Fix secret permissions
index f986ec12e4a0a14a2b09a53339f7fa0c453a0d43..6059eb6b85fd64eb07ae1d59c0054b1be88c9d83 100644 (file)
@@ -1,9 +1,10 @@
-{ lib, writeText, fetchedGitPrivate, stdenv, composerEnv, fetchurl, fetchgit, python, nodejs, libsass, yarn2nix }:
+{ lib, writeText, fetchedGitPrivate, stdenv, runCommand, composerEnv, fetchurl, fetchgit, jq, python, nodejs, libsass, yarn2nixPackage }:
 let
   aten = { config }: rec {
     environment = config.environment;
     varDir = "/var/lib/aten_${environment}";
     phpFpm = rec {
+      serviceDeps = [ "postgresql.service" "${environment}-aten-key.service" ];
       socket = "/var/run/phpfpm/aten-${environment}.sock";
       pool = ''
         listen = ${socket}
@@ -29,6 +30,17 @@ let
         pm.max_spare_servers = 3
         ''}'';
     };
+    keys."${environment}-aten" = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0400";
+      text = ''
+        SetEnv APP_ENV      "${environment}"
+        SetEnv APP_SECRET   "${config.secret}"
+        SetEnv DATABASE_URL "${config.psql_url}"
+        '';
+    };
     apache = rec {
       user = "wwwrun";
       group = "wwwrun";
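Review bot: The key declared here is read by httpd through the `Include` in the vhost (next hunk), yet the only ordering on `${environment}-aten-key.service` visible in this diff is the phpFpm `serviceDeps` added in the first hunk, and php-fpm never opens this file. Unless the `apache` attrset, whose body continues past this hunk, also orders httpd after the key service, httpd can start before NixOps has delivered the key and fail config parsing on the missing include; if NixOps' usual key handling applies, that window also reopens after every reboot until keys are re-sent. The dependency belongs on the consumer: add `"${environment}-aten-key.service"` to whatever dependency list the apache block exposes, or at minimum mark the key with `# read by httpd via Include; httpd must order after the key service`.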
@@ -40,9 +52,7 @@ let
         SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
       </FilesMatch>
 
-      SetEnv APP_ENV      "${environment}"
-      SetEnv APP_SECRET   "${config.secret}"
-      SetEnv DATABASE_URL "${config.psql_url}"
+      Include /run/keys/webapps/${environment}-aten
 
       ${if environment == "dev" then ''
       <Location />
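Review bot: Swapping the three `SetEnv` lines for the `Include` keeps the secrets out of the generated httpd config from this generation on, but every earlier generation that embedded `APP_SECRET` and the database URL remains a world-readable store path until those generations are deleted and garbage-collected. Rotate `config.secret` and the database credential in `config.psql_url` once this is deployed and collect garbage on the host, rather than relying on the file move alone. The included file is mode 0400 owned by `wwwrun`; that works because httpd reads its configuration before dropping privileges, but a config test run as any other user will now fail on it, which is worth a one-line comment next to the `Include`.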
@@ -66,7 +76,7 @@ let
       </Location>
       ''}
 
-      <Directory ${if environment == "dev" then root else webRoot}>
+      <Directory ${root}>
         Options Indexes FollowSymLinks MultiViews Includes
         AllowOverride All
         Require all granted
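Review bot: `<Directory ${root}>` now applies `Options Indexes FollowSymLinks MultiViews Includes`, `AllowOverride All` and `Require all granted` to the whole application checkout in every environment, whereas before only `dev` got that and other environments scoped the block to `webRoot` (`${webappDir}/public`, per the last hunk). If DocumentRoot or an Alias in the surrounding vhost, which is outside this hunk, still resolves under `root`, directory listings and raw reads of the non-public parts of the checkout become reachable outside dev. Either keep the narrower scope, `<Directory ${if environment == "dev" then root else webRoot}>`, or state in a comment why the wider grant is intended for production.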
@@ -91,10 +101,15 @@ let
     };
     yarnModules = let
         info = fetchedGitPrivate ./aten.json;
+        packagejson = runCommand "package.json" { buildInputs = [ jq ]; } ''
+          cat ${info.src}/package.json | jq -r '.version = "v1.0.0"|.name="aten"' > $out
+          '';
       in
-        yarn2nix.mkYarnModules {
-          name = "aten-yarn-modules";
-          packageJSON = "${info.src}/package.json";
+        yarn2nixPackage.mkYarnModules rec {
+          name = "aten-yarn";
+          pname = name;
+          version = "v1.0.0";
+          packageJSON = packagejson;
           yarnLock = "${info.src}/yarn.lock";
           pkgConfig = {
             node-sass = {
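Review bot: The literal `"v1.0.0"` is written twice, once inside the jq filter and once as `version` in the `rec` attrset, so the two can drift silently the next time one is bumped. Hoist it into the `let` as `version = "v1.0.0";`, reference `${version}` from the filter, and drop the needless `cat`: `jq '.version = "${version}" | .name = "aten"' ${info.src}/package.json > $out`. The `packagejson` derivation has no comment explaining why the upstream package.json is rewritten; a line such as `# mkYarnModules needs a name/version pair the upstream package.json lacks` would save the next reader a guess (assuming that is the reason).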
@@ -102,7 +117,7 @@ let
               postInstall = let
                 nodeHeaders = fetchurl {
                   url = "https://nodejs.org/download/release/v${nodejs.version}/node-v${nodejs.version}-headers.tar.gz";
-                  sha256 = "12zzsf8my43b8qnlacp871ih5vqafl2vlpqp51xp6h3gckn2frwy";
+                  sha256 = "16f20ya3ys6w5w6y6l4536f7jrgk4gz46bf71w1r1xxb26a54m32";
                 };
               in
                 ''
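Review bot: The `sha256` for the node headers tarball changes while the `url` line is untouched, which is only expected if `nodejs.version` moved in the caller; nothing in this diff or its title says so. If the version did not change, the upstream artifact now differs from what was pinned and the new hash should be compared with the SHASUMS256.txt published for that release before it is trusted. A comment stating which node release the hash belongs to, e.g. `# node-v<NODEJS_VERSION>-headers.tar.gz` with the real version filled in, would make future bumps auditable.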
@@ -119,17 +134,14 @@ let
         preInstall = ''
           export SYMFONY_ENV="${environment}"
           export APP_ENV="${environment}"
-          export DATABASE_URL="${config.psql_url}"
-          export APP_SECRET="${config.secret}"
           '';
         postInstall = ''
-          cd $out
           ln -sf ${yarnModules}/node_modules .
           yarn run --offline encore production
           rm -rf var/{log,cache}
-          ln -sf ../../../../../../../${varDir}/{log,cache} var/
+          ln -sf ${varDir}/{log,cache} var/
           '';
-        buildInputs = [ yarnModules yarn2nix yarn2nix.yarn ];
+        buildInputs = [ yarnModules yarn2nixPackage.yarn ];
       });
     webRoot = "${webappDir}/public";
   };
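Review bot: Dropping `cd $out` leaves `rm -rf var/{log,cache}` and the two `ln -sf` lines dependent on whatever working directory composerEnv uses when it runs `postInstall`; if that is not guaranteed to be `$out`, the `rm -rf` acts on the wrong tree. Unless composerEnv documents that contract, keep an explicit `cd $out` as the first line of `postInstall`. Removing `DATABASE_URL` and `APP_SECRET` from `preInstall` is the right direction, since build-time environment is captured in the derivation, but any composer script that previously read them during the build now sees them unset, so the build should be confirmed to still complete without them.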