From 914dd76ceccc2de3bd5ffa176cf7984ad1bd5581 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 20 Apr 2019 17:01:31 +0200
Subject: [PATCH] Move ympd password to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
---
 nixops/modules/mpd/default.nix | 6 +++++
 .../modules/websites/tools/tools/default.nix | 13 +++++++++--
 .../tools/tools/ympd-password-env.patch | 23 +++++++++++++++++++
 nixops/modules/websites/tools/tools/ympd.nix | 6 ++---
 4 files changed, 42 insertions(+), 6 deletions(-)
 create mode 100644 nixops/modules/websites/tools/tools/ympd-password-env.patch

diff --git a/nixops/modules/mpd/default.nix b/nixops/modules/mpd/default.nix
index 7781b36..d59a34c 100644
--- a/nixops/modules/mpd/default.nix
+++ b/nixops/modules/mpd/default.nix
@@ -1,6 +1,12 @@
 { lib, pkgs, config, myconfig, mylibs, ... }:
 {
 config = {
+ deployment.keys = {
+ mpd = {
+ permissions = "0400";
+ text = myconfig.env.mpd.password;
+ };
+ };
 networking.firewall.allowedTCPPorts = [ 6600 ];
 users.users.mpd.extraGroups = [ "wwwrun" ];
 services.mpd = {
diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
index d309287..fc5b48d 100644
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -72,7 +72,14 @@ in {
 ++ ldap.apache.modules
 ++ kanboard.apache.modules;
 
- services.ympd = ympd.config // { enable = true; };
+ systemd.services.ympd = {
+ description = "Standalone MPD Web GUI written in C";
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ export MPD_PASSWORD=$(cat /run/keys/mpd)
+ ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
+ '';
+ };
 
 services.myWebsites.integration.vhostConfs.devtools = {
 certName = "eldiron";
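Review bot: The new `systemd.services.ympd` unit reads `/run/keys/mpd` but declares no ordering on the key, and nixops delivers `deployment.keys` through a generated `mpd-key.service` into a non-persistent `/run/keys`, so after a reboot ympd can start before the key is back; add `after = [ "mpd-key.service" ]; wants = [ "mpd-key.service" ];` to the unit. In `export MPD_PASSWORD=$(cat /run/keys/mpd)` the exit status of `cat` is masked by `export`, so a missing key does not abort the script even under the `-e` NixOS wraps around `script`, and ympd is started with an empty password instead; assign first, `MPD_PASSWORD=$(cat /run/keys/mpd)`, then `export MPD_PASSWORD`, so the failure is caught. The key is declared in the mpd module while this consumer lives in the tools module; if the two are deployed to different machines the file will not exist here, which is worth confirming. The enclosing module body starts and ends outside the hunk.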
@@ -239,7 +246,9 @@ in {
 '';
 nixpkgs.overlays = [
 (self: super: rec {
- ympd = super.ympd.overrideAttrs(old: mylibs.fetchedGithub ./ympd.json);
+ ympd = super.ympd.overrideAttrs(old: mylibs.fetchedGithub ./ympd.json // {
+ patches = (old.patches or []) ++ [ ./ympd-password-env.patch ];
+ });
 })
 ];
 systemd.services.tt-rss = {
diff --git a/nixops/modules/websites/tools/tools/ympd-password-env.patch b/nixops/modules/websites/tools/tools/ympd-password-env.patch
new file mode 100644
index 0000000..2bbe188
--- /dev/null
+++ b/nixops/modules/websites/tools/tools/ympd-password-env.patch
@@ -0,0 +1,23 @@
+diff --git a/src/ympd.c b/src/ympd.c
+index 3aed7e6..b3b6fda 100644
+--- a/src/ympd.c
++++ b/src/ympd.c
+@@ -71,6 +71,7 @@ int main(int argc, char **argv)
+ char *run_as_user = NULL;
+ char const *error_msg = NULL;
+ char *webport = "8080";
++ const char *s;
+ 
+ atexit(bye);
+ #ifdef WITH_DYNAMIC_ASSETS
+@@ -92,6 +93,10 @@ int main(int argc, char **argv)
+ {0, 0, 0, 0 }
+ };
+ 
++ if ((s = getenv("MPD_PASSWORD")) != NULL) {
++ mpd.password = strdup(s);
++ }
++
+ while((n = getopt_long(argc, argv, "h:p:w:u:vm:",
+ long_options, &option_index)) != -1) {
+ switch (n) {
diff --git a/nixops/modules/websites/tools/tools/ympd.nix b/nixops/modules/websites/tools/tools/ympd.nix
index 613a171..82d9321 100644
--- a/nixops/modules/websites/tools/tools/ympd.nix
+++ b/nixops/modules/websites/tools/tools/ympd.nix
@@ -3,10 +3,8 @@ let
 ympd = rec {
 config = {
 webPort = "localhost:${env.listenPort}";
- mpd = {
- host = "${env.mpd.host} --mpdpass ${env.mpd.password}";
- port = env.mpd.port;
- };
+ host = env.mpd.host;
+ port = env.mpd.port;
 };
 apache = {
 modules = [
--
2.41.0
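Review bot: The password remains in the process environment after it is copied, because nothing clears `MPD_PASSWORD` once `mpd.password = strdup(s);` has run; add `unsetenv("MPD_PASSWORD");` inside the new block so the secret lives only in `mpd.password` and is not inherited by anything ympd may exec. An empty value is accepted as-is, and `strdup("")` presumably turns "no password" into an empty password, so tighten the guard to `if ((s = getenv("MPD_PASSWORD")) != NULL && *s != '\0') {`. The `m:` option in the `getopt_long` string just below presumably also assigns `mpd.password`; if it does, giving both the variable and `-m` leaks this early copy, so free it before overwriting. The patched `main` starts and ends outside the hunk.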