feat(dgn-secrets): Add a matches option
This option allows specifying regexes tied to options. When a secret name matches a pattern, the options are applied to it.
This commit is contained in:
parent
18c1fa1ddd
commit
5622bc3748
9 changed files with 71 additions and 107 deletions
|
@ -1,9 +1,6 @@
|
||||||
{ config, lib, dgn-lib, ... }:
|
{ config, ... }:
|
||||||
|
|
||||||
let
|
let host = "demarches.dgnum.eu";
|
||||||
inherit (dgn-lib) setDefault;
|
|
||||||
|
|
||||||
host = "demarches.dgnum.eu";
|
|
||||||
in {
|
in {
|
||||||
imports = [ ./module.nix ];
|
imports = [ ./module.nix ];
|
||||||
|
|
||||||
|
@ -28,7 +25,8 @@ in {
|
||||||
S3_REGION = "garage";
|
S3_REGION = "garage";
|
||||||
S3_FORCE_PATH_STYLE = "true";
|
S3_FORCE_PATH_STYLE = "true";
|
||||||
S3_ACCESS_KEY_ID = "GK4d244118eac2336ae0ab2dd9";
|
S3_ACCESS_KEY_ID = "GK4d244118eac2336ae0ab2dd9";
|
||||||
S3_SECRET_ACCESS_KEY = "61100261fb0a0c861371596f9ffcd1e83134301a6d0c665a077135af04ba18c3";
|
S3_SECRET_ACCESS_KEY =
|
||||||
|
"61100261fb0a0c861371596f9ffcd1e83134301a6d0c665a077135af04ba18c3";
|
||||||
|
|
||||||
# SAML_IDP_ENABLED = "enabled";
|
# SAML_IDP_ENABLED = "enabled";
|
||||||
|
|
||||||
|
@ -51,8 +49,7 @@ in {
|
||||||
CONTACT_EMAIL = "demarches@infra.dgnum.eu";
|
CONTACT_EMAIL = "demarches@infra.dgnum.eu";
|
||||||
EQUIPE_EMAIL = "equipe@infra.dgnum.eu";
|
EQUIPE_EMAIL = "equipe@infra.dgnum.eu";
|
||||||
TECH_EMAIL = "tech@infra.dgnum.eu";
|
TECH_EMAIL = "tech@infra.dgnum.eu";
|
||||||
NO_REPLY_EMAIL =
|
NO_REPLY_EMAIL = ''"Ne pas répondre <demarches@infra.dgnum.eu>"'';
|
||||||
''"Ne pas répondre <demarches@infra.dgnum.eu>"'';
|
|
||||||
OLD_CONTACT_EMAIL = "";
|
OLD_CONTACT_EMAIL = "";
|
||||||
CONTACT_PHONE = "";
|
CONTACT_PHONE = "";
|
||||||
|
|
||||||
|
@ -63,10 +60,7 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.options = [
|
dgn-secrets.matches."^ds_fr-.*$" = { owner = "ds-fr"; };
|
||||||
(setDefault { owner = "ds-fr"; }
|
|
||||||
(builtins.filter (lib.hasPrefix "ds_fr") config.dgn-secrets.names))
|
|
||||||
];
|
|
||||||
|
|
||||||
users.users.ds-fr.extraGroups = [ "sendmail" ];
|
users.users.ds-fr.extraGroups = [ "sendmail" ];
|
||||||
}
|
}
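Review bot: `S3_SECRET_ACCESS_KEY` (with its paired `S3_ACCESS_KEY_ID`) is still a plain string literal in this module, in the same file that now switches secret ownership to `dgn-secrets.matches`; the hunk only re-wraps the line. Whatever a NixOS module assigns is copied into the world-readable Nix store, so the value visible in this hunk should be treated as disclosed and rotated, and the setting moved to an age secret (one matched by the new `^ds_fr-.*$` pattern would do) and referenced through its `.path`. Note also that the old filter was `lib.hasPrefix "ds_fr"` (no dash) while the new pattern requires `ds_fr-`, so any existing secret named `ds_fr_…` or `ds_fr.…` silently falls back to the root-only defaults; the other services' patterns keep their former prefix exactly. The attribute set these `S3_*` settings live in starts and ends outside the hunk.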
|
||||||
|
|
|
@ -1,9 +1,6 @@
|
||||||
{ config, lib, dgn-lib, ... }:
|
{ config, ... }:
|
||||||
|
|
||||||
let
|
let host = "social.dgnum.eu";
|
||||||
inherit (dgn-lib) setDefault;
|
|
||||||
|
|
||||||
host = "social.dgnum.eu";
|
|
||||||
in {
|
in {
|
||||||
services.mastodon = {
|
services.mastodon = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -39,8 +36,5 @@ in {
|
||||||
extraEnvFiles = [ config.age.secrets."mastodon-extra_env_file".path ];
|
extraEnvFiles = [ config.age.secrets."mastodon-extra_env_file".path ];
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.options = [
|
dgn-secrets.matches."^mastodon-.*$" = { owner = "mastodon"; };
|
||||||
(setDefault { owner = "mastodon"; }
|
|
||||||
(builtins.filter (lib.hasPrefix "mastodon-") config.dgn-secrets.names))
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,9 +1,6 @@
|
||||||
{ config, lib, pkgs, dgn-lib, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let host = "cloud.dgnum.eu";
|
||||||
inherit (dgn-lib) setDefault;
|
|
||||||
|
|
||||||
host = "cloud.dgnum.eu";
|
|
||||||
in {
|
in {
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -71,8 +68,5 @@ in {
|
||||||
exif
|
exif
|
||||||
];
|
];
|
||||||
|
|
||||||
dgn-secrets.options = [
|
dgn-secrets.matches."^nextcloud-.*$" = { owner = "nextcloud"; };
|
||||||
(setDefault { owner = "nextcloud"; }
|
|
||||||
(builtins.filter (lib.hasPrefix "nextcloud-") config.dgn-secrets.names))
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,9 +1,6 @@
|
||||||
{ config, lib, dgn-lib, ... }:
|
{ config, ... }:
|
||||||
|
|
||||||
let
|
let host = "docs.dgnum.eu";
|
||||||
inherit (dgn-lib) setDefault;
|
|
||||||
|
|
||||||
host = "docs.dgnum.eu";
|
|
||||||
in {
|
in {
|
||||||
services.outline = {
|
services.outline = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -57,8 +54,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.options = [
|
dgn-secrets.matches."^outline-.*$" = { owner = "outline"; };
|
||||||
(setDefault { owner = "outline"; }
|
|
||||||
(builtins.filter (lib.hasPrefix "outline-") config.dgn-secrets.names))
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,9 +1,6 @@
|
||||||
{ config, lib, dgn-lib, ... }:
|
{ config, ... }:
|
||||||
|
|
||||||
let
|
let host = "saml-idp.dgnum.eu";
|
||||||
inherit (dgn-lib) setDefault;
|
|
||||||
|
|
||||||
host = "saml-idp.dgnum.eu";
|
|
||||||
in {
|
in {
|
||||||
|
|
||||||
imports = [ ./module.nix ];
|
imports = [ ./module.nix ];
|
||||||
|
@ -147,8 +144,5 @@ in {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.options = [
|
dgn-secrets.matches."^satosa-.*$" = { owner = "satosa"; };
|
||||||
(setDefault { owner = "satosa"; }
|
|
||||||
(builtins.filter (lib.hasPrefix "satosa-") config.dgn-secrets.names))
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -51,5 +51,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.options = [{ zammad-secret_key_base_file.owner = "zammad"; }];
|
dgn-secrets.matches."^zammad-.*$" = { owner = "zammad"; };
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,11 +1,8 @@
|
||||||
{ config, lib, pkgs, dgn-lib, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (dgn-lib) setDefault;
|
|
||||||
|
|
||||||
port = 3000;
|
port = 3000;
|
||||||
host = "git.dgnum.eu";
|
host = "git.dgnum.eu";
|
||||||
|
|
||||||
in {
|
in {
|
||||||
services.forgejo = {
|
services.forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -22,9 +19,7 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
DEFAULT = {
|
DEFAULT = { APP_NAME = "Forge git de la DGNum"; };
|
||||||
APP_NAME = "Forge git de la DGNum";
|
|
||||||
};
|
|
||||||
|
|
||||||
server = {
|
server = {
|
||||||
ROOT_URL = "https://${host}/";
|
ROOT_URL = "https://${host}/";
|
||||||
|
@ -90,8 +85,5 @@ in {
|
||||||
|
|
||||||
users.groups.git = { };
|
users.groups.git = { };
|
||||||
|
|
||||||
dgn-secrets.options = [
|
dgn-secrets.matches."^forgejo-.*$" = { owner = "git"; };
|
||||||
(setDefault { owner = "git"; }
|
|
||||||
(builtins.filter (lib.hasPrefix "forgejo-") config.dgn-secrets.names))
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,10 +1,6 @@
|
||||||
{ config, lib, dgn-lib, ... }:
|
{ config, ... }:
|
||||||
|
|
||||||
let
|
|
||||||
inherit (dgn-lib) setDefault;
|
|
||||||
|
|
||||||
host = "videos.dgnum.eu";
|
|
||||||
|
|
||||||
|
let host = "videos.dgnum.eu";
|
||||||
in {
|
in {
|
||||||
services.peertube = {
|
services.peertube = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -63,8 +59,5 @@ in {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
dgn-secrets.options = [
|
dgn-secrets.matches."^peertube-.*$" = { owner = "peertube"; };
|
||||||
(setDefault { owner = "peertube"; }
|
|
||||||
(builtins.filter (lib.hasPrefix "peertube-") config.dgn-secrets.names))
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Copyright :
|
# Copyright :
|
||||||
# - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
|
# - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
|
||||||
#
|
#
|
||||||
# Ce logiciel est un programme informatique servant à déployer des
|
# Ce logiciel est un programme informatique servant à déployer des
|
||||||
|
@ -39,43 +39,40 @@ let
|
||||||
|
|
||||||
types;
|
types;
|
||||||
|
|
||||||
inherit (dgn-lib)
|
inherit (dgn-lib) getSecrets mkBaseSecrets recursiveFuse;
|
||||||
getSecrets
|
|
||||||
mkBaseSecrets
|
|
||||||
recursiveFuse;
|
|
||||||
|
|
||||||
cfg = config.dgn-secrets;
|
cfg = config.dgn-secrets;
|
||||||
|
|
||||||
optionsType = with types; submodule ({ config, ... }: {
|
optionsType = with types;
|
||||||
options = {
|
submodule ({ config, ... }: {
|
||||||
mode = mkOption {
|
options = {
|
||||||
type = str;
|
mode = mkOption {
|
||||||
default = "0400";
|
type = str;
|
||||||
description = ''
|
default = "0400";
|
||||||
Permissions mode of the decrypted secret in a format understood by chmod.
|
description = ''
|
||||||
'';
|
Permissions mode of the decrypted secret in a format understood by chmod.
|
||||||
};
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
owner = mkOption {
|
owner = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
default = "0";
|
default = "0";
|
||||||
description = ''
|
description = ''
|
||||||
User of the decrypted secret.
|
User of the decrypted secret.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
group = mkOption {
|
group = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
default = config.users.${config.owner}.group or "0";
|
default = config.users.${config.owner}.group or "0";
|
||||||
description = ''
|
description = ''
|
||||||
Group of the decrypted secret.
|
Group of the decrypted secret.
|
||||||
'';
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
});
|
||||||
});
|
|
||||||
in
|
|
||||||
|
|
||||||
{
|
in {
|
||||||
options.dgn-secrets = {
|
options.dgn-secrets = {
|
||||||
sources = mkOption {
|
sources = mkOption {
|
||||||
type = with types; listOf path;
|
type = with types; listOf path;
|
||||||
|
@ -95,18 +92,30 @@ in
|
||||||
|
|
||||||
names = mkOption {
|
names = mkOption {
|
||||||
type = with types; listOf str;
|
type = with types; listOf str;
|
||||||
default = builtins.foldl' (acc: dir: acc ++ (dgn-lib.getSecrets dir)) [ ] cfg.sources;
|
default = builtins.foldl' (acc: dir: acc ++ (dgn-lib.getSecrets dir)) [ ]
|
||||||
|
cfg.sources;
|
||||||
description = ''
|
description = ''
|
||||||
List of the names of the secrets.
|
List of the names of the secrets.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
matches = mkOption {
|
||||||
|
type = with types; attrsOf optionsType;
|
||||||
|
default = { };
|
||||||
|
description = ''
|
||||||
|
Matches of secret names associated to options.
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
age.secrets = recursiveFuse (cfg.options ++ (
|
dgn-secrets.options = builtins.concatLists (builtins.attrValues
|
||||||
builtins.map
|
(builtins.mapAttrs (pattern: options:
|
||||||
(dir: mkBaseSecrets dir (getSecrets dir))
|
builtins.map (secret: { ${secret} = options; })
|
||||||
cfg.sources
|
(builtins.filter (secret: builtins.match pattern secret != null)
|
||||||
));
|
cfg.names)) cfg.matches));
|
||||||
|
|
||||||
|
age.secrets = recursiveFuse (cfg.options
|
||||||
|
++ (builtins.map (dir: mkBaseSecrets dir (getSecrets dir)) cfg.sources));
|
||||||
};
|
};
|
||||||
}
|
}
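Review bot: `matches` defines no precedence when a secret name satisfies more than one pattern: `mapAttrs` walks `cfg.matches` in attribute-name order, `concatLists`/`attrValues` flattens that, and `recursiveFuse` merges the per-secret sets, so which `owner`/`mode` wins depends on how the pattern strings sort rather than on anything the caller states (confirm the merge direction against `recursiveFuse`, which is not visible here), while a name matching nothing silently keeps the root-only defaults. Worth pinning in the option text, e.g. `description = "Regular expressions (full-string, builtins.match semantics) mapped to the options applied to every secret name they match; when several patterns match one name their definitions are merged by recursiveFuse, later patterns in attribute-name order taking precedence."`, or turning conflicting owners into an assertion. Separately, in the `optionsType` hunk the submodule's `config` argument shadows the NixOS `config`, so `config.users.${config.owner}.group or "0"` looks up `users` inside the submodule (which only declares mode/owner/group) and appears to always yield `"0"`; if the intent is the owner's primary group, bind the outer config in the `let` (`nixosConfig = config;`) and use `nixosConfig.users.users.${config.owner}.group or "0"`.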
|
||||||
|
|