X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fwebsites%2Ftools%2Fether%2Fdefault.nix;h=c4685a443b7db8102388ffc74ce989164e072220;hb=1247e537b0c8e5ed780ab890cbce4612714a0fa7;hp=c4a9932556bbc3b51c19682d0e237e0a1d038ed8;hpb=a952acc4347d5d77b3c67283ca6249b49a6c9231;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/websites/tools/ether/default.nix b/nixops/modules/websites/tools/ether/default.nix
index c4a9932..c4685a4 100644
--- a/nixops/modules/websites/tools/ether/default.nix
+++ b/nixops/modules/websites/tools/ether/default.nix
@@ -1,10 +1,11 @@
 { lib, pkgs, config, myconfig, mylibs, ... }:
 let
 etherpad = pkgs.callPackage ./etherpad_lite.nix {
- inherit (mylibs) fetchedGithub;
+ inherit (pkgs.webapps) etherpad-lite etherpad-lite-modules;
 env = myconfig.env.tools.etherpad-lite;
 };
+ varDir = etherpad.webappDir.varDir;
 cfg = config.services.myWebsites.tools.etherpad-lite;
 in {
 options.services.myWebsites.tools.etherpad-lite = {
@@ -12,6 +13,7 @@ in {
 };
 config = lib.mkIf cfg.enable {
+ mySecrets.keys = etherpad.keys;
 systemd.services.etherpad-lite = {
 description = "Etherpad-lite";
 wantedBy = [ "multi-user.target" ];
@@ -25,13 +27,16 @@ in {
 script = ''
 exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
- --settings ${etherpad.config}
+ --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \
+ --apikey /var/secrets/webapps/tools-etherpad-apikey \
+ --settings /var/secrets/webapps/tools-etherpad
 '';
 serviceConfig = {
 DynamicUser = true;
 User = "etherpad-lite";
 Group = "etherpad-lite";
+ SupplementaryGroups = "keys";
 WorkingDirectory = etherpad.webappDir;
 PrivateTmp = true;
 NoNewPrivileges = true;
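Review bot: `SupplementaryGroups = "keys";` in serviceConfig puts the network-facing Node process into a shared group rather than one scoped to the three files it is started with. If `keys` is the group that gates the rest of `/var/secrets` (not visible in this diff), a compromise of Etherpad could read other services' secrets as well. A static group dedicated to this service would keep the reach to what the unit needs, and a comment such as `# read access to /var/secrets/webapps/tools-etherpad* only` would record the intent. The serviceConfig block continues outside the hunk.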
@@ -42,6 +47,12 @@ in {
 Restart = "always";
 Type = "simple";
 TimeoutSec = 60;
+ # Use ReadWritePaths= instead if varDir is outside of /var/lib
+ StateDirectory="etherpad-lite";
+ ExecStartPre = [
+ "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
+ "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"
+ ];
 };
 };
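Review bot: The second `ExecStartPre` entry runs as root (the `+` prefix) and hands ownership of the settings, session-key and API-key files to etherpad-lite, so the service can rewrite or chmod its own secrets rather than only read them. The unit already gets `SupplementaryGroups = "keys"` earlier in this diff; if the files are deployed group-readable, the secret paths can be dropped from the command, leaving `"+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir}"`. The recursive root chown over `${varDir}`, which the service user can write to, also deserves a second look: systemd already assigns `StateDirectory` to the dynamic user, so the command may be redundant when varDir is that directory, and otherwise adding `-h` is the safer way to treat any symlinks found there. The serviceConfig block starts outside the hunk.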