authorIgor Pashev <pashev.igor@gmail.com>2016-10-13 16:21:52 +0300
committerIgor Pashev <pashev.igor@gmail.com>2016-10-13 16:27:34 +0300
commitb40e89f23632d3fabe95bbf214bb77a32567b3d9 (patch)
treea76f8222e93152f3886008ad6ef7b6eadbe401ba
parentb24ae5d345aa84bdba20efbb4a14ddfc9bf39873 (diff)
Do not filter keys at application level
It's done in the nixsap.deployment module. See b24ae5d345aa84bdba20efbb4a14ddfc9bf39873.
-rw-r--r--modules/apps/filebackup.nix6
-rw-r--r--modules/apps/icinga2.nix2
-rw-r--r--modules/apps/icingaweb2.nix7
-rw-r--r--modules/apps/jenkins/default.nix7
-rw-r--r--modules/apps/juandelacosa.nix6
-rw-r--r--modules/apps/mariadb/default.nix6
-rw-r--r--modules/apps/mediawiki/default.nix4
-rw-r--r--modules/apps/mysqlbackup.nix4
-rw-r--r--modules/apps/mywatch.nix6
-rw-r--r--modules/apps/pgbackup.nix4
-rw-r--r--modules/apps/postgresql/default.nix6
-rw-r--r--modules/apps/sproxy-web.nix6
-rw-r--r--modules/apps/sproxy.nix7
-rw-r--r--modules/apps/strongswan/default.nix4
14 files changed, 30 insertions, 45 deletions
diff --git a/modules/apps/filebackup.nix b/modules/apps/filebackup.nix
index 4aee0a9..ec3d84d 100644
--- a/modules/apps/filebackup.nix
+++ b/modules/apps/filebackup.nix
@@ -4,7 +4,7 @@ let
inherit (builtins)
isBool isList isString toString ;
inherit (lib)
- concatMapStringsSep concatStringsSep filter filterAttrs
+ concatMapStringsSep concatStringsSep filterAttrs
flatten hasPrefix mapAttrsToList mkIf
mkOption optionalString removeSuffix ;
inherit (lib.types)
@@ -203,8 +203,6 @@ let
exit "$failed"
'';
- keys = filter (f: f != null && hasPrefix "/run/keys/" f) ( [cfg.s3cfg] );
-
in {
options.nixsap.apps.filebackup = {
user = mkOption {
@@ -265,7 +263,7 @@ in {
config = mkIf (cfg.files != {}) {
nixsap.system.users.daemons = [ cfg.user ];
- nixsap.deployment.keyrings.${cfg.user} = keys;
+ nixsap.deployment.keyrings.${cfg.user} = [ cfg.s3cfg ];
systemd.services.filebackup = {
description = "Directory backup with tar";
after = [ "local-fs.target" "keys.target" ];
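Review bot: The keyring assignment now passes `[ cfg.s3cfg ]` unconditionally, so a null value or a path outside the key store reaches `nixsap.deployment.keyrings`, where the removed `keys` binding used to drop both. This is only safe if the deployment module's option type accepts null entries and its own filter discards them; that module is not part of this diff, so it should be checked against b24ae5d. The same reliance is introduced in icingaweb2, juandelacosa, mariadb, mysqlbackup, mywatch, pgbackup, postgresql and sproxy-web. A short comment beside the assignment would record the dependency, e.g. `# null and non-keystore paths are dropped by nixsap.deployment`.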
diff --git a/modules/apps/icinga2.nix b/modules/apps/icinga2.nix
index 6df18fc..e236bf4 100644
--- a/modules/apps/icinga2.nix
+++ b/modules/apps/icinga2.nix
@@ -339,7 +339,7 @@ in {
];
nixsap.system.users.daemons = [ cfg.user ];
nixsap.system.groups = [ cfg.commandGroup ];
- nixsap.deployment.keyrings.${cfg.user} = filter (hasPrefix "/run/keys/") cfg.configFiles;
+ nixsap.deployment.keyrings.${cfg.user} = filter (hasPrefix config.nixsap.deployment.keyStore) cfg.configFiles;
users.users.${cfg.user}.extraGroups = [ "proc" ];
systemd.services.icinga2 = {
description = "Icinga2 daemon";
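Review bot: The changed keyring line still filters inside the application module, which is what the commit title says should no longer happen, and it is the only module in this commit that does so. The new prefix `config.nixsap.deployment.keyStore` also carries no visible guarantee of a trailing separator, whereas the old literal `"/run/keys/"` had one; if the option is set without a trailing slash, a sibling directory sharing the prefix would match as well. If the central filter is sufficient, `nixsap.deployment.keyrings.${cfg.user} = cfg.configFiles;` keeps the check in one place; if the local filter is deliberate, a comment saying why would help.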
diff --git a/modules/apps/icingaweb2.nix b/modules/apps/icingaweb2.nix
index ed52f86..afb7712 100644
--- a/modules/apps/icingaweb2.nix
+++ b/modules/apps/icingaweb2.nix
@@ -5,7 +5,7 @@ let
inherit (lib) types
mkIf mkOption mkEnableOption mkDefault hasPrefix
concatMapStringsSep filterAttrs recursiveUpdate mapAttrsToList
- concatStringsSep isString filter genAttrs attrNames
+ concatStringsSep isString genAttrs attrNames
optionalString mkOptionType any;
inherit (types)
bool str int lines path either
@@ -245,9 +245,8 @@ let
fi
'';
- keys = filter (p: p != null && hasPrefix "/run/keys/" p)
- [ cfg.resources.icingaweb2db.passfile
- cfg.resources.icinga2db.passfile ];
+ keys = [ cfg.resources.icingaweb2db.passfile
+ cfg.resources.icinga2db.passfile ];
in {
diff --git a/modules/apps/jenkins/default.nix b/modules/apps/jenkins/default.nix
index d0ccb25..a5edb4b 100644
--- a/modules/apps/jenkins/default.nix
+++ b/modules/apps/jenkins/default.nix
@@ -6,7 +6,7 @@ let
attrNames isBool isString ;
inherit (lib)
- concatMapStringsSep concatStringsSep escape filter filterAttrs
+ concatMapStringsSep concatStringsSep escape filterAttrs
foldAttrs foldl hasPrefix mapAttrs mapAttrsToList mkOption nameValuePair
optionalString ;
@@ -14,7 +14,6 @@ let
attrsOf submodule ;
explicit = filterAttrs (n: v: n != "_module" && v != null);
- isKey = s: s != null && hasPrefix "/run/keys/" s;
instances = explicit config.nixsap.apps.jenkins;
users = mapAttrsToList (_: i: i.user) instances;
@@ -26,10 +25,10 @@ let
keyrings =
let
# This requires read-write mode of evaluation:
- keys = n: i: filter isKey (import (pkgs.xinclude2nix (
+ keys = n: i: import (pkgs.xinclude2nix (
(mapAttrsToList (_: f: f) (configFiles n i))
++ (mapAttrsToList (_: f: f) (jobFiles n i))
- )));
+ ));
ik = mapAttrsToList (n: i: { "${i.user}" = keys n i; } ) instances;
in foldAttrs (l: r: l ++ r) [] ik;
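Review bot: With `filter isKey` removed, `keys` hands every path returned by `pkgs.xinclude2nix` for the instance's config and job files to the keyring, and that list is presumably derived from file contents rather than from typed options. The only remaining guard is the filtering the commit message attributes to nixsap.deployment, which is not visible in this diff. A comment above `keys` would make that dependency explicit, e.g. `# Unfiltered on purpose: nixsap.deployment keeps only paths under its key store`. The `keyrings` binding starts outside the hunk.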
diff --git a/modules/apps/juandelacosa.nix b/modules/apps/juandelacosa.nix
index 8df6af0..d417727 100644
--- a/modules/apps/juandelacosa.nix
+++ b/modules/apps/juandelacosa.nix
@@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }:
let
- inherit (builtins) filter toString;
+ inherit (builtins) toString;
inherit (lib) types mkOption mkEnableOption mkIf hasPrefix
concatStrings optionalString;
inherit (types) str path int nullOr;
@@ -17,8 +17,6 @@ let
else " -s '${cfg.socket}'")
];
- keys = filter (f: f != null && hasPrefix "/run/keys/" f) [ cfg.myFile ];
-
in {
options.nixsap.apps.juandelacosa = {
enable = mkEnableOption "Juan de la Cosa";
@@ -51,7 +49,7 @@ in {
config = mkIf cfg.enable {
nixsap.system.users.daemons = [ cfg.user ];
- nixsap.deployment.keyrings.${cfg.user} = keys;
+ nixsap.deployment.keyrings.${cfg.user} = [ cfg.myFile ];
systemd.services.juandelacosa = {
description = "captain of the MariaDB";
wantedBy = [ "multi-user.target" ];
diff --git a/modules/apps/mariadb/default.nix b/modules/apps/mariadb/default.nix
index cdf5d92..4574be6 100644
--- a/modules/apps/mariadb/default.nix
+++ b/modules/apps/mariadb/default.nix
@@ -255,16 +255,14 @@ let
}
'';
- all-keys = unique (filter (f: f != null && hasPrefix "/run/keys/" f ) (flatten (
+ all-keys = flatten (
mapAttrsToList (ch: {master, mysqldump, ...}:
[ master.password-file
master.ssl-key
mysqldump.password-file
mysqldump.ssl-key
]) (explicit cfg.replicate)
- ) ++ [
- cfg.mysqld.ssl_key
- ]));
+ ) ++ [ cfg.mysqld.ssl_key ];
in {
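Review bot: Removing `unique` together with the filter means a key file shared by several replication channels, or by `master` and `mysqldump` in the same channel, now appears more than once in `all-keys`. Whether duplicates matter depends on how nixsap.deployment consumes the list, which this diff does not show. If that module does not deduplicate, wrapping the new expression as `unique (flatten (...) ++ [ cfg.mysqld.ssl_key ])` keeps the previous behaviour. The surrounding `let` block starts outside the hunk.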
diff --git a/modules/apps/mediawiki/default.nix b/modules/apps/mediawiki/default.nix
index 584d86a..58b8d7e 100644
--- a/modules/apps/mediawiki/default.nix
+++ b/modules/apps/mediawiki/default.nix
@@ -11,7 +11,7 @@ let
attrsOf bool either enum int lines listOf nullOr path str
submodule unspecified;
inherit (builtins)
- attrNames elem filter isAttrs isBool isList isString toString;
+ attrNames elem isAttrs isBool isList isString toString;
cfg = config.nixsap.apps.mediawiki;
user = config.nixsap.apps.mediawiki.user;
@@ -34,7 +34,7 @@ let
concatMapAttrsSep = s: f: attrs: concatStringsSep s (mapAttrsToList f attrs);
enabledExtentions = attrNames (filterAttrs (_: enabled: enabled) (explicit cfg.extensions));
- keys = filter (hasPrefix "/run/keys/") (mapAttrsToList (_: o: o.password-file) cfg.users);
+ keys = mapAttrsToList (_: o: o.password-file) cfg.users;
settings =
let
diff --git a/modules/apps/mysqlbackup.nix b/modules/apps/mysqlbackup.nix
index 509e010..e7d81eb 100644
--- a/modules/apps/mysqlbackup.nix
+++ b/modules/apps/mysqlbackup.nix
@@ -1,6 +1,6 @@
{ config, pkgs, lib, ... }:
let
- inherit (lib) mkOption mkIf mkDefault mapAttrsToList flatten hasPrefix filter
+ inherit (lib) mkOption mkIf mkDefault mapAttrsToList flatten hasPrefix
concatMapStringsSep concatStringsSep optionalString filterAttrs
splitString removeSuffix;
inherit (lib.types) bool str int path either enum nullOr listOf attrsOf submodule;
@@ -99,7 +99,7 @@ let
);
connectionKeys = flatten (mapAttrsToList (_: s: with s.connection; [ password-file ssl-key ]) cfg.servers);
- keys = filter (f: f != null && hasPrefix "/run/keys/" f) ( connectionKeys ++ [cfg.s3cfg] );
+ keys = connectionKeys ++ [ cfg.s3cfg ];
showDatabases = name: server: pkgs.writeText "show-databases-${name}.sql" ''
SHOW DATABASES WHERE `Database` NOT IN ('information_schema', 'performance_schema', 'tmp', 'innodb')
diff --git a/modules/apps/mywatch.nix b/modules/apps/mywatch.nix
index 732033c..2698ba5 100644
--- a/modules/apps/mywatch.nix
+++ b/modules/apps/mywatch.nix
@@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }:
let
- inherit (builtins) filter toString;
+ inherit (builtins) toString;
inherit (lib) types mkOption mkEnableOption mkIf hasPrefix
concatStrings optionalString;
inherit (types) str path int nullOr;
@@ -16,8 +16,6 @@ let
" '${cfg.myFile}'"
];
- keys = filter (f: f != null && hasPrefix "/run/keys/" f) [ cfg.myFile ];
-
in {
options.nixsap.apps.mywatch = {
enable = mkEnableOption "MyWatch";
@@ -44,7 +42,7 @@ in {
config = mkIf cfg.enable {
nixsap.system.users.daemons = [ cfg.user ];
- nixsap.deployment.keyrings.${cfg.user} = keys;
+ nixsap.deployment.keyrings.${cfg.user} = [ cfg.myFile ];
systemd.services.mywatch = {
description = "watch queries on multiple MySQL servers";
wantedBy = [ "multi-user.target" ];
diff --git a/modules/apps/pgbackup.nix b/modules/apps/pgbackup.nix
index 3428843..7f7c7ca 100644
--- a/modules/apps/pgbackup.nix
+++ b/modules/apps/pgbackup.nix
@@ -4,7 +4,7 @@ let
inherit (builtins)
elem isBool isList isString toString ;
inherit (lib)
- concatMapStringsSep concatStringsSep filter filterAttrs
+ concatMapStringsSep concatStringsSep filterAttrs
findFirst flatten hasPrefix mapAttrsToList mkIf
mkOption optionalString removeSuffix ;
inherit (lib.types)
@@ -252,7 +252,7 @@ let
exit "$failed"
'';
- keys = filter (f: f != null && hasPrefix "/run/keys/" f) ( [cfg.pgpass cfg.s3cfg] );
+ keys = [ cfg.pgpass cfg.s3cfg ];
in {
options.nixsap.apps.pgbackup = {
diff --git a/modules/apps/postgresql/default.nix b/modules/apps/postgresql/default.nix
index bfbf4bd..5ed6615 100644
--- a/modules/apps/postgresql/default.nix
+++ b/modules/apps/postgresql/default.nix
@@ -5,7 +5,7 @@ let
match toString ;
inherit (lib)
- concatMapStrings concatStringsSep filter filterAttrs foldAttrs foldl
+ concatMapStrings concatStringsSep filterAttrs foldAttrs filter foldl
hasPrefix isBool isInt isList isString length mapAttrs' mapAttrsToList
mkDefault mkIf mkOption nameValuePair types ;
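Review bot: In the `inherit (lib)` list `filter` was moved after `foldAttrs` rather than removed, which breaks the alphabetical order the rest of the list follows. The only use of `filter` visible in this diff is deleted in the next hunk of this file. If nothing else in the file uses it, drop it as the other modules in this commit do; otherwise leave it in its original position, `concatMapStrings concatStringsSep filter filterAttrs foldAttrs foldl`.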
@@ -22,9 +22,7 @@ let
keyrings =
let
- isKey = s: s != null && hasPrefix "/run/keys/" s;
- keys = i: filter isKey [ i.server.ssl_key_file ];
- ik = mapAttrsToList (_: i: { "${i.user}" = keys i; } ) instances;
+ ik = mapAttrsToList (_: i: { "${i.user}" = [ i.server.ssl_key_file ]; } ) instances;
in foldAttrs (l: r: l ++ r) [] ik;
mkService = name: opts:
diff --git a/modules/apps/sproxy-web.nix b/modules/apps/sproxy-web.nix
index 351e82d..04ddcdf 100644
--- a/modules/apps/sproxy-web.nix
+++ b/modules/apps/sproxy-web.nix
@@ -4,7 +4,7 @@ let
inherit (builtins) toString ;
inherit (lib)
- concatStrings filter hasPrefix mkEnableOption mkIf mkOption
+ concatStrings hasPrefix mkEnableOption mkIf mkOption
optionalString types ;
inherit (types)
int nullOr path str ;
@@ -19,8 +19,6 @@ let
else " -s '${cfg.socket}'")
];
- keys = filter (f: f != null && hasPrefix "/run/keys/" f) [ cfg.pgPassFile ];
-
in {
options.nixsap.apps.sproxy-web = {
enable = mkEnableOption "Sproxy Web";
@@ -53,7 +51,7 @@ in {
config = mkIf cfg.enable {
nixsap.system.users.daemons = [ cfg.user ];
- nixsap.deployment.keyrings.${cfg.user} = keys;
+ nixsap.deployment.keyrings.${cfg.user} = [ cfg.pgPassFile ];
systemd.services.sproxy-web = {
description = "Web interface to Sproxy database";
wantedBy = [ "multi-user.target" ];
diff --git a/modules/apps/sproxy.nix b/modules/apps/sproxy.nix
index 2c50554..f6eb2af 100644
--- a/modules/apps/sproxy.nix
+++ b/modules/apps/sproxy.nix
@@ -4,7 +4,7 @@ let
inherit (builtins) toString;
inherit (lib)
- filter filterAttrs hasPrefix mapAttrsToList
+ filterAttrs hasPrefix mapAttrsToList
mkEnableOption concatStrings mkIf mkOption types ;
inherit (types)
enum int nullOr attrsOf path str submodule ;
@@ -43,10 +43,9 @@ let
''}
'';
- keys = filter (hasPrefix "/run/keys/")
- ( [ cfg.sslKey ]
+ keys = [ cfg.sslKey ]
++ mapAttrsToList (_: c: c.client_secret_file) (explicit cfg.oauth2)
- );
+ ;
oauth2 = mkOption {
type = attrsOf (submodule {
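Review bot: The terminating `;` left on a line of its own after the `++ mapAttrsToList` line is a leftover of the removed parentheses and reads like a stray token. Folding it into the expression is clearer: `keys = [ cfg.sslKey ] ++ mapAttrsToList (_: c: c.client_secret_file) (explicit cfg.oauth2);`. As before this change, a null `client_secret_file` is not handled here, so the list relies on whatever nixsap.deployment accepts.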
diff --git a/modules/apps/strongswan/default.nix b/modules/apps/strongswan/default.nix
index d9a5034..ca95464 100644
--- a/modules/apps/strongswan/default.nix
+++ b/modules/apps/strongswan/default.nix
@@ -5,7 +5,7 @@ let
inherit (lib) mkIf mkOption types filterAttrs hasPrefix
mapAttrsToList concatStringsSep concatMapStringsSep;
inherit (types) listOf submodule path attrsOf;
- inherit (builtins) filter toString toFile isList isBool;
+ inherit (builtins) toString toFile isList isBool;
cfg = config.nixsap.apps.strongswan;
explicit = filterAttrs (n: v: n != "_module" && v != null);
@@ -81,7 +81,7 @@ in {
};
config = mkIf ({} != explicit cfg.conn) {
- nixsap.deployment.keyrings.root = filter (hasPrefix "/run/keys/") cfg.secrets;
+ nixsap.deployment.keyrings.root = cfg.secrets;
environment.systemPackages = [ pkgs.strongswan ];
systemd.services.strongswan = {
description = "strongSwan IPSec Service";