feat(dgn-secrets): Add a matches option

This option allows specifying regexes tied to options.
When a secret matches a pattern, the options are applied to it.
Tom Hubrecht 2023-10-02 22:48:18 +02:00
parent 18c1fa1ddd
commit 5622bc3748
9 changed files with 71 additions and 107 deletions


@ -1,9 +1,6 @@
{ config, lib, dgn-lib, ... }: { config, ... }:
let let host = "demarches.dgnum.eu";
inherit (dgn-lib) setDefault;
host = "demarches.dgnum.eu";
in { in {
imports = [ ./module.nix ]; imports = [ ./module.nix ];
@ -28,7 +25,8 @@ in {
S3_REGION = "garage"; S3_REGION = "garage";
S3_FORCE_PATH_STYLE = "true"; S3_FORCE_PATH_STYLE = "true";
S3_ACCESS_KEY_ID = "GK4d244118eac2336ae0ab2dd9"; S3_ACCESS_KEY_ID = "GK4d244118eac2336ae0ab2dd9";
S3_SECRET_ACCESS_KEY = "61100261fb0a0c861371596f9ffcd1e83134301a6d0c665a077135af04ba18c3"; S3_SECRET_ACCESS_KEY =
"61100261fb0a0c861371596f9ffcd1e83134301a6d0c665a077135af04ba18c3";
# SAML_IDP_ENABLED = "enabled"; # SAML_IDP_ENABLED = "enabled";
@ -51,8 +49,7 @@ in {
CONTACT_EMAIL = "demarches@infra.dgnum.eu"; CONTACT_EMAIL = "demarches@infra.dgnum.eu";
EQUIPE_EMAIL = "equipe@infra.dgnum.eu"; EQUIPE_EMAIL = "equipe@infra.dgnum.eu";
TECH_EMAIL = "tech@infra.dgnum.eu"; TECH_EMAIL = "tech@infra.dgnum.eu";
NO_REPLY_EMAIL = NO_REPLY_EMAIL = ''"Ne pas répondre <demarches@infra.dgnum.eu>"'';
''"Ne pas répondre <demarches@infra.dgnum.eu>"'';
OLD_CONTACT_EMAIL = ""; OLD_CONTACT_EMAIL = "";
CONTACT_PHONE = ""; CONTACT_PHONE = "";
@ -63,10 +60,7 @@ in {
}; };
}; };
dgn-secrets.options = [ dgn-secrets.matches."^ds_fr-.*$" = { owner = "ds-fr"; };
(setDefault { owner = "ds-fr"; }
(builtins.filter (lib.hasPrefix "ds_fr") config.dgn-secrets.names))
];
users.users.ds-fr.extraGroups = [ "sendmail" ]; users.users.ds-fr.extraGroups = [ "sendmail" ];
} }
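Review bot: `S3_SECRET_ACCESS_KEY` remains a plaintext literal in this module (the hunk only re-wraps the line), so the credential sits in repository history and, once evaluated, in the world-readable Nix store; it should be supplied through the `dgn-secrets`/age machinery this commit extends, for instance via an environment file read from `config.age.secrets."<secret-name-placeholder>".path` as the mastodon module does with `extraEnvFiles`, and the key should be rotated since it has already been committed. Separately, the new pattern `^ds_fr-.*$` is narrower than the `lib.hasPrefix "ds_fr"` it replaces: a secret named like `ds_fr_foo` previously received `owner = "ds-fr"` and now would not. Whether any such secret exists is not visible from this hunk, so it is worth checking the secrets directory before merging.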


@ -1,9 +1,6 @@
{ config, lib, dgn-lib, ... }: { config, ... }:
let let host = "social.dgnum.eu";
inherit (dgn-lib) setDefault;
host = "social.dgnum.eu";
in { in {
services.mastodon = { services.mastodon = {
enable = true; enable = true;
@ -39,8 +36,5 @@ in {
extraEnvFiles = [ config.age.secrets."mastodon-extra_env_file".path ]; extraEnvFiles = [ config.age.secrets."mastodon-extra_env_file".path ];
}; };
dgn-secrets.options = [ dgn-secrets.matches."^mastodon-.*$" = { owner = "mastodon"; };
(setDefault { owner = "mastodon"; }
(builtins.filter (lib.hasPrefix "mastodon-") config.dgn-secrets.names))
];
} }


@ -1,9 +1,6 @@
{ config, lib, pkgs, dgn-lib, ... }: { config, pkgs, ... }:
let let host = "cloud.dgnum.eu";
inherit (dgn-lib) setDefault;
host = "cloud.dgnum.eu";
in { in {
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
@ -71,8 +68,5 @@ in {
exif exif
]; ];
dgn-secrets.options = [ dgn-secrets.matches."^nextcloud-.*$" = { owner = "nextcloud"; };
(setDefault { owner = "nextcloud"; }
(builtins.filter (lib.hasPrefix "nextcloud-") config.dgn-secrets.names))
];
} }


@ -1,9 +1,6 @@
{ config, lib, dgn-lib, ... }: { config, ... }:
let let host = "docs.dgnum.eu";
inherit (dgn-lib) setDefault;
host = "docs.dgnum.eu";
in { in {
services.outline = { services.outline = {
enable = true; enable = true;
@ -57,8 +54,5 @@ in {
}; };
}; };
dgn-secrets.options = [ dgn-secrets.matches."^outline-.*$" = { owner = "outline"; };
(setDefault { owner = "outline"; }
(builtins.filter (lib.hasPrefix "outline-") config.dgn-secrets.names))
];
} }


@ -1,9 +1,6 @@
{ config, lib, dgn-lib, ... }: { config, ... }:
let let host = "saml-idp.dgnum.eu";
inherit (dgn-lib) setDefault;
host = "saml-idp.dgnum.eu";
in { in {
imports = [ ./module.nix ]; imports = [ ./module.nix ];
@ -147,8 +144,5 @@ in {
forceSSL = true; forceSSL = true;
}; };
dgn-secrets.options = [ dgn-secrets.matches."^satosa-.*$" = { owner = "satosa"; };
(setDefault { owner = "satosa"; }
(builtins.filter (lib.hasPrefix "satosa-") config.dgn-secrets.names))
];
} }


@ -51,5 +51,5 @@ in {
}; };
}; };
dgn-secrets.options = [{ zammad-secret_key_base_file.owner = "zammad"; }]; dgn-secrets.matches."^zammad-.*$" = { owner = "zammad"; };
} }
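Review bot: The replacement widens the grant: the old entry gave `owner = "zammad"` to the single secret `zammad-secret_key_base_file`, while `^zammad-.*$` now hands every `zammad-`-prefixed secret to the `zammad` service account. Any other `zammad-*` secret in the sources that was meant to stay root-owned becomes readable by that user without an explicit decision; the secrets directory is not visible here, so this should be confirmed. If only the one file is intended, `dgn-secrets.matches."^zammad-secret_key_base_file$" = { owner = "zammad"; };` keeps the previous scope while still using the new mechanism.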


@ -1,11 +1,8 @@
{ config, lib, pkgs, dgn-lib, ... }: { config, pkgs, ... }:
let let
inherit (dgn-lib) setDefault;
port = 3000; port = 3000;
host = "git.dgnum.eu"; host = "git.dgnum.eu";
in { in {
services.forgejo = { services.forgejo = {
enable = true; enable = true;
@ -22,9 +19,7 @@ in {
}; };
settings = { settings = {
DEFAULT = { DEFAULT = { APP_NAME = "Forge git de la DGNum"; };
APP_NAME = "Forge git de la DGNum";
};
server = { server = {
ROOT_URL = "https://${host}/"; ROOT_URL = "https://${host}/";
@ -90,8 +85,5 @@ in {
users.groups.git = { }; users.groups.git = { };
dgn-secrets.options = [ dgn-secrets.matches."^forgejo-.*$" = { owner = "git"; };
(setDefault { owner = "git"; }
(builtins.filter (lib.hasPrefix "forgejo-") config.dgn-secrets.names))
];
} }


@ -1,10 +1,6 @@
{ config, lib, dgn-lib, ... }: { config, ... }:
let
inherit (dgn-lib) setDefault;
host = "videos.dgnum.eu";
let host = "videos.dgnum.eu";
in { in {
services.peertube = { services.peertube = {
enable = true; enable = true;
@ -63,8 +59,5 @@ in {
forceSSL = true; forceSSL = true;
}; };
dgn-secrets.options = [ dgn-secrets.matches."^peertube-.*$" = { owner = "peertube"; };
(setDefault { owner = "peertube"; }
(builtins.filter (lib.hasPrefix "peertube-") config.dgn-secrets.names))
];
} }


@ -39,14 +39,12 @@ let
types; types;
inherit (dgn-lib) inherit (dgn-lib) getSecrets mkBaseSecrets recursiveFuse;
getSecrets
mkBaseSecrets
recursiveFuse;
cfg = config.dgn-secrets; cfg = config.dgn-secrets;
optionsType = with types; submodule ({ config, ... }: { optionsType = with types;
submodule ({ config, ... }: {
options = { options = {
mode = mkOption { mode = mkOption {
type = str; type = str;
@ -73,9 +71,8 @@ let
}; };
}; };
}); });
in
{ in {
options.dgn-secrets = { options.dgn-secrets = {
sources = mkOption { sources = mkOption {
type = with types; listOf path; type = with types; listOf path;
@ -95,18 +92,30 @@ in
names = mkOption { names = mkOption {
type = with types; listOf str; type = with types; listOf str;
default = builtins.foldl' (acc: dir: acc ++ (dgn-lib.getSecrets dir)) [ ] cfg.sources; default = builtins.foldl' (acc: dir: acc ++ (dgn-lib.getSecrets dir)) [ ]
cfg.sources;
description = '' description = ''
List of the names of the secrets. List of the names of the secrets.
''; '';
}; };
matches = mkOption {
type = with types; attrsOf optionsType;
default = { };
description = ''
Matches of secret names associated to options.
'';
};
}; };
config = { config = {
age.secrets = recursiveFuse (cfg.options ++ ( dgn-secrets.options = builtins.concatLists (builtins.attrValues
builtins.map (builtins.mapAttrs (pattern: options:
(dir: mkBaseSecrets dir (getSecrets dir)) builtins.map (secret: { ${secret} = options; })
cfg.sources (builtins.filter (secret: builtins.match pattern secret != null)
)); cfg.names)) cfg.matches));
age.secrets = recursiveFuse (cfg.options
++ (builtins.map (dir: mkBaseSecrets dir (getSecrets dir)) cfg.sources));
}; };
} }
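Review bot: When a secret name matches more than one entry of `matches`, the per-pattern option sets are emitted in `builtins.attrValues` order, which is the lexical order of the pattern strings, and then merged by `recursiveFuse` (defined outside this hunk, presumably a recursive attribute merge), so which pattern wins for an overlapping secret is decided by how the regexes sort rather than by anything the author writes; either document this in the option or reject overlapping matches at evaluation time. The `description` of `matches` is also too thin to tell a user how matching works; suggest `Attribute set mapping a regular expression to the options applied to every secret whose full name matches it (checked with builtins.match).`. Since `builtins.match` only succeeds on a full-string match, the `^` and `$` anchors used by every caller in this commit are redundant, which the description could state so that callers do not assume prefix matching.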