author | Igor Pashev <pashev.igor@gmail.com> | 2016-10-13 16:21:52 +0300 |
---|---|---|
committer | Igor Pashev <pashev.igor@gmail.com> | 2016-10-13 16:27:34 +0300 |
commit | b40e89f23632d3fabe95bbf214bb77a32567b3d9 (patch) | |
tree | a76f8222e93152f3886008ad6ef7b6eadbe401ba /modules | |
parent | b24ae5d345aa84bdba20efbb4a14ddfc9bf39873 (diff) | |
Do not filter keys at application level
It's done in the nixsap.deployment module
See b24ae5d345aa84bdba20efbb4a14ddfc9bf39873
Diffstat (limited to 'modules')
-rw-r--r-- | modules/apps/filebackup.nix | 6 | ||||
-rw-r--r-- | modules/apps/icinga2.nix | 2 | ||||
-rw-r--r-- | modules/apps/icingaweb2.nix | 7 | ||||
-rw-r--r-- | modules/apps/jenkins/default.nix | 7 | ||||
-rw-r--r-- | modules/apps/juandelacosa.nix | 6 | ||||
-rw-r--r-- | modules/apps/mariadb/default.nix | 6 | ||||
-rw-r--r-- | modules/apps/mediawiki/default.nix | 4 | ||||
-rw-r--r-- | modules/apps/mysqlbackup.nix | 4 | ||||
-rw-r--r-- | modules/apps/mywatch.nix | 6 | ||||
-rw-r--r-- | modules/apps/pgbackup.nix | 4 | ||||
-rw-r--r-- | modules/apps/postgresql/default.nix | 6 | ||||
-rw-r--r-- | modules/apps/sproxy-web.nix | 6 | ||||
-rw-r--r-- | modules/apps/sproxy.nix | 7 | ||||
-rw-r--r-- | modules/apps/strongswan/default.nix | 4 |
14 files changed, 30 insertions, 45 deletions
diff --git a/modules/apps/filebackup.nix b/modules/apps/filebackup.nix index 4aee0a9..ec3d84d 100644 --- a/modules/apps/filebackup.nix +++ b/modules/apps/filebackup.nix @@ -4,7 +4,7 @@ let inherit (builtins) isBool isList isString toString ; inherit (lib) - concatMapStringsSep concatStringsSep filter filterAttrs + concatMapStringsSep concatStringsSep filterAttrs flatten hasPrefix mapAttrsToList mkIf mkOption optionalString removeSuffix ; inherit (lib.types) @@ -203,8 +203,6 @@ let exit "$failed" ''; - keys = filter (f: f != null && hasPrefix "/run/keys/" f) ( [cfg.s3cfg] ); - in { options.nixsap.apps.filebackup = { user = mkOption { @@ -265,7 +263,7 @@ in { config = mkIf (cfg.files != {}) { nixsap.system.users.daemons = [ cfg.user ]; - nixsap.deployment.keyrings.${cfg.user} = keys; + nixsap.deployment.keyrings.${cfg.user} = [ cfg.s3cfg ]; systemd.services.filebackup = { description = "Directory backup with tar"; after = [ "local-fs.target" "keys.target" ]; diff --git a/modules/apps/icinga2.nix b/modules/apps/icinga2.nix index 6df18fc..e236bf4 100644 --- a/modules/apps/icinga2.nix +++ b/modules/apps/icinga2.nix @@ -339,7 +339,7 @@ in { ]; nixsap.system.users.daemons = [ cfg.user ]; nixsap.system.groups = [ cfg.commandGroup ]; - nixsap.deployment.keyrings.${cfg.user} = filter (hasPrefix "/run/keys/") cfg.configFiles; + nixsap.deployment.keyrings.${cfg.user} = filter (hasPrefix config.nixsap.deployment.keyStore) cfg.configFiles; users.users.${cfg.user}.extraGroups = [ "proc" ]; systemd.services.icinga2 = { description = "Icinga2 daemon"; diff --git a/modules/apps/icingaweb2.nix b/modules/apps/icingaweb2.nix index ed52f86..afb7712 100644 --- a/modules/apps/icingaweb2.nix +++ b/modules/apps/icingaweb2.nix 
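Review bot: In modules/apps/filebackup.nix the keyring is now `[ cfg.s3cfg ]` with no guard, while the removed `keys` binding (`f != null && hasPrefix "/run/keys/" f`) suggests that value can be null or point outside the key directory. Which files get handed to the service user now depends entirely on `nixsap.deployment.keyrings` discarding nulls and non-key paths, and that module is not part of this diff. A comment at the assignment would record the contract, e.g. `# may be null or a non-key path; nixsap.deployment filters against keyStore`. The same applies to the unguarded lists in icingaweb2, jenkins (where the list is whatever `pkgs.xinclude2nix` returns), juandelacosa, mediawiki, mysqlbackup, mywatch, pgbackup, postgresql, sproxy-web, sproxy and strongswan.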
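Review bot: The icinga2 hunk replaces the literal `"/run/keys/"`, which ended in a slash, with `config.nixsap.deployment.keyStore` as the `hasPrefix` argument. If keyStore is defined without a trailing slash (its definition is not in this diff), the test would also accept any sibling path whose name merely begins with the same characters. After confirming the option's form, consider anchoring on the separator, e.g. `filter (hasPrefix "${toString config.nixsap.deployment.keyStore}/") cfg.configFiles`. This module also still filters at the application level, contrary to the commit title, so a one-line comment saying why `configFiles` needs it would help the next reader.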
@@ -5,7 +5,7 @@ let inherit (lib) types mkIf mkOption mkEnableOption mkDefault hasPrefix concatMapStringsSep filterAttrs recursiveUpdate mapAttrsToList - concatStringsSep isString filter genAttrs attrNames + concatStringsSep isString genAttrs attrNames optionalString mkOptionType any; inherit (types) bool str int lines path either @@ -245,9 +245,8 @@ let fi ''; - keys = filter (p: p != null && hasPrefix "/run/keys/" p) - [ cfg.resources.icingaweb2db.passfile - cfg.resources.icinga2db.passfile ]; + keys = [ cfg.resources.icingaweb2db.passfile + cfg.resources.icinga2db.passfile ]; in { diff --git a/modules/apps/jenkins/default.nix b/modules/apps/jenkins/default.nix index d0ccb25..a5edb4b 100644 --- a/modules/apps/jenkins/default.nix +++ b/modules/apps/jenkins/default.nix @@ -6,7 +6,7 @@ let attrNames isBool isString ; inherit (lib) - concatMapStringsSep concatStringsSep escape filter filterAttrs + concatMapStringsSep concatStringsSep escape filterAttrs foldAttrs foldl hasPrefix mapAttrs mapAttrsToList mkOption nameValuePair optionalString ; @@ -14,7 +14,6 @@ let attrsOf submodule ; explicit = filterAttrs (n: v: n != "_module" && v != null); - isKey = s: s != null && hasPrefix "/run/keys/" s; instances = explicit config.nixsap.apps.jenkins; users = mapAttrsToList (_: i: i.user) instances; @@ -26,10 +25,10 @@ let keyrings = let # This requires read-write mode of evaluation: - keys = n: i: filter isKey (import (pkgs.xinclude2nix ( + keys = n: i: import (pkgs.xinclude2nix ( (mapAttrsToList (_: f: f) (configFiles n i)) ++ (mapAttrsToList (_: f: f) (jobFiles n i)) - ))); + )); ik = mapAttrsToList (n: i: { "${i.user}" = keys n i; } ) instances; in foldAttrs (l: r: l ++ r) [] ik; diff --git a/modules/apps/juandelacosa.nix b/modules/apps/juandelacosa.nix index 8df6af0..d417727 100644 --- a/modules/apps/juandelacosa.nix +++ b/modules/apps/juandelacosa.nix 
@@ -1,7 +1,7 @@ { config, pkgs, lib, ... }: let - inherit (builtins) filter toString; + inherit (builtins) toString; inherit (lib) types mkOption mkEnableOption mkIf hasPrefix concatStrings optionalString; inherit (types) str path int nullOr; @@ -17,8 +17,6 @@ let else " -s '${cfg.socket}'") ]; - keys = filter (f: f != null && hasPrefix "/run/keys/" f) [ cfg.myFile ]; - in { options.nixsap.apps.juandelacosa = { enable = mkEnableOption "Juan de la Cosa"; @@ -51,7 +49,7 @@ in { config = mkIf cfg.enable { nixsap.system.users.daemons = [ cfg.user ]; - nixsap.deployment.keyrings.${cfg.user} = keys; + nixsap.deployment.keyrings.${cfg.user} = [ cfg.myFile ]; systemd.services.juandelacosa = { description = "captain of the MariaDB"; wantedBy = [ "multi-user.target" ]; diff --git a/modules/apps/mariadb/default.nix b/modules/apps/mariadb/default.nix index cdf5d92..4574be6 100644 --- a/modules/apps/mariadb/default.nix +++ b/modules/apps/mariadb/default.nix @@ -255,16 +255,14 @@ let } ''; - all-keys = unique (filter (f: f != null && hasPrefix "/run/keys/" f ) (flatten ( + all-keys = flatten ( mapAttrsToList (ch: {master, mysqldump, ...}: [ master.password-file master.ssl-key mysqldump.password-file mysqldump.ssl-key ]) (explicit cfg.replicate) - ) ++ [ - cfg.mysqld.ssl_key - ])); + ) ++ [ cfg.mysqld.ssl_key ]; in { diff --git a/modules/apps/mediawiki/default.nix b/modules/apps/mediawiki/default.nix index 584d86a..58b8d7e 100644 --- a/modules/apps/mediawiki/default.nix +++ b/modules/apps/mediawiki/default.nix @@ -11,7 +11,7 @@ let attrsOf bool either enum int lines listOf nullOr path str submodule unspecified; inherit (builtins) - attrNames elem filter isAttrs isBool isList isString toString; + attrNames elem isAttrs isBool isList isString toString; cfg = config.nixsap.apps.mediawiki; user = config.nixsap.apps.mediawiki.user; 
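Review bot: The rewritten `all-keys` in mariadb/default.nix drops `unique` together with the filter, so a file named in both `master.password-file` and `mysqldump.password-file` now appears twice in the list, and null entries pass through. Whether nixsap.deployment deduplicates is not visible in this diff; if it does not, keep the wrapper as `unique (flatten ( ... ) ++ [ cfg.mysqld.ssl_key ])`. The `inherit` lists of this file are outside the hunk, so `unique`, `filter` and `hasPrefix` may now be unused there.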
@@ -34,7 +34,7 @@ let concatMapAttrsSep = s: f: attrs: concatStringsSep s (mapAttrsToList f attrs); enabledExtentions = attrNames (filterAttrs (_: enabled: enabled) (explicit cfg.extensions)); - keys = filter (hasPrefix "/run/keys/") (mapAttrsToList (_: o: o.password-file) cfg.users); + keys = mapAttrsToList (_: o: o.password-file) cfg.users; settings = let diff --git a/modules/apps/mysqlbackup.nix b/modules/apps/mysqlbackup.nix index 509e010..e7d81eb 100644 --- a/modules/apps/mysqlbackup.nix +++ b/modules/apps/mysqlbackup.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - inherit (lib) mkOption mkIf mkDefault mapAttrsToList flatten hasPrefix filter + inherit (lib) mkOption mkIf mkDefault mapAttrsToList flatten hasPrefix concatMapStringsSep concatStringsSep optionalString filterAttrs splitString removeSuffix; inherit (lib.types) bool str int path either enum nullOr listOf attrsOf submodule; @@ -99,7 +99,7 @@ let ); connectionKeys = flatten (mapAttrsToList (_: s: with s.connection; [ password-file ssl-key ]) cfg.servers); - keys = filter (f: f != null && hasPrefix "/run/keys/" f) ( connectionKeys ++ [cfg.s3cfg] ); + keys = connectionKeys ++ [ cfg.s3cfg ]; showDatabases = name: server: pkgs.writeText "show-databases-${name}.sql" '' SHOW DATABASES WHERE `Database` NOT IN ('information_schema', 'performance_schema', 'tmp', 'innodb') diff --git a/modules/apps/mywatch.nix b/modules/apps/mywatch.nix index 732033c..2698ba5 100644 --- a/modules/apps/mywatch.nix +++ b/modules/apps/mywatch.nix @@ -1,7 +1,7 @@ { config, pkgs, lib, ... }: let - inherit (builtins) filter toString; + inherit (builtins) toString; inherit (lib) types mkOption mkEnableOption mkIf hasPrefix concatStrings optionalString; inherit (types) str path int nullOr; @@ -16,8 +16,6 @@ let " '${cfg.myFile}'" ]; - keys = filter (f: f != null && hasPrefix "/run/keys/" f) [ cfg.myFile ]; - in { options.nixsap.apps.mywatch = { enable = mkEnableOption "MyWatch"; 
@@ -44,7 +42,7 @@ in { config = mkIf cfg.enable { nixsap.system.users.daemons = [ cfg.user ]; - nixsap.deployment.keyrings.${cfg.user} = keys; + nixsap.deployment.keyrings.${cfg.user} = [ cfg.myFile ]; systemd.services.mywatch = { description = "watch queries on multiple MySQL servers"; wantedBy = [ "multi-user.target" ]; diff --git a/modules/apps/pgbackup.nix b/modules/apps/pgbackup.nix index 3428843..7f7c7ca 100644 --- a/modules/apps/pgbackup.nix +++ b/modules/apps/pgbackup.nix @@ -4,7 +4,7 @@ let inherit (builtins) elem isBool isList isString toString ; inherit (lib) - concatMapStringsSep concatStringsSep filter filterAttrs + concatMapStringsSep concatStringsSep filterAttrs findFirst flatten hasPrefix mapAttrsToList mkIf mkOption optionalString removeSuffix ; inherit (lib.types) @@ -252,7 +252,7 @@ let exit "$failed" ''; - keys = filter (f: f != null && hasPrefix "/run/keys/" f) ( [cfg.pgpass cfg.s3cfg] ); + keys = [ cfg.pgpass cfg.s3cfg ]; in { options.nixsap.apps.pgbackup = { diff --git a/modules/apps/postgresql/default.nix b/modules/apps/postgresql/default.nix index bfbf4bd..5ed6615 100644 --- a/modules/apps/postgresql/default.nix +++ b/modules/apps/postgresql/default.nix @@ -5,7 +5,7 @@ let match toString ; inherit (lib) - concatMapStrings concatStringsSep filter filterAttrs foldAttrs foldl + concatMapStrings concatStringsSep filterAttrs foldAttrs filter foldl hasPrefix isBool isInt isList isString length mapAttrs' mapAttrsToList mkDefault mkIf mkOption nameValuePair types ; @@ -22,9 +22,7 @@ let keyrings = let - isKey = s: s != null && hasPrefix "/run/keys/" s; - keys = i: filter isKey [ i.server.ssl_key_file ]; - ik = mapAttrsToList (_: i: { "${i.user}" = keys i; } ) instances; + ik = mapAttrsToList (_: i: { "${i.user}" = [ i.server.ssl_key_file ]; } ) instances; in foldAttrs (l: r: l ++ r) [] ik; mkService = name: opts: diff --git a/modules/apps/sproxy-web.nix b/modules/apps/sproxy-web.nix index 351e82d..04ddcdf 100644 --- a/modules/apps/sproxy-web.nix 
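Review bot: The first postgresql hunk only moves `filter` inside the `inherit (lib)` list, placing it after `foldAttrs` and out of the alphabetical order the rest of the list follows. The second hunk removes the only uses of `filter` and `hasPrefix` visible here, so if nothing else in the file needs them they could be dropped as in the other modules; otherwise leave the line as it was to keep the diff free of no-op changes. The rest of the file is outside the hunks, so this needs a check against the full module.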
+++ b/modules/apps/sproxy-web.nix @@ -4,7 +4,7 @@ let inherit (builtins) toString ; inherit (lib) - concatStrings filter hasPrefix mkEnableOption mkIf mkOption + concatStrings hasPrefix mkEnableOption mkIf mkOption optionalString types ; inherit (types) int nullOr path str ; @@ -19,8 +19,6 @@ let else " -s '${cfg.socket}'") ]; - keys = filter (f: f != null && hasPrefix "/run/keys/" f) [ cfg.pgPassFile ]; - in { options.nixsap.apps.sproxy-web = { enable = mkEnableOption "Sproxy Web"; @@ -53,7 +51,7 @@ in { config = mkIf cfg.enable { nixsap.system.users.daemons = [ cfg.user ]; - nixsap.deployment.keyrings.${cfg.user} = keys; + nixsap.deployment.keyrings.${cfg.user} = [ cfg.pgPassFile ]; systemd.services.sproxy-web = { description = "Web interface to Sproxy database"; wantedBy = [ "multi-user.target" ]; diff --git a/modules/apps/sproxy.nix b/modules/apps/sproxy.nix index 2c50554..f6eb2af 100644 --- a/modules/apps/sproxy.nix +++ b/modules/apps/sproxy.nix @@ -4,7 +4,7 @@ let inherit (builtins) toString; inherit (lib) - filter filterAttrs hasPrefix mapAttrsToList + filterAttrs hasPrefix mapAttrsToList mkEnableOption concatStrings mkIf mkOption types ; inherit (types) enum int nullOr attrsOf path str submodule ; @@ -43,10 +43,9 @@ let ''} ''; - keys = filter (hasPrefix "/run/keys/") - ( [ cfg.sslKey ] + keys = [ cfg.sslKey ] ++ mapAttrsToList (_: c: c.client_secret_file) (explicit cfg.oauth2) - ); + ; oauth2 = mkOption { type = attrsOf (submodule { diff --git a/modules/apps/strongswan/default.nix b/modules/apps/strongswan/default.nix index d9a5034..ca95464 100644 --- a/modules/apps/strongswan/default.nix +++ b/modules/apps/strongswan/default.nix 
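Review bot: In sproxy.nix the rewritten `keys` binding leaves its terminating `;` alone on a line where the closing parenthesis used to be. Ending the expression on its last operand, `++ mapAttrsToList (_: c: c.client_secret_file) (explicit cfg.oauth2);`, reads the same as the other bindings touched by this commit. `hasPrefix` stays in the `inherit (lib)` list although its visible use is removed; the rest of the file is outside the hunk, so it may be unused now.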
@@ -5,7 +5,7 @@ let inherit (lib) mkIf mkOption types filterAttrs hasPrefix mapAttrsToList concatStringsSep concatMapStringsSep; inherit (types) listOf submodule path attrsOf; - inherit (builtins) filter toString toFile isList isBool; + inherit (builtins) toString toFile isList isBool; cfg = config.nixsap.apps.strongswan; explicit = filterAttrs (n: v: n != "_module" && v != null); @@ -81,7 +81,7 @@ in { }; config = mkIf ({} != explicit cfg.conn) { - nixsap.deployment.keyrings.root = filter (hasPrefix "/run/keys/") cfg.secrets; + nixsap.deployment.keyrings.root = cfg.secrets; environment.systemPackages = [ pkgs.strongswan ]; systemd.services.strongswan = { description = "strongSwan IPSec Service"; |