Move shaarli passwords to secure location
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Sun, 14 Apr 2019 23:17:31 +0000 (01:17 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Sun, 14 Apr 2019 23:17:31 +0000 (01:17 +0200)
Related issue: https://git.immae.eu/mantisbt/view.php?id=122

nixops/modules/websites/phpfpm/default.nix
nixops/modules/websites/tools/tools/default.nix
nixops/modules/websites/tools/tools/shaarli.nix

index 882babcd8e9d61a94c9869c3600dee37db2278cb..9c068bf604080420f059ce07ba95960304d981cb 100644 (file)
@@ -83,6 +83,18 @@ in {
         '';
       };
 
+      envFile = mkOption {
+        default = {};
+        type = types.attrsOf types.string;
+        example = literalExample ''
+          { mypool = "path/to/file";
+          }
+        '';
+        description = ''
+          Extra environment file go into the service script.
+        '';
+      };
+
       poolPhpConfigs = mkOption {
         default = {};
         type = types.attrsOf types.lines;
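Review bot: The new envFile option is typed `types.attrsOf types.string`, and `types.string` is deprecated in favor of `types.str`; it also merges two definitions of the same pool by concatenating them, so two conflicting paths for one pool would silently become a single invalid path instead of an evaluation error. `type = types.attrsOf types.str;` (or `types.attrsOf types.path`) rejects the conflict. The example `path/to/file` is relative, whereas systemd's `EnvironmentFile=` expects an absolute path, so `/path/to/file` would be less misleading. The description reads awkwardly; suggested wording: `Path of an environment file (systemd EnvironmentFile=) loaded by the given pool's service.`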
@@ -174,6 +186,7 @@ in {
           cfgFile = fpmCfgFile pool poolConfig;
           poolPhpIni = cfg.poolPhpConfigs.${pool} or "";
         in {
+          EnvironmentFile = if builtins.hasAttr pool cfg.envFile then [cfg.envFile.${pool}] else [];
           Slice = "phpfpm.slice";
           PrivateDevices = true;
           ProtectSystem = "full";
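Review bot: The added EnvironmentFile line can be written more idiomatically as `EnvironmentFile = lib.optional (cfg.envFile ? ${pool}) cfg.envFile.${pool};`, which reads as "list of zero or one path" rather than an if/else around `builtins.hasAttr`. Note that systemd refuses to start a unit whose `EnvironmentFile=` does not exist (unless the path is prefixed with `-`), so a pool that sets envFile must also list the unit that creates the file in its service dependencies; this module does not tie the two together, so a one-line comment above the new line saying so would help the next pool author. The enclosing attribute set starts above the hunk.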
index 3d5465f0650fe01486a99d2daec9e944a01551cf..31ed03561c278fb304d5ef80a4522b77ed9cf1c8 100644 (file)
@@ -50,6 +50,7 @@ in {
       kanboard.keys
       // ldap.keys
       // roundcubemail.keys
+      // shaarli.keys
       // ttrss.keys
       // wallabag.keys
       // yourls.keys;
@@ -137,12 +138,17 @@ in {
       ];
     };
 
+    services.myPhpfpm.envFile = {
+      shaarli = shaarli.phpFpm.envFile;
+    };
+
     services.myPhpfpm.serviceDependencies = {
       dokuwiki = dokuwiki.phpFpm.serviceDeps;
       kanboard = kanboard.phpFpm.serviceDeps;
       ldap = ldap.phpFpm.serviceDeps;
       rainloop = rainloop.phpFpm.serviceDeps;
       roundcubemail = roundcubemail.phpFpm.serviceDeps;
+      shaarli = shaarli.phpFpm.serviceDeps;
       ttrss = ttrss.phpFpm.serviceDeps;
       wallabag = wallabag.phpFpm.serviceDeps;
       yourls = yourls.phpFpm.serviceDeps;
index 0f6b4605de1d595d8d3d9f6acb8b0a4d45ad1aac..157c4de661ac2cac58c4e1c8eca757f393426e2c 100644 (file)
@@ -50,12 +50,6 @@ in rec {
       Alias /Shaarli "${root}"
 
       <Directory "${root}">
-        SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
-        SetEnv SHAARLI_LDAP_DN       "${env.ldap.dn}"
-        SetEnv SHAARLI_LDAP_HOST     "ldaps://${env.ldap.host}"
-        SetEnv SHAARLI_LDAP_BASE     "${env.ldap.base}"
-        SetEnv SHAARLI_LDAP_FILTER   "${env.ldap.search}"
-
         DirectoryIndex index.php index.htm index.html
         Options Indexes FollowSymLinks MultiViews Includes
         AllowOverride All
@@ -66,7 +60,22 @@ in rec {
       </Directory>
       '';
   };
+  keys.tools-shaarli = {
+    destDir = "/run/keys/webapps";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0700";
+    text = ''
+      SHAARLI_LDAP_PASSWORD="${env.ldap.password}"
+      SHAARLI_LDAP_DN="${env.ldap.dn}"
+      SHAARLI_LDAP_HOST="ldaps://${env.ldap.host}"
+      SHAARLI_LDAP_BASE="${env.ldap.base}"
+      SHAARLI_LDAP_FILTER="${env.ldap.search}"
+      '';
+  };
   phpFpm = rec {
+    serviceDeps = [ "openldap.service" "tools-shaarli-key.service" ];
+    envFile = "/run/keys/webapps/tools-shaarli";
     basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
     socket = "/var/run/phpfpm/shaarli.sock";
     pool = ''
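Review bot: `permissions = "0700"` on the new key file grants an execute bit that a regular file of environment assignments never needs; `permissions = "0600";` expresses the intent (owner read/write only) without it. The file body is a systemd EnvironmentFile, and the values are interpolated unescaped inside double quotes, so a password containing `"` or `\` would be mangled by systemd's quote and backslash handling; if the LDAP bind password can contain such characters, escaping them in the Nix expression (or documenting the restriction next to `text`) would avoid a hard-to-diagnose bind failure. The file is owned by `apache.user`, which presumably also runs the pool (the pool definition is outside the hunk); if not, it is readable by more than the consumer that needs it.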
@@ -78,6 +87,7 @@ in rec {
         pm = ondemand
         pm.max_children = 60
         pm.process_idle_timeout = 60
+        clear_env = no
 
         ; Needed to avoid clashes in browser cookies (same domain)
         php_value[session.name] = ShaarliPHPSESSID
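Review bot: `clear_env = no` passes the entire environment of the php-fpm master process to the PHP workers, not just the five LDAP variables from the env file, so anything else present in the service environment becomes readable from any script in the pool via `getenv()`. php-fpm's pool syntax `env[NAME] = $NAME` copies a single variable from the master's environment while `clear_env` keeps its default of `yes`, which limits exposure to exactly what shaarli needs. The rewrite below replaces the added `clear_env = no` line; the rest of the pool string is unchanged.
```nix
        pm.process_idle_timeout = 60
        ; Export only the LDAP settings to the workers (clear_env keeps its default, yes)
        env[SHAARLI_LDAP_PASSWORD] = $SHAARLI_LDAP_PASSWORD
        env[SHAARLI_LDAP_DN] = $SHAARLI_LDAP_DN
        env[SHAARLI_LDAP_HOST] = $SHAARLI_LDAP_HOST
        env[SHAARLI_LDAP_BASE] = $SHAARLI_LDAP_BASE
        env[SHAARLI_LDAP_FILTER] = $SHAARLI_LDAP_FILTER
        ; … unchanged: session.name and remaining php_value settings …
```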