From 42fa50f1fa75f62c6e9cada076860196e8185641 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Mon, 22 Apr 2019 15:32:34 +0200
Subject: [PATCH] Move nextcloud passwords to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
---
 .../modules/websites/tools/cloud/default.nix | 1 +
 .../websites/tools/cloud/nextcloud.nix | 125 +++++++++---------
 2 files changed, 60 insertions(+), 66 deletions(-)
diff --git a/nixops/modules/websites/tools/cloud/default.nix b/nixops/modules/websites/tools/cloud/default.nix
index dc3dde2..7dd37f5 100644
--- a/nixops/modules/websites/tools/cloud/default.nix
+++ b/nixops/modules/websites/tools/cloud/default.nix
@@ -24,6 +24,7 @@ in {
 ];
 };
 
+ deployment.keys = nextcloud.keys;
 users.users.root.packages = let
 occ = pkgs.writeScriptBin "nextcloud-occ" ''
 #! ${pkgs.stdenv.shell}
diff --git a/nixops/modules/websites/tools/cloud/nextcloud.nix b/nixops/modules/websites/tools/cloud/nextcloud.nix
index 59930fb..b339038 100644
--- a/nixops/modules/websites/tools/cloud/nextcloud.nix
+++ b/nixops/modules/websites/tools/cloud/nextcloud.nix
@@ -113,66 +113,62 @@ let
 };
 in rec {
 varDir = "/var/lib/nextcloud";
- config_php = writeText "config.php" ''
- '${env.instance_id}1',
- 'datadirectory' => '/var/lib/nextcloud/',
- 'passwordsalt' => '${env.password_salt}',
- 'debug' => false,
- 'dbtype' => 'pgsql',
- 'version' => '15.0.0.10',
- 'dbname' => '${env.postgresql.database}',
- 'dbhost' => '${env.postgresql.socket}',
- 'dbtableprefix' => 'oc_',
- 'dbuser' => '${env.postgresql.user}',
- 'dbpassword' => '${env.postgresql.password}',
- 'installed' => true,
- 'maxZipInputSize' => 0,
- 'allowZipDownload' => true,
- 'forcessl' => true,
- 'theme' => ${"''"},
- 'maintenance' => false,
- 'trusted_domains' =>
- array (
- 0 => 'cloud.immae.eu',
- ),
- 'secret' => '${env.secret}',
- 'appstoreenabled' => false,
- 'appstore.experimental.enabled' => true,
- 'loglevel' => 2,
- 'trashbin_retention_obligation' => 'auto',
- 'htaccess.RewriteBase' => '/',
- 'mail_smtpmode' => 'sendmail',
- 'mail_smtphost' => '127.0.0.1',
- 'mail_smtpname' => ''',
- 'mail_smtppassword' => ''',
- 'mail_from_address' => 'nextcloud',
- 'mail_smtpauth' => false,
- 'mail_domain' => 'tools.immae.eu',
- 'memcache.local' => '\\OC\\Memcache\\APCu',
- 'memcache.locking' => '\\OC\\Memcache\\Redis',
- 'filelocking.enabled' => true,
- 'redis' =>
- array (
- 'host' => '${env.redis.socket}',
- 'port' => 0,
- 'dbindex' => ${env.redis.db_index},
- ),
- 'overwrite.cli.url' => 'https://cloud.immae.eu',
- 'ldapIgnoreNamingRules' => false,
- 'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
- );
- '';
- config = stdenv.mkDerivation rec {
- name = "nextcloud-config";
- src = ./nextcloud-config;
- phases = "installPhase";
- installPhase = ''
- mkdir -p $out
- cp -r $src/* $out
- cp ${config_php} $out/config.php
+ keys.tools-nextcloud = {
+ destDir = "/run/keys/webapps";
+ user = apache.user;
+ group = apache.group;
+ permissions = "0600";
+ text = ''
+ '${env.instance_id}1',
+ 'datadirectory' => '/var/lib/nextcloud/',
+ 'passwordsalt' => '${env.password_salt}',
+ 'debug' => false,
+ 'dbtype' => 'pgsql',
+ 'version' => '15.0.4.0',
+ 'dbname' => '${env.postgresql.database}',
+ 'dbhost' => '${env.postgresql.socket}',
+ 'dbtableprefix' => 'oc_',
+ 'dbuser' => '${env.postgresql.user}',
+ 'dbpassword' => '${env.postgresql.password}',
+ 'installed' => true,
+ 'maxZipInputSize' => 0,
+ 'allowZipDownload' => true,
+ 'forcessl' => true,
+ 'theme' => ${"''"},
+ 'maintenance' => false,
+ 'trusted_domains' =>
+ array (
+ 0 => 'cloud.immae.eu',
+ ),
+ 'secret' => '${env.secret}',
+ 'appstoreenabled' => false,
+ 'appstore.experimental.enabled' => true,
+ 'loglevel' => 2,
+ 'trashbin_retention_obligation' => 'auto',
+ 'htaccess.RewriteBase' => '/',
+ 'mail_smtpmode' => 'sendmail',
+ 'mail_smtphost' => '127.0.0.1',
+ 'mail_smtpname' => ''',
+ 'mail_smtppassword' => ''',
+ 'mail_from_address' => 'nextcloud',
+ 'mail_smtpauth' => false,
+ 'mail_domain' => 'tools.immae.eu',
+ 'memcache.local' => '\\OC\\Memcache\\APCu',
+ 'memcache.locking' => '\\OC\\Memcache\\Redis',
+ 'filelocking.enabled' => true,
+ 'redis' =>
+ array (
+ 'host' => '${env.redis.socket}',
+ 'port' => 0,
+ 'dbindex' => ${env.redis.db_index},
+ ),
+ 'overwrite.cli.url' => 'https://cloud.immae.eu',
+ 'ldapIgnoreNamingRules' => false,
+ 'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
+ );
 '';
 };
 webRoot = stdenv.mkDerivation rec {
@@ -207,11 +203,8 @@ let
 text = ''
 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
 install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
- if [ ! -e ${varDir}/config ]; then
- cp -a ${config} ${varDir}/config
- chown -R ${apache.user}:${apache.group} ${varDir}/config
- chmod -R u+w ${varDir}/config
- fi
+ install -D -m 0644 -o ${apache.user} -g ${apache.group} ${./nextcloud-config}/* -t ${varDir}/config
+ install -D -m 0600 -o ${apache.user} -g ${apache.group} -T /run/keys/webapps/tools-nextcloud ${varDir}/config/config.php
 '';
 };
 apache = rec {
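Review bot: `keys.tools-nextcloud` now carries the fully rendered config.php, including `dbpassword`, `secret` and `passwordsalt`, but nothing in the attribute says why it is a NixOps key rather than a store path, nor that `/run/keys/webapps/tools-nextcloud` is what the `install -T` step later in this file copies into place. A comment above `keys.tools-nextcloud = {` along the lines of `# Rendered config.php. Shipped as a NixOps key (not writeText) so the DB password, secret and passwordsalt never enter the world-readable Nix store; copied to ${varDir}/config/config.php by the install step below.` would document that. The `version` change from `15.0.0.10` to `15.0.4.0` rides along with the move and is not mentioned in the commit message; it deserves a line there. The enclosing `rec { … }` begins before the hunk.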
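Review bot: The `install -D -m 0600 … -T /run/keys/webapps/tools-nextcloud ${varDir}/config/config.php` line runs on every activation, whereas the removed `if [ ! -e ${varDir}/config ]` block seeded the directory only once, so anything Nextcloud or `occ config:system:set` later wrote into config.php is reverted to the key's content each time; that is fine if config.php is meant to be fully declarative, but it should be stated in a comment above the line. `/run/keys` is a tmpfs that NixOps fills only when keys are sent, so a run of this script before the per-key unit NixOps generates has completed (early at boot, for instance) fails on the `install -T` because the source does not exist; ordering the script after that unit, or guarding the copy with `[ -e /run/keys/webapps/tools-nextcloud ]`, avoids that. Separately, `install -D` creates the missing `${varDir}/config` directory as the invoking user with the default directory mode (as far as I can tell `-o`/`-g` apply to the installed files only), where the removed `chown -R` handed the directory to `${apache.user}`; if Nextcloud needs to create files in `config/`, add `install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/config` before the two install lines, matching the `phpSessions` line above. The script's enclosing attribute begins before the hunk.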
@@ -243,7 +236,7 @@ let
 };
 phpFpm = rec {
 basedir = builtins.concatStringsSep ":" (
- [ webRoot varDir config ]
+ [ webRoot varDir ]
 ++ lib.attrsets.mapAttrsToList (name: value: value) apps);
 socket = "/var/run/phpfpm/nextcloud.sock";
 phpConfig = ''
-- 
2.41.0