X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fwebsites%2Ftools%2Fdiaspora%2Fdiaspora.nix;h=01aac89e4339e33f7168c8522eb6925473ab46ff;hb=452c23140ea93ce301e7fafdc37d28009bd6f613;hp=778fe267f415e494914b4d6ffc8bcbd59c757c6b;hpb=3c8d7f8706433ce0f995f3bf37fdfd348fb9e173;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/nixops/modules/websites/tools/diaspora/diaspora.nix b/nixops/modules/websites/tools/diaspora/diaspora.nix
index 778fe26..01aac89 100644
--- a/nixops/modules/websites/tools/diaspora/diaspora.nix
+++ b/nixops/modules/websites/tools/diaspora/diaspora.nix
@@ -1,29 +1,50 @@
 { env, fetchedGithub, stdenv, defaultGemConfig, writeText, bundlerEnv, ruby_2_4, pkgs, cacert }:
 let
-  gems = bundlerEnv {
-    name = "diaspora-env";
-    ruby = ruby_2_4;
-    gemdir = ./.;
-    gemConfig = defaultGemConfig // {
-      kostya-sigar = attrs: {
-        buildInputs = with pkgs; [ pkgs.perl ];
-      };
-    };
-  };
   varDir = "/var/lib/diaspora_immae";
   socketsDir = "/run/diaspora";
   diaspora = stdenv.mkDerivation (fetchedGithub ./diaspora.json // rec {
     buildPhase = ''
       patch -p1 < ${./ldap.patch}
+      # FIXME: bundlerEnv below doesn't take postgresql group for some
+      # reason
+      echo 'gem "pg",     "1.1.3"' >> Gemfile
     '';
     installPhase = ''
       cp -a . $out
     '';
   });
-  secret_token = writeText "secret_token.rb" ''
-    Diaspora::Application.config.secret_key_base = '${env.secret_token}'
-    '';
-  config = writeText "diaspora.yml" ''
+  gems = bundlerEnv {
+    name = "diaspora-env";
+    # https://git.immae.eu/mantisbt/view.php?id=131
+    ruby = ruby_2_4.overrideAttrs(old: {
+      postInstall = builtins.replaceStrings [" --destdir $GEM_HOME"] [""] old.postInstall;
+    });
+    gemfile = "${diaspora}/Gemfile";
+    lockfile = "${diaspora}/Gemfile.lock";
+    gemset = ./gemset.nix;
+    groups = [ "postgresql" "default" "production" ];
+    gemConfig = defaultGemConfig // {
+      kostya-sigar = attrs: {
+        buildInputs = [ pkgs.perl ];
+      };
+    };
+  };
+  keys = {
+    secret_token = {
+      dest = "webapps/tools-diaspora-secret_token";
+      user = "diaspora";
+      group = "diaspora";
+      permissions = "0400";
+      text = ''
+        Diaspora::Application.config.secret_key_base = '${env.secret_token}'
+      '';
+    };
+    config = {
+      dest = "webapps/tools-diaspora-config";
+      user = "diaspora";
+      group = "diaspora";
+      permissions = "0400";
+      text = ''
       configuration:
         environment:
           url: "https://diaspora.immae.eu/"
@@ -68,14 +89,14 @@ let
           wordpress:
         mail:
           enable: true
-          sender_address: 'diaspora@immae.eu'
+          sender_address: 'diaspora@tools.immae.eu'
           method: 'sendmail'
           smtp:
           sendmail:
             location: '/run/wrappers/bin/sendmail'
         admins:
           account: "ismael"
-          podmin_email: 'diaspora@immae.eu'
+          podmin_email: 'diaspora@tools.immae.eu'
         relay:
           outbound:
           inbound:
@@ -95,8 +116,14 @@ let
         environment:
       development:
         environment:
-    '';
-  database_config = writeText "database.yml" ''
+      '';
+    };
+    database = {
+      dest = "webapps/tools-diaspora-database_config";
+      user = "diaspora";
+      group = "diaspora";
+      permissions = "0400";
+      text = ''
       postgresql: &postgresql
         adapter: postgresql
         host: "${env.postgresql.socket}"
@@ -123,24 +150,29 @@ let
       integration2:
         <<: *combined
         database: diaspora_integration2
-    '';
-
+      '';
+    };
+  };
     railsRoot = stdenv.mkDerivation {
       name = "diaspora_immae";
       inherit diaspora;
+      # FIXME: build machine will contain some passwords in the nix store
       builder = writeText "build_diaspora_immae" ''
         source $stdenv/setup
         cp -a $diaspora $out
         cd $out
         chmod -R u+rwX .
         tar -czf public/source.tar.gz ./{app,db,lib,script,Gemfile,Gemfile.lock,Rakefile,config.ru}
-        ln -s ${database_config} config/database.yml
-        ln -s ${config} config/diaspora.yml
-        ln -s ${secret_token} config/initializers/secret_token.rb
+        ln -s ${writeText "database.yml" keys.database.text} config/database.yml
+        ln -s ${writeText "diaspora.yml" keys.config.text} config/diaspora.yml
+        ln -s ${writeText "secret_token.rb" keys.secret_token.text} config/initializers/secret_token.rb
         ln -sf ${varDir}/schedule.yml config/schedule.yml
         ln -sf ${varDir}/oidc_key.pem config/oidc_key.pem
         ln -sf ${varDir}/uploads public/uploads
         RAILS_ENV=production ${gems}/bin/rake assets:precompile
+        ln -sf /var/secrets/webapps/tools-diaspora-database_config config/database.yml
+        ln -sf /var/secrets/webapps/tools-diaspora-config config/diaspora.yml
+        ln -sf /var/secrets/webapps/tools-diaspora-secret_token config/initializers/secret_token.rb
         rm -rf tmp log
         ln -sf ${varDir}/tmp tmp
         ln -sf ${varDir}/log log
@@ -150,5 +182,6 @@ let
 in
   {
     inherit railsRoot varDir socketsDir gems;
+    keys = builtins.attrValues keys;
     railsSocket = "${socketsDir}/diaspora.sock";
   }