-    ));
+    dgn-secrets.options = builtins.concatLists (builtins.attrValues
+      (builtins.mapAttrs (pattern: options:
+        builtins.map (secret: { ${secret} = options; })
+        (builtins.filter (secret: builtins.match pattern secret != null)
+          cfg.names)) cfg.matches));
+
+    age.secrets = recursiveFuse (cfg.options
+      ++ (builtins.map (dir: mkBaseSecrets dir (getSecrets dir)) cfg.sources));
   };
 }
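Review bot: `dgn-secrets.options` is assembled with `builtins.attrValues (builtins.mapAttrs … cfg.matches)`, so when two patterns match the same secret name both entries reach `recursiveFuse` and precedence is decided by the lexicographic order of the pattern strings, not by where they were declared; a broad `^.*$` and a specific `^foo-.*$` can resolve either way depending on spelling, which matters when one of them sets a looser `mode`. A pattern that matches no name (a typo, or the `ds_fr` prefix change elsewhere in this commit) is silent: the secret keeps `owner = "0"` / `mode = "0400"` and the service fails at runtime instead of at evaluation. Note also that `builtins.match` already matches the whole string, so the `^`/`$` in the callers are redundant, and the `matches` description should say the key is a POSIX ERE matched against the full secret name and how overlaps are resolved. An assertion per pattern would turn the no-match case into an evaluation error:

```nix
  config = {
    # … unchanged: dgn-secrets.options / age.secrets …
    assertions = builtins.map (pattern: {
      assertion = builtins.any (secret: builtins.match pattern secret != null) cfg.names;
      message = "dgn-secrets.matches: pattern '${pattern}' matches no secret name";
    }) (builtins.attrNames cfg.matches);
```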