Fix secret permissions
index 4237af859532d874c5823576e73cd61786e85101..a8e741e85dcd3e88755218867be5e31f3ffb6f3d 100644 (file)
@@ -3,22 +3,32 @@ let
   tellesflorian = { config }: rec {
     environment = config.environment;
     varDir = "/var/lib/tellesflorian_${environment}";
-    configRoot =
-      writeText "parameters.yml" ''
+    keys."${environment}-tellesflorian" = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0400";
+      text = ''
         # This file is auto-generated during the composer install
         parameters:
-            database_host: db-1.immae.eu
-            database_port: null
+            database_host: ${config.mysql.host}
+            database_port: ${config.mysql.port}
             database_name: ${config.mysql.name}
             database_user: ${config.mysql.user}
             database_password: ${config.mysql.password}
             mailer_transport: smtp
-            mailer_host: mail.immae.eu
+            mailer_host: 127.0.0.1
             mailer_user: null
             mailer_password: null
             secret: ${config.secret}
       '';
+    };
     phpFpm = rec {
+      serviceDeps = [
+        "mysql.service"
+        "${environment}-tellesflorian-passwords-key.service"
+        "${environment}-tellesflorian-key.service"
+      ];
       socket = "/var/run/phpfpm/floriantelles-${environment}.sock";
       pool = ''
         listen = ${socket}
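Review bot: The runtime key location `/run/keys/webapps` and the key name `${environment}-tellesflorian` are spelled out by hand in `destDir` here and again in the open_basedir line, the AuthUserFile line and the postInstall symlink (hunks at -29, -62 and -143), so renaming the key or moving `destDir` silently breaks every consumer with no evaluation error. Binding them once in the `rec` block, e.g. `keysDir = "/run/keys/webapps";` and `configFile = "${keysDir}/${environment}-tellesflorian";`, and interpolating those names everywhere keeps the NixOps key and its readers in step. Separately, `database_port: ${config.mysql.port}` now interpolates the port where the old text had `null`; if `config.mysql.port` is an integer rather than a string this fails to evaluate, so `${toString config.mysql.port}` is the safer form. The enclosing `tellesflorian` function continues outside the hunk.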
@@ -29,7 +39,7 @@ let
         php_admin_value[upload_max_filesize] = 20M
         php_admin_value[post_max_size] = 20M
         ;php_admin_flag[log_errors] = on
-        php_admin_value[open_basedir] = "${configRoot}:${webappDir}:${varDir}:/tmp"
+        php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-tellesflorian:${webappDir}:${varDir}:/tmp"
         php_admin_value[session.save_path] = "${varDir}/phpSessions"
         ${if environment == "dev" then ''
         pm = ondemand
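Review bot: The new open_basedir entry `/run/keys/webapps/${environment}-tellesflorian` is a prefix match, not a file match: PHP treats each open_basedir entry as a path prefix unless it ends with a slash, so this entry also admits `/run/keys/webapps/${environment}-tellesflorian-passwords`, the htpasswd key added in the same commit. If the pool runs as `apache.user` (its `user` line is outside the hunk), PHP code in this pool can read the invite password file, which the old store path did not expose, so the defence-in-depth the restriction is meant to give is weaker than it looks. Giving the parameters key its own directory, e.g. `destDir = "/run/keys/webapps/${environment}-tellesflorian/";` with a matching trailing-slash entry in open_basedir, confines the pool to that one file. The pool definition continues outside the hunk.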
@@ -44,13 +54,21 @@ let
         pm.max_spare_servers = 3
         ''}'';
     };
-    passwords = writeText "tellesflorian_passwords" ''
-      invite:${config.invite_passwords}
+    keys."${environment}-tellesflorian-passwords" = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0400";
+      text = ''
+        invite:${config.invite_passwords}
       '';
-    apache = {
+    };
+    apache = rec {
       user = "wwwrun";
       group = "wwwrun";
       modules = [ "proxy_fcgi" ];
+      webappName = "florian_${environment}";
+      root = "/run/current-system/webapps/${webappName}";
       vhostConf = ''
       <FilesMatch "\.php$">
         SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
@@ -62,13 +80,13 @@ let
         Use LDAPConnect
         Require ldap-group   cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu
 
-        AuthUserFile "${passwords}"
+        AuthUserFile "/run/keys/webapps/${environment}-tellesflorian-passwords"
         Require user "invite"
 
         ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>"
       </Location>
 
-      <Directory ${webRoot}>
+      <Directory ${root}>
         Options Indexes FollowSymLinks MultiViews Includes
         AllowOverride None
         Require all granted
@@ -109,7 +127,7 @@ let
 
       </Directory>
       '' else ''
-      <Directory ${webRoot}>
+      <Directory ${root}>
         Options Indexes FollowSymLinks MultiViews Includes
         AllowOverride All
         Require all granted
@@ -143,9 +161,9 @@ let
         postInstall = ''
           cd $out
           rm app/config/parameters.yml
-          ln -sf ${configRoot} app/config/parameters.yml
+          ln -sf /run/keys/webapps/${environment}-tellesflorian app/config/parameters.yml
           rm -rf var/{logs,cache}
-          ln -sf ../../../../../../${varDir}/var/{logs,cache,sessions} var/
+          ln -sf ${varDir}/var/{logs,cache,sessions} var/
           '';
       });
     webRoot = "${webappDir}/web";