Use attrs for secrets instead of lists
[perso/Immae/Config/Nix.git] / modules / private / websites / tools / tools / default.nix
index 1e30eed4affaf0770ba0d6d91d5054106c93509e..1f499fbb76abd2b9e2cb08e615bbd258b7d31f99 100644 (file)
@@ -1,5 +1,7 @@
 { lib, pkgs, config, ... }:
 let
+  flakeCompat = import ../../../../../lib/flake-compat.nix;
+
   adminer = pkgs.callPackage ./adminer.nix {
     inherit (pkgs.webapps) adminer;
   };
@@ -10,8 +12,10 @@ let
     inherit (pkgs.webapps) ttrss ttrss-plugins;
     env = config.myEnv.tools.ttrss;
     php = pkgs.php72;
+    inherit config;
   };
   kanboard = pkgs.callPackage ./kanboard.nix  {
+    inherit config;
     env = config.myEnv.tools.kanboard;
   };
   wallabag = pkgs.callPackage ./wallabag.nix {
@@ -21,10 +25,12 @@ let
       };
     };
     env = config.myEnv.tools.wallabag;
+    inherit config;
   };
   yourls = pkgs.callPackage ./yourls.nix {
     inherit (pkgs.webapps) yourls yourls-plugins;
     env = config.myEnv.tools.yourls;
+    inherit config;
   };
   rompr = pkgs.callPackage ./rompr.nix {
     inherit (pkgs.webapps) rompr;
@@ -32,6 +38,7 @@ let
   };
   shaarli = pkgs.callPackage ./shaarli.nix {
     env = config.myEnv.tools.shaarli;
+    inherit config;
   };
   dokuwiki = pkgs.callPackage ./dokuwiki.nix {
     inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
@@ -39,6 +46,7 @@ let
   ldap = pkgs.callPackage ./ldap.nix {
     inherit (pkgs.webapps) phpldapadmin;
     env = config.myEnv.tools.phpldapadmin;
+    inherit config;
   };
   grocy = pkgs.callPackage ./grocy.nix {
     grocy = pkgs.webapps.grocy.override { composerEnv = pkgs.composerEnv.override { php = pkgs.php72; }; };
@@ -54,6 +62,10 @@ let
   };
   dmarc-reports = pkgs.callPackage ./dmarc_reports.nix {
     env = config.myEnv.tools.dmarc_reports;
+    inherit config;
+  };
+  csp-reports = pkgs.callPackage ./csp_reports.nix {
+    env = config.myEnv.tools.csp_reports;
   };
 
   landing = pkgs.callPackage ./landing.nix {};
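Review bot: `csp-reports` is called without `inherit config;`, although its `.keys` are merged into `secrets.keys` further down and every other package touched here that contributes keys receives `config`. As far as I can tell, `callPackage` fills missing arguments from the package set, so if `csp_reports.nix` ever takes a `config` argument it would receive `pkgs.config` (the nixpkgs configuration) rather than the NixOS module configuration. Either pass `inherit config;` for consistency, or add a comment such as `# csp_reports.nix does not read module config, so config is deliberately not passed`.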
@@ -61,6 +73,9 @@ let
   cfg = config.myServices.websites.tools.tools;
   pcfg = config.services.phpfpm.pools;
 in {
+  imports =
+    builtins.attrValues (flakeCompat ../../../../../flakes/private/paste).nixosModules;
+
   options.myServices.websites.tools.tools = {
     enable = lib.mkEnableOption "enable tools website";
   };
@@ -68,13 +83,14 @@ in {
   config = lib.mkIf cfg.enable {
     secrets.keys =
       kanboard.keys
-      ++ ldap.keys
-      ++ shaarli.keys
-      ++ ttrss.keys
-      ++ wallabag.keys
-      ++ yourls.keys
-      ++ dmarc-reports.keys
-      ++ webhooks.keys;
+      // ldap.keys
+      // shaarli.keys
+      // ttrss.keys
+      // wallabag.keys
+      // yourls.keys
+      // dmarc-reports.keys
+      // csp-reports.keys
+      // webhooks.keys;
 
     services.duplyBackup.profiles = {
       dokuwiki = dokuwiki.backups;
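Review bot: Joining the per-application key sets with `//` lets a later set silently replace an earlier one whenever two applications use the same secret name, whereas the old `++` concatenation kept both entries. For secrets, a collision would mean one application's file is written with another's definition and evaluation would not report it. If `secrets.keys` is declared as a mergeable attribute-set option (its type is not visible here), `secrets.keys = lib.mkMerge [ kanboard.keys ldap.keys ... webhooks.keys ];` would let the module system flag conflicting definitions. Otherwise a comment above the merge, for example `# key names are secret paths and must be unique across applications: // keeps only the right-hand definition`, would record the constraint.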
@@ -110,6 +126,7 @@ in {
       root         = "/var/lib/ftp/devtools.immae.eu";
       extraConfig  = [
         ''
+          Use Apaxy "/var/lib/ftp/devtools.immae.eu" "title"
           Timeout 600
           ProxyTimeout 600
           Header always set Content-Security-Policy-Report-Only "${config.myEnv.tools.csp_reports.policies.inline}"
@@ -160,13 +177,16 @@ in {
         (phpbb.apache.vhostConf pcfg.phpbb.socket)
         (dmarc-reports.apache.vhostConf pcfg.dmarc-reports.socket)
         ''
-          Alias /paste /var/lib/fiche
-          <Directory "/var/lib/fiche">
-            DirectoryIndex index.txt index.html
-            AllowOverride None
-            Require all granted
-            Options -Indexes
-          </Directory>
+          <Location "/paste/">
+            ProxyPass unix://${config.services.paste.sockets.gunicorn}|http://tools.immae.eu/paste/
+            ProxyPassReverse unix://${config.services.paste.sockets.gunicorn}|http://tools.immae.eu/paste/
+            ProxyPreserveHost on
+          </Location>
+          <Location "/paste">
+            ProxyPass unix://${config.services.paste.sockets.gunicorn}|http://tools.immae.eu/paste/
+            ProxyPassReverse unix://${config.services.paste.sockets.gunicorn}|http://tools.immae.eu/paste/
+            ProxyPreserveHost on
+          </Location>
 
           Alias /BIP39 /var/lib/buildbot/outputs/immae/bip39
           <Directory "/var/lib/buildbot/outputs/immae/bip39">
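Review bot: The two `<Location>` blocks differ only in the trailing slash, and nothing says which requests each one is meant to catch; a one-line comment above them would stop a later cleanup from dropping one. With `ProxyPreserveHost on` the backend receives the client-supplied `Host` header, so the paste application should not build links or redirects from it unless this vhost only answers for its own names, which cannot be confirmed from the hunk. The removed `<Directory>` block served static files with `Options -Indexes` and `AllowOverride None`; access control for `/paste` now lives in the paste service and in the permissions on the gunicorn socket, both defined outside this file. The enclosing vhost string starts and ends outside the hunk.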
@@ -175,8 +195,8 @@ in {
             Require all granted
           </Directory>
 
-          Alias /webhooks ${config.secrets.location}/webapps/webhooks
-          <Directory "${config.secrets.location}/webapps/webhooks">
+          Alias /webhooks ${config.secrets.fullPaths."webapps/webhooks"}
+          <Directory "${config.secrets.fullPaths."webapps/webhooks"}">
             Options -Indexes
             Require all granted
             AllowOverride None
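Review bot: `/webhooks` is still aliased straight onto a directory in the secrets store with `Require all granted`, so confidentiality depends on every file there being run by the PHP handler rather than returned as content. The handler configuration is outside the hunk, so this may already be covered, but a file without the expected extension would presumably be served verbatim. A comment on the `<Directory>` block stating that assumption, for example `# every file here must be handled by php-fpm; anything else would be served as plain text`, would make the constraint visible. Restricting the block to PHP files would enforce it.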
@@ -258,7 +278,7 @@ in {
         description = "Standalone MPD Web GUI written in C";
         wantedBy = [ "multi-user.target" ];
         script = ''
-          export MPD_PASSWORD=$(cat /var/secrets/mpd)
+          export MPD_PASSWORD=$(cat ${config.secrets.fullPaths."mpd"})
           ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
           '';
       };
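Review bot: In `export MPD_PASSWORD=$(cat ...)` the exit status of `cat` is replaced by that of `export`, so a missing or unreadable secret file does not stop the script even under `set -e`, and ympd starts with an empty password. Splitting the line into `MPD_PASSWORD=$(cat ${config.secrets.fullPaths."mpd"})` followed by `export MPD_PASSWORD` makes the unit fail instead, provided the generated script runs with `-e`, as NixOS unit scripts normally do. The service definition continues outside the hunk.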
@@ -280,7 +300,7 @@ in {
 
     services.filesWatcher.ympd = {
       restart = true;
-      paths = [ "/var/secrets/mpd" ];
+      paths = [ config.secrets.fullPaths."mpd" ];
     };
 
     services.phpfpm.pools = {
@@ -300,13 +320,12 @@ in {
           "php_value[session.name]" = "ToolsPHPSESSID";
           "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [
             "/run/wrappers/bin/sendmail" landing "/tmp"
-            "${config.secrets.location}/webapps/webhooks"
+            config.secrets.fullPaths."webapps/webhooks"
           ];
+          "include" = config.secrets.fullPaths."webapps/tools-csp-reports.conf";
         };
         phpEnv = {
           CONTACT_EMAIL = config.myEnv.tools.contact;
-          CSP_REPORT_URI = with config.myEnv.tools.csp_reports.postgresql;
-            "\"host=${socket} dbname=${database} user=${user} password=${password}\"";
         };
         phpPackage = pkgs.php72;
       };
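Review bot: The pool now reads `webapps/tools-csp-reports.conf` through `"include"`, but no watcher visible in this diff restarts the pool when that file changes, so a rotated database password would presumably stay stale until the next manual restart. The ympd and phpfpm-wallabag units each have a `services.filesWatcher` entry for their secret file; a matching entry for this one would close the gap if none exists outside the hunk. A comment on the `"include"` line saying what the file supplies would also help, since it is presumably the `CSP_REPORT_URI` value removed from `phpEnv` just below.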
@@ -426,19 +445,13 @@ in {
     };
 
     services.websites.env.tools.watchPaths = [
-      "/var/secrets/webapps/tools-shaarli"
+      config.secrets.fullPaths."webapps/tools-shaarli"
     ];
     services.filesWatcher.phpfpm-wallabag = {
       restart = true;
-      paths = [ "/var/secrets/webapps/tools-wallabag" ];
+      paths = [ config.secrets.fullPaths."webapps/tools-wallabag" ];
     };
 
-    services.fiche = {
-      enable = true;
-      port = config.myEnv.ports.fiche;
-      domain = "tools.immae.eu/paste";
-      https = true;
-    };
   };
 }