From 8db8e666707a0e51af9353c76c5863e1a5482ed5 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Thu, 25 Apr 2019 09:26:26 +0200 Subject: [PATCH] Move tools to new secrets location --- nixops/modules/secrets/default.nix | 13 ------------- nixops/modules/websites/default.nix | 7 ++++--- nixops/modules/websites/tools/cloud/default.nix | 2 +- nixops/modules/websites/tools/cloud/nextcloud.nix | 8 ++++---- nixops/modules/websites/tools/dav/davical.nix | 12 ++++++------ nixops/modules/websites/tools/dav/default.nix | 2 +- nixops/modules/websites/tools/git/default.nix | 2 +- .../websites/tools/git/mantisbt/mantisbt.nix | 12 ++++++------ nixops/modules/websites/tools/tools/default.nix | 14 +++++++------- nixops/modules/websites/tools/tools/kanboard.nix | 12 ++++++------ nixops/modules/websites/tools/tools/ldap.nix | 12 ++++++------ .../modules/websites/tools/tools/roundcubemail.nix | 12 ++++++------ nixops/modules/websites/tools/tools/shaarli.nix | 8 ++++---- nixops/modules/websites/tools/tools/ttrss.nix | 12 ++++++------ nixops/modules/websites/tools/tools/wallabag.nix | 14 +++++++------- nixops/modules/websites/tools/tools/yourls.nix | 12 ++++++------ 16 files changed, 71 insertions(+), 83 deletions(-) diff --git a/nixops/modules/secrets/default.nix b/nixops/modules/secrets/default.nix index 7096e48..8500088 100644 --- a/nixops/modules/secrets/default.nix +++ b/nixops/modules/secrets/default.nix @@ -8,20 +8,8 @@ }; }; config = let - oldkeys = lib.attrsets.filterAttrs (n: v: n != "secrets.tar") config.deployment.keys; keys = config.mySecrets.keys; empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; - dumpOldKey = k: v: let - dest = if v.destDir == "/run/keys" - then k - else (builtins.replaceStrings ["/run/keys/"] [""] v.destDir) + "/" + k; - in '' - mkdir -p secrets/$(dirname ${dest}) - echo -n ${lib.strings.escapeShellArg v.text} > secrets/${dest} - cat >> mods < secrets/${v.dest} 
@@ -32,7 +20,6 @@ secrets = pkgs.runCommand "secrets.tar" {} '' touch mods tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done - ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList dumpOldKey oldkeys)} ${builtins.concatStringsSep "\n" (map dumpKey keys)} cat mods | while read u g p k; do tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k" diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix index 927243b..b0bc7a4 100644 --- a/nixops/modules/websites/default.nix +++ b/nixops/modules/websites/default.nix @@ -229,7 +229,8 @@ in services.myWebsites.TellesFlorian.integration.enable = true; services.myWebsites.Florian.integration.enable = true; - deployment.keys.apache-ldap = { + mySecrets.keys = [{ + dest = "apache-ldap"; user = "wwwrun"; group = "wwwrun"; permissions = "0400"; @@ -245,7 +246,7 @@ in ''; - }; + }]; services.myWebsites.apacheConfig = { gzip = { @@ -284,7 +285,7 @@ in LDAPOpCacheTTL 600 - Include /run/keys/apache-ldap + Include /var/secrets/apache-ldap ''; }; global = { diff --git a/nixops/modules/websites/tools/cloud/default.nix b/nixops/modules/websites/tools/cloud/default.nix index 7dd37f5..5c3e9a8 100644 --- a/nixops/modules/websites/tools/cloud/default.nix +++ b/nixops/modules/websites/tools/cloud/default.nix @@ -24,7 +24,7 @@ in { ]; }; - deployment.keys = nextcloud.keys; + mySecrets.keys = nextcloud.keys; users.users.root.packages = let occ = pkgs.writeScriptBin "nextcloud-occ" '' #! ${pkgs.stdenv.shell} diff --git a/nixops/modules/websites/tools/cloud/nextcloud.nix b/nixops/modules/websites/tools/cloud/nextcloud.nix index b339038..b62606f 100644 --- a/nixops/modules/websites/tools/cloud/nextcloud.nix +++ b/nixops/modules/websites/tools/cloud/nextcloud.nix 
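Review bot: The archive is still built by `pkgs.runCommand "secrets.tar"` in this hunk, so whatever `dumpKey` interpolates into the builder script lands in `/nix/store` twice — in the builder itself and in the output tar — where it is world-readable and eligible for upload to any binary cache the host pushes to. `dumpKey` is defined outside the hunk; the `dumpOldKey` removed by the preceding hunk wrote the key verbatim (`echo -n ${lib.strings.escapeShellArg v.text} > secrets/${dest}`), and if `dumpKey` does the same for the inline `text` that the new `mySecrets.keys` entries appear to carry, the `--owner`/`--group`/`--mode` applied to the tar entries protect only the extracted copy, not the store copy. If the key text is meant to stay out of the store it has to be supplied at deploy time rather than as a string inside the derivation; at minimum a comment above `secrets = pkgs.runCommand "secrets.tar" {} ''` should say `# contains plaintext secrets in the store: never push this derivation to a cache`.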
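Review bot: `Include /var/secrets/apache-ldap` in the third hunk of websites/default.nix moves the mod_ldap configuration (presumably holding the bind password, given the surrounding `LDAPOpCacheTTL` directives) from nixops' `/run/keys`, a RAM-backed directory that is re-populated on each deploy and lost on reboot, to a path under `/var` that carries no such guarantee as written. Unless `/var/secrets` is itself a tmpfs or the root filesystem is encrypted, the credential now persists across reboots and into any image or backup of `/var`. The commit should state which it is, e.g. next to the new key definition: `# /var/secrets is on persistent storage; keep it out of backups and images`, or mount it accordingly.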
@@ -113,8 +113,8 @@ let }; in rec { varDir = "/var/lib/nextcloud"; - keys.tools-nextcloud = { - destDir = "/run/keys/webapps"; + keys = [{ + dest = "webapps/tools-nextcloud"; user = apache.user; group = apache.group; permissions = "0600"; @@ -170,7 +170,7 @@ let 'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory', ); ''; - }; + }]; webRoot = stdenv.mkDerivation rec { name = "nextcloud-${version}"; version = "15.0.4"; @@ -204,7 +204,7 @@ let install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions install -D -m 0644 -o ${apache.user} -g ${apache.group} ${./nextcloud-config}/* -t ${varDir}/config - install -D -m 0600 -o ${apache.user} -g ${apache.group} -T /run/keys/webapps/tools-nextcloud ${varDir}/config/config.php + install -D -m 0600 -o ${apache.user} -g ${apache.group} -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php ''; }; apache = rec { diff --git a/nixops/modules/websites/tools/dav/davical.nix b/nixops/modules/websites/tools/dav/davical.nix index 89ba568..1e3893f 100644 --- a/nixops/modules/websites/tools/dav/davical.nix +++ b/nixops/modules/websites/tools/dav/davical.nix @@ -16,8 +16,8 @@ let ''; }; davical = rec { - keys."dav-davical" = { - destDir = "/run/keys/webapps"; + keys = [{ + dest = "webapps/dav-davical"; user = apache.user; group = apache.group; permissions = "0400"; @@ -74,7 +74,7 @@ let $c->do_not_sync_from_ldap = array('admin' => true); include('drivers_ldap.php'); ''; - }; + }]; webapp = stdenv.mkDerivation rec { version = "1.1.7"; name = "davical-${version}"; @@ -90,7 +90,7 @@ let installPhase = '' mkdir -p $out cp -ra config dba docs htdocs inc locale po scripts testing zonedb $out - ln -s /run/keys/webapps/dav-davical $out/config/config.php + ln -s /var/secrets/webapps/dav-davical $out/config/config.php ''; buildInputs = [ gettext ]; }; 
@@ -137,8 +137,8 @@ let ''; }; phpFpm = rec { - serviceDeps = [ "postgresql.service" "openldap.service" "dav-davical-key.service" ]; - basedir = builtins.concatStringsSep ":" [ webapp "/run/keys/webapps/dav-davical" awl ]; + serviceDeps = [ "postgresql.service" "openldap.service" ]; + basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ]; socket = "/var/run/phpfpm/davical.sock"; pool = '' listen = ${socket} diff --git a/nixops/modules/websites/tools/dav/default.nix b/nixops/modules/websites/tools/dav/default.nix index 56b3006..2a82a1d 100644 --- a/nixops/modules/websites/tools/dav/default.nix +++ b/nixops/modules/websites/tools/dav/default.nix @@ -14,7 +14,7 @@ in { config = lib.mkIf cfg.enable { security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null; - deployment.keys = davical.keys; + mySecrets.keys = davical.keys; services.myWebsites.tools.modules = davical.apache.modules; services.myWebsites.tools.vhostConfs.dav = { diff --git a/nixops/modules/websites/tools/git/default.nix b/nixops/modules/websites/tools/git/default.nix index 28b3c2d..4a1457f 100644 --- a/nixops/modules/websites/tools/git/default.nix +++ b/nixops/modules/websites/tools/git/default.nix @@ -23,7 +23,7 @@ in { }); }) ]; - deployment.keys = mantisbt.keys; + mySecrets.keys = mantisbt.keys; services.myWebsites.tools.modules = gitweb.apache.modules ++ mantisbt.apache.modules; diff --git a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix index b564058..41c5e90 100644 --- a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix +++ b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix @@ -17,8 +17,8 @@ let }); }; in rec { - keys."tools-mantisbt" = { - destDir = "/run/keys/webapps"; + keys = [{ + dest = "webapps/tools-mantisbt"; user = apache.user; group = apache.group; permissions = "0400"; 
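Review bot: Dropping `"dav-davical-key.service"` from `serviceDeps` removes the only ordering that guaranteed `/var/secrets/webapps/dav-davical` existed before the PHP-FPM pool started; with nixops keys that unit blocked until the key was uploaded after a reboot, and nothing in the new side expresses an equivalent dependency on whatever unpacks the secrets tar into `/var/secrets`. If that happens in an activation script it runs before any unit and the ordering is implicit, but if it is a systemd unit the pool can start before its `config.php` symlink target exists and fail (or serve an unconfigured app) until restarted. Either add that unit to `serviceDeps` or record the assumption, e.g. `serviceDeps = [ "postgresql.service" "openldap.service" ]; # /var/secrets is populated at activation, before units start — confirm`. The same edit is made in mantisbt.nix, kanboard.nix, ldap.nix, roundcubemail.nix, ttrss.nix, wallabag.nix and yourls.nix; the `phpFpm` set continues outside this hunk.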
@@ -56,7 +56,7 @@ let $g_ldap_realname_field = 'cn'; $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)'; ''; - }; + }]; webRoot = stdenv.mkDerivation rec { name = "mantisbt-${version}"; version = "2.11.1"; @@ -72,7 +72,7 @@ let ]; installPhase = '' cp -a . $out - ln -s /run/keys/webapps/tools-mantisbt $out/config/config_inc.php + ln -s /var/secrets/webapps/tools-mantisbt $out/config/config_inc.php ln -s ${plugins.slack} $out/plugins/Slack ln -s ${plugins.source-integration}/Source* $out/plugins/ ''; @@ -102,9 +102,9 @@ let ''; }; phpFpm = rec { - serviceDeps = [ "postgresql.service" "openldap.service" "tools-mantisbt-key.service" ]; + serviceDeps = [ "postgresql.service" "openldap.service" ]; basedir = builtins.concatStringsSep ":" ( - [ webRoot "/run/keys/webapps/tools-mantisbt" ] + [ webRoot "/var/secrets/webapps/tools-mantisbt" ] ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); socket = "/var/run/phpfpm/mantisbt.sock"; pool = '' diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix index 463e059..9be9d5d 100644 --- a/nixops/modules/websites/tools/tools/default.nix +++ b/nixops/modules/websites/tools/tools/default.nix @@ -46,14 +46,14 @@ in { security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null; security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null; - deployment.keys = + mySecrets.keys = kanboard.keys - // ldap.keys - // roundcubemail.keys - // shaarli.keys - // ttrss.keys - // wallabag.keys - // yourls.keys; + ++ ldap.keys + ++ roundcubemail.keys + ++ shaarli.keys + ++ ttrss.keys + ++ wallabag.keys + ++ yourls.keys; services.myWebsites.integration.modules = rainloop.apache.modules; diff --git a/nixops/modules/websites/tools/tools/kanboard.nix b/nixops/modules/websites/tools/tools/kanboard.nix index dd5b18f..37cb8cc 100644 --- a/nixops/modules/websites/tools/tools/kanboard.nix +++ b/nixops/modules/websites/tools/tools/kanboard.nix 
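Review bot: Switching the tools/default.nix aggregation from `//` to `++` changes what happens on a clash: with attribute sets a duplicate key name was resolved at evaluation time (last wins, visibly in one place), while with lists two entries sharing the same `dest` are both passed to `dumpKey` and appended to the tar, so the one extracted last silently wins and may carry different `user`/`permissions` than the one a module author expected. Nothing in this hunk or the secrets/default.nix hunks checks `dest` uniqueness; unless the option declaration (outside the diff) does, the secrets module should assert it, e.g. `assertions = [{ assertion = lib.unique (map (k: k.dest) keys) == map (k: k.dest) keys; message = "mySecrets.keys: duplicate dest"; }];`.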
@@ -10,8 +10,8 @@ rec { install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config ''; }; - keys.tools-kanboard = { - destDir = "/run/keys/webapps"; + keys = [{ + dest = "webapps/tools-kanboard"; user = apache.user; group = apache.group; permissions = "0400"; @@ -37,12 +37,12 @@ rec { define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu'); ?> ''; - }; + }]; webRoot = stdenv.mkDerivation (fetchedGithub ./kanboard.json // rec { dontBuild = true; installPhase = '' cp -a . $out - ln -s /run/keys/webapps/tools-kanboard $out/config.php + ln -s /var/secrets/webapps/tools-kanboard $out/config.php mv $out/data $out/dataold ln -s ${varDir}/data $out/data ''; @@ -71,8 +71,8 @@ rec { ''; }; phpFpm = rec { - serviceDeps = [ "postgresql.service" "openldap.service" "tools-kanboard-key.service" ]; - basedir = builtins.concatStringsSep ":" [ webRoot varDir "/run/keys/webapps/tools-kanboard" ]; + serviceDeps = [ "postgresql.service" "openldap.service" ]; + basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ]; socket = "/var/run/phpfpm/kanboard.sock"; pool = '' listen = ${socket} diff --git a/nixops/modules/websites/tools/tools/ldap.nix b/nixops/modules/websites/tools/tools/ldap.nix index 623adb5..7c26b61 100644 --- a/nixops/modules/websites/tools/tools/ldap.nix +++ b/nixops/modules/websites/tools/tools/ldap.nix @@ -1,7 +1,7 @@ { lib, php, env, writeText, stdenv, optipng, fetchurl }: rec { - keys.tools-ldap = { - destDir = "/run/keys/webapps"; + keys = [{ + dest = "webapps/tools-ldap"; user = apache.user; group = apache.group; permissions = "0400"; @@ -24,7 +24,7 @@ rec { $servers->setValue('login','attr','uid'); $servers->setValue('login','fallback_dn',true); ''; - }; + }]; webRoot = stdenv.mkDerivation rec { version = "1.2.3"; name = "phpldapadmin-${version}"; 
@@ -45,7 +45,7 @@ rec { ''; installPhase = '' cp -a . $out - ln -sf /run/keys/webapps/tools-ldap $out/config/config.php + ln -sf /var/secrets/webapps/tools-ldap $out/config/config.php ''; }; apache = rec { @@ -68,8 +68,8 @@ rec { ''; }; phpFpm = rec { - serviceDeps = [ "openldap.service" "tools-ldap-key.service" ]; - basedir = builtins.concatStringsSep ":" [ webRoot "/run/keys/webapps/tools-ldap" ]; + serviceDeps = [ "openldap.service" ]; + basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ]; socket = "/var/run/phpfpm/ldap.sock"; pool = '' listen = ${socket} diff --git a/nixops/modules/websites/tools/tools/roundcubemail.nix b/nixops/modules/websites/tools/tools/roundcubemail.nix index 5fc3412..9939b77 100644 --- a/nixops/modules/websites/tools/tools/roundcubemail.nix +++ b/nixops/modules/websites/tools/tools/roundcubemail.nix @@ -78,8 +78,8 @@ let install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions ''; }; - keys.tools-roundcube = { - destDir = "/run/keys/webapps"; + keys = [{ + dest = "webapps/tools-roundcube"; user = apache.user; group = apache.group; permissions = "0400"; @@ -136,7 +136,7 @@ let $config['temp_dir'] = '${varDir}/cache'; $config['mime_types'] = '${apacheHttpd}/conf/mime.types'; ''; - }; + }]; webRoot = stdenv.mkDerivation rec { version = "1.4-rc1"; name = "roundcubemail-${version}"; @@ -154,7 +154,7 @@ let ''; installPhase = '' cp -a . $out - ln -s /run/keys/webapps/tools-roundcube $out/config/config.inc.php + ln -s /var/secrets/webapps/tools-roundcube $out/config/config.inc.php ${builtins.concatStringsSep "\n" ( lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins )} 
@@ -184,9 +184,9 @@ let ''; }; phpFpm = rec { - serviceDeps = [ "postgresql.service" "tools-roundcube-key.service" ]; + serviceDeps = [ "postgresql.service" ]; basedir = builtins.concatStringsSep ":" ( - [ webRoot "/run/keys/webapps/tools-roundcube" varDir ] + [ webRoot "/var/secrets/webapps/tools-roundcube" varDir ] ++ lib.attrsets.mapAttrsToList (name: value: value) plugins ++ lib.attrsets.mapAttrsToList (name: value: value) skins); phpConfig = '' diff --git a/nixops/modules/websites/tools/tools/shaarli.nix b/nixops/modules/websites/tools/tools/shaarli.nix index 56658fd..19b27c2 100644 --- a/nixops/modules/websites/tools/tools/shaarli.nix +++ b/nixops/modules/websites/tools/tools/shaarli.nix @@ -49,7 +49,7 @@ in rec { vhostConf = '' Alias /Shaarli "${root}" - Include /run/keys/webapps/tools-shaarli + Include /var/secrets/webapps/tools-shaarli DirectoryIndex index.php index.htm index.html Options Indexes FollowSymLinks MultiViews Includes @@ -61,8 +61,8 @@ in rec { ''; }; - keys.tools-shaarli = { - destDir = "/run/keys/webapps"; + keys = [{ + dest = "webapps/tools-shaarli"; user = apache.user; group = apache.group; permissions = "0400"; @@ -73,7 +73,7 @@ in rec { SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}" SetEnv SHAARLI_LDAP_FILTER "${env.ldap.search}" ''; - }; + }]; phpFpm = rec { serviceDeps = [ "openldap.service" ]; basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; diff --git a/nixops/modules/websites/tools/tools/ttrss.nix b/nixops/modules/websites/tools/tools/ttrss.nix index 0fe94f9..e6cad56 100644 --- a/nixops/modules/websites/tools/tools/ttrss.nix +++ b/nixops/modules/websites/tools/tools/ttrss.nix @@ -52,8 +52,8 @@ let install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions ''; }; - keys.tools-ttrss = { - destDir = "/run/keys/webapps"; + keys = [{ + dest = "webapps/tools-ttrss"; user = apache.user; group = apache.group; permissions = "0400"; 
@@ -120,7 +120,7 @@ let define('LDAP_AUTH_LOG_ATTEMPTS', FALSE); define('LDAP_AUTH_DEBUG', FALSE); ''; - }; + }]; webRoot = stdenv.mkDerivation (fetchedGit ./tt-rss.json // rec { buildPhase = '' rm -rf lock feed-icons cache @@ -128,7 +128,7 @@ let ''; installPhase = '' cp -a . $out - ln -s /run/keys/webapps/tools-ttrss $out/config.php + ln -s /var/secrets/webapps/tools-ttrss $out/config.php ${builtins.concatStringsSep "\n" ( lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins )} @@ -155,9 +155,9 @@ let ''; }; phpFpm = rec { - serviceDeps = [ "postgresql.service" "openldap.service" "tools-ttrss-key.service" ]; + serviceDeps = [ "postgresql.service" "openldap.service" ]; basedir = builtins.concatStringsSep ":" ( - [ webRoot "/run/keys/webapps/tools-ttrss" varDir ] + [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ] ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); socket = "/var/run/phpfpm/ttrss.sock"; pool = '' diff --git a/nixops/modules/websites/tools/tools/wallabag.nix b/nixops/modules/websites/tools/tools/wallabag.nix index f145bf3..596b9bc 100644 --- a/nixops/modules/websites/tools/tools/wallabag.nix +++ b/nixops/modules/websites/tools/tools/wallabag.nix @@ -2,8 +2,8 @@ let wallabag = rec { varDir = "/var/lib/wallabag"; - keys.tools-wallabag = { - destDir = "/run/keys/webapps"; + keys = [{ + dest = "webapps/tools-wallabag"; user = apache.user; group = apache.group; permissions = "0400"; @@ -65,7 +65,7 @@ let class: Swift_SendmailTransport arguments: ['/run/wrappers/bin/sendmail -bs'] ''; - }; + }]; webappDir = composerEnv.buildPackage rec { packages = { "fr3d/ldap-bundle" = { 
@@ -110,7 +110,7 @@ let ''; postInstall = '' rm -rf web/assets var/{cache,logs,sessions} app/config/parameters.yml data - ln -sf /run/keys/webapps/tools-wallabag app/config/parameters.yml + ln -sf /var/secrets/webapps/tools-wallabag app/config/parameters.yml ln -sf ${varDir}/var/{cache,logs,sessions} var ln -sf ${varDir}/data data ln -sf ${varDir}/assets web/assets @@ -171,11 +171,11 @@ let /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction popd > /dev/null echo -n "${webappDir}" > ${varDir}/currentWebappDir - sha512sum /run/keys/webapps/tools-wallabag > ${varDir}/currentKey + sha512sum /var/secrets/webapps/tools-wallabag > ${varDir}/currentKey fi ''; - serviceDeps = [ "postgresql.service" "openldap.service" "tools-wallabag-key.service" ]; - basedir = builtins.concatStringsSep ":" [ webappDir "/run/keys/webapps/tools-wallabag" varDir ]; + serviceDeps = [ "postgresql.service" "openldap.service" ]; + basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ]; socket = "/var/run/phpfpm/wallabag.sock"; pool = '' listen = ${socket} diff --git a/nixops/modules/websites/tools/tools/yourls.nix b/nixops/modules/websites/tools/tools/yourls.nix index 390dabe..470fb7b 100644 --- a/nixops/modules/websites/tools/tools/yourls.nix +++ b/nixops/modules/websites/tools/tools/yourls.nix @@ -13,8 +13,8 @@ let activationScript = '' install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls ''; - keys.tools-yourls = { - destDir = "/run/keys/webapps"; + keys = [{ + dest = "webapps/tools-yourls"; user = apache.user; group = apache.group; permissions = "0400"; 
@@ -46,13 +46,13 @@ let define( 'LDAPAUTH_USERCACHE_TYPE', 0); ''; - }; + }]; webRoot = stdenv.mkDerivation (fetchedGithub ./yourls.json // rec { installPhase = '' mkdir -p $out cp -a */ *.php $out/ cp sample-robots.txt $out/robots.txt - ln -sf /run/keys/webapps/tools-yourls $out/includes/config.php + ln -sf /var/secrets/webapps/tools-yourls $out/includes/config.php ${builtins.concatStringsSep "\n" ( lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/user/plugins/${name}") plugins )} @@ -85,9 +85,9 @@ let ''; }; phpFpm = rec { - serviceDeps = [ "mysql.service" "openldap.service" "tools-yourls-key.service" ]; + serviceDeps = [ "mysql.service" "openldap.service" ]; basedir = builtins.concatStringsSep ":" ( - [ webRoot "/run/keys/webapps/tools-yourls" ] + [ webRoot "/var/secrets/webapps/tools-yourls" ] ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); socket = "/var/run/phpfpm/yourls.sock"; pool = '' -- 2.41.0