From 5f08b34c5247ee0c4de2a9264d059b69271e3473 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Mon, 15 Apr 2019 01:17:31 +0200
Subject: [PATCH] Move shaarli passwords to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
---
 nixops/modules/websites/phpfpm/default.nix | 13 +++++++++++
 .../modules/websites/tools/tools/default.nix | 6 +++++
 .../modules/websites/tools/tools/shaarli.nix | 22 ++++++++++++++-----
 3 files changed, 35 insertions(+), 6 deletions(-)

diff --git a/nixops/modules/websites/phpfpm/default.nix b/nixops/modules/websites/phpfpm/default.nix
index 882babc..9c068bf 100644
--- a/nixops/modules/websites/phpfpm/default.nix
+++ b/nixops/modules/websites/phpfpm/default.nix
@@ -83,6 +83,18 @@ in {
 '';
 };
 
+ envFile = mkOption {
+ default = {};
+ type = types.attrsOf types.string;
+ example = literalExample ''
+ { mypool = "path/to/file";
+ }
+ '';
+ description = ''
+ Extra environment file go into the service script.
+ '';
+ };
+
 poolPhpConfigs = mkOption {
 default = {};
 type = types.attrsOf types.lines;
@@ -174,6 +186,7 @@ in {
 cfgFile = fpmCfgFile pool poolConfig;
 poolPhpIni = cfg.poolPhpConfigs.${pool} or "";
 in {
+ EnvironmentFile = if builtins.hasAttr pool cfg.envFile then [cfg.envFile.${pool}] else [];
 Slice = "phpfpm.slice";
 PrivateDevices = true;
 ProtectSystem = "full";
diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
index 3d5465f..31ed035 100644
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -50,6 +50,7 @@ in {
 kanboard.keys
 // ldap.keys
 // roundcubemail.keys
+ // shaarli.keys
 // ttrss.keys
 // wallabag.keys
 // yourls.keys;
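Review bot: `type = types.attrsOf types.string` merges two definitions of the same pool by concatenating them, so a conflicting `envFile.<pool>` set by another module would silently become one joined, nonexistent path instead of an evaluation error; `types.attrsOf types.str` (or `types.path`) fails loudly, and `types.string` has since been deprecated in nixpkgs for exactly this concatenation behaviour. The example `"path/to/file"` is relative, while systemd's `EnvironmentFile=` requires an absolute path, so an example like `{ mypool = "/run/keys/mypool-env"; }` would document the real constraint. The description also reads awkwardly; I would write it as `Per-pool environment file (absolute path) passed to that pool's phpfpm service as EnvironmentFile=.`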
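Review bot: The new `EnvironmentFile` line spells out the optional lookup with `builtins.hasAttr` and an `if`, while the `poolPhpIni` line just above uses the `or` idiom; `EnvironmentFile = lib.optional (cfg.envFile ? ${pool}) cfg.envFile.${pool};` is the equivalent one-liner and reads like its neighbour (assuming `lib` is in scope, as the bare `mkOption` earlier in the file suggests). Note that systemd treats a missing `EnvironmentFile=` path as a start failure unless the path is prefixed with `-`; for a secrets file that is the behaviour you want, so the only thing keeping this from racing the key delivery is the per-pool `serviceDependencies` entry (set for shaarli in tools/default.nix), which presumably becomes an `after`/`requires` ordering. The enclosing `let … in` for the service config starts and ends outside this hunk.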
@@ -137,12 +138,17 @@ in {
 ];
 };
 
+ services.myPhpfpm.envFile = {
+ shaarli = shaarli.phpFpm.envFile;
+ };
+
 services.myPhpfpm.serviceDependencies = {
 dokuwiki = dokuwiki.phpFpm.serviceDeps;
 kanboard = kanboard.phpFpm.serviceDeps;
 ldap = ldap.phpFpm.serviceDeps;
 rainloop = rainloop.phpFpm.serviceDeps;
 roundcubemail = roundcubemail.phpFpm.serviceDeps;
+ shaarli = shaarli.phpFpm.serviceDeps;
 ttrss = ttrss.phpFpm.serviceDeps;
 wallabag = wallabag.phpFpm.serviceDeps;
 yourls = yourls.phpFpm.serviceDeps;
diff --git a/nixops/modules/websites/tools/tools/shaarli.nix b/nixops/modules/websites/tools/tools/shaarli.nix
index 0f6b460..157c4de 100644
--- a/nixops/modules/websites/tools/tools/shaarli.nix
+++ b/nixops/modules/websites/tools/tools/shaarli.nix
@@ -50,12 +50,6 @@ in rec {
 Alias /Shaarli "${root}"
 
- SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
- SetEnv SHAARLI_LDAP_DN "${env.ldap.dn}"
- SetEnv SHAARLI_LDAP_HOST "ldaps://${env.ldap.host}"
- SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}"
- SetEnv SHAARLI_LDAP_FILTER "${env.ldap.search}"
-
 DirectoryIndex index.php index.htm index.html
 Options Indexes FollowSymLinks MultiViews Includes
 AllowOverride All
@@ -66,7 +60,22 @@ in rec {
 '';
 };
 
+ keys.tools-shaarli = {
+ destDir = "/run/keys/webapps";
+ user = apache.user;
+ group = apache.group;
+ permissions = "0700";
+ text = ''
+ SHAARLI_LDAP_PASSWORD="${env.ldap.password}"
+ SHAARLI_LDAP_DN="${env.ldap.dn}"
+ SHAARLI_LDAP_HOST="ldaps://${env.ldap.host}"
+ SHAARLI_LDAP_BASE="${env.ldap.base}"
+ SHAARLI_LDAP_FILTER="${env.ldap.search}"
+ '';
+ };
 phpFpm = rec {
+ serviceDeps = [ "openldap.service" "tools-shaarli-key.service" ];
+ envFile = "/run/keys/webapps/tools-shaarli";
 basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
 socket = "/var/run/phpfpm/shaarli.sock";
 pool = ''
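Review bot: `permissions = "0700"` in `keys.tools-shaarli` grants the execute bit on a file that is only ever read; `permissions = "0600"` is the least-privilege mode for a regular secrets file. The file is consumed through `EnvironmentFile=`, which systemd reads before the service's own identity applies, so ownership by `apache.user` is not what makes it readable to the pool service — its practical effect is that anything running as the Apache user can read the LDAP bind password; unless `myPhpfpm` runs this pool as that user (not visible from this hunk), a root-owned `0600` file would be tighter. Separately, the values are interpolated unquoted-from-Nix into double quotes, so a password containing `"` or `\` would be mis-parsed by systemd's environment-file reader — the same fragility the removed `SetEnv` lines had, just in a different parser; worth a comment such as `# values are not escaped: passwords with " or \ will not survive the EnvironmentFile parser` until that is handled. The `phpFpm` set continues past the end of the hunk.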
@@ -78,6 +87,7 @@ in rec {
 pm = ondemand
 pm.max_children = 60
 pm.process_idle_timeout = 60
+ clear_env = no
 
 ; Needed to avoid clashes in browser cookies (same domain)
 php_value[session.name] = ShaarliPHPSESSID
-- 
2.41.0
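Review bot: `clear_env = no` hands the pool service's entire environment to every script this pool executes, not only the five variables the key file defines; whatever systemd injects, and anything the unit picks up later, becomes visible to PHP without anyone revisiting this line. The narrower form is to leave `clear_env` at its default and forward the named variables with php-fpm's `env[NAME] = $NAME` syntax, which copies just those values from the master process's environment (where `EnvironmentFile=` put them). The `pool = ''` string this hunk belongs to starts in the previous hunk.
```nix
pm.process_idle_timeout = 60
env[SHAARLI_LDAP_PASSWORD] = $SHAARLI_LDAP_PASSWORD
env[SHAARLI_LDAP_DN] = $SHAARLI_LDAP_DN
env[SHAARLI_LDAP_HOST] = $SHAARLI_LDAP_HOST
env[SHAARLI_LDAP_BASE] = $SHAARLI_LDAP_BASE
env[SHAARLI_LDAP_FILTER] = $SHAARLI_LDAP_FILTER
; … unchanged: session.name setting …
```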