Fix secret permissions
index 798ebe6707d22a4b6245a8b3e0815710d3e7f77e..c7af9dab808f9107737316a369c83dfe16e1e764 100644 (file)
@@ -1,29 +1,49 @@
 { env, fetchedGithub, stdenv, defaultGemConfig, writeText, bundlerEnv, ruby_2_4, pkgs, cacert }:
 let
-  gems = bundlerEnv {
-    name = "diaspora-env";
-    ruby = ruby_2_4;
-    gemdir = ./.;
-    gemConfig = defaultGemConfig // {
-      kostya-sigar = attrs: {
-        buildInputs = with pkgs; [ pkgs.perl ];
-      };
-    };
-  };
   varDir = "/var/lib/diaspora_immae";
   socketsDir = "/run/diaspora";
   diaspora = stdenv.mkDerivation (fetchedGithub ./diaspora.json // rec {
     buildPhase = ''
       patch -p1 < ${./ldap.patch}
+      # FIXME: bundlerEnv below doesn't take postgresql group for some
+      # reason
+      echo 'gem "pg",     "1.1.3"' >> Gemfile
     '';
     installPhase = ''
       cp -a . $out
     '';
   });
-  secret_token = writeText "secret_token.rb" ''
-    Diaspora::Application.config.secret_key_base = '${env.secret_token}'
+  gems = bundlerEnv {
+    name = "diaspora-env";
+    # https://git.immae.eu/mantisbt/view.php?id=131
+    ruby = ruby_2_4.overrideAttrs(old: {
+      postInstall = builtins.replaceStrings [" --destdir $GEM_HOME"] [""] old.postInstall;
+    });
+    gemfile = "${diaspora}/Gemfile";
+    lockfile = "${diaspora}/Gemfile.lock";
+    gemset = ./gemset.nix;
+    groups = [ "postgresql" "default" "production" ];
+    gemConfig = defaultGemConfig // {
+      kostya-sigar = attrs: {
+        buildInputs = [ pkgs.perl ];
+      };
+    };
+  };
+  keys.tools-diaspora-secret_token = {
+    destDir = "/run/keys/webapps";
+    user = "diaspora";
+    group = "diaspora";
+    permissions = "0400";
+    text = ''
+      Diaspora::Application.config.secret_key_base = '${env.secret_token}'
     '';
-  config = writeText "diaspora.yml" ''
+  };
+  keys.tools-diaspora-config = {
+    destDir = "/run/keys/webapps";
+    user = "diaspora";
+    group = "diaspora";
+    permissions = "0400";
+    text = ''
       configuration:
         environment:
           url: "https://diaspora.immae.eu/"
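Review bot: The three `keys.tools-diaspora-*` attributes repeat the same `destDir`/`user`/`group`/`permissions = "0400"` quadruple by hand, so a later key added for this service can silently drift (for instance to a group-readable mode) without anything flagging it; factoring the common part into a small helper keeps the 0400/diaspora policy in one place. The `text` of each key is the only thing that differs, so the helper only needs that argument. Note also that nixops guarantees `/run/keys` itself, but I could not tell from this hunk whether `/run/keys/webapps` is created with restrictive permissions — worth confirming, since the file modes here assume the parent directory is not browsable by other users. The `let` binding continues past this hunk.
```nix
  # All diaspora secrets share one deployment policy: owned by the service
  # user, mode 0400, dropped under /run/keys (tmpfs, never in the Nix store).
  mkDiasporaKey = text: {
    destDir = "/run/keys/webapps";
    user = "diaspora";
    group = "diaspora";
    permissions = "0400";
    inherit text;
  };
  keys.tools-diaspora-secret_token = mkDiasporaKey ''
    Diaspora::Application.config.secret_key_base = '${env.secret_token}'
  '';
  # … unchanged: tools-diaspora-config and tools-diaspora-database_config, each wrapped the same way …
```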
@@ -68,14 +88,14 @@ let
           wordpress:
         mail:
           enable: true
-          sender_address: 'diaspora@immae.eu'
-          method: 'smtp'
+          sender_address: 'diaspora@tools.immae.eu'
+          method: 'sendmail'
           smtp:
-            host: 'mail.immae.eu'
           sendmail:
+            location: '/run/wrappers/bin/sendmail'
         admins:
           account: "ismael"
-          podmin_email: 'diaspora@immae.eu'
+          podmin_email: 'diaspora@tools.immae.eu'
         relay:
           outbound:
           inbound:
@@ -96,12 +116,18 @@ let
       development:
         environment:
     '';
-  database_config = writeText "database.yml" ''
+  };
+  keys.tools-diaspora-database_config = {
+    destDir = "/run/keys/webapps";
+    user = "diaspora";
+    group = "diaspora";
+    permissions = "0400";
+    text = ''
       postgresql: &postgresql
         adapter: postgresql
-        host: db-1.immae.eu
-        port: 5432
-        username: "diaspora"
+        host: "${env.postgresql.socket}"
+        port: "${env.postgresql.port}"
+        username: "${env.postgresql.user}"
         password: "${env.postgresql.password}"
         encoding: unicode
       common: &common
@@ -113,7 +139,7 @@ let
         database: diaspora_development
       production:
         <<: *combined
-        database: diaspora
+        database: ${env.postgresql.database}
       test:
         <<: *combined
         database: "diaspora_test"
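Review bot: `database: ${env.postgresql.database}` is the only interpolated value in this file left unquoted in the YAML, while `host`, `port`, `username` and `password` in the previous hunk are all quoted; a database name containing a YAML-significant character (`:`, `#`, leading `*`) would then be parsed as something else or fail to load. For consistency and safety write it as `database: "${env.postgresql.database}"`. The enclosing `text` string starts and ends outside this hunk.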
@@ -124,31 +150,35 @@ let
         <<: *combined
         database: diaspora_integration2
     '';
-
+  };
     railsRoot = stdenv.mkDerivation {
       name = "diaspora_immae";
       inherit diaspora;
+      # FIXME: build machine will contain some passwords in the nix store
       builder = writeText "build_diaspora_immae" ''
         source $stdenv/setup
         cp -a $diaspora $out
         cd $out
         chmod -R u+rwX .
         tar -czf public/source.tar.gz ./{app,db,lib,script,Gemfile,Gemfile.lock,Rakefile,config.ru}
-        ln -s ${database_config} config/database.yml
-        ln -s ${config} config/diaspora.yml
-        ln -s ${secret_token} config/initializers/secret_token.rb
-        ln -sf ../../../../../../${varDir}/schedule.yml config/schedule.yml
-        ln -sf ../../../../../../${varDir}/oidc_key.pem config/oidc_key.pem
-        ln -sf ../../../../../../${varDir}/uploads public/uploads
+        ln -s ${writeText "database.yml" keys.tools-diaspora-database_config.text} config/database.yml
+        ln -s ${writeText "diaspora.yml" keys.tools-diaspora-config.text} config/diaspora.yml
+        ln -s ${writeText "secret_token.rb" keys.tools-diaspora-secret_token.text} config/initializers/secret_token.rb
+        ln -sf ${varDir}/schedule.yml config/schedule.yml
+        ln -sf ${varDir}/oidc_key.pem config/oidc_key.pem
+        ln -sf ${varDir}/uploads public/uploads
         RAILS_ENV=production ${gems}/bin/rake assets:precompile
+        ln -sf /run/keys/webapps/tools-diaspora-database_config config/database.yml
+        ln -sf /run/keys/webapps/tools-diaspora-config config/diaspora.yml
+        ln -sf /run/keys/webapps/tools-diaspora-secret_token config/initializers/secret_token.rb
         rm -rf tmp log
-        ln -sf ../../../../../${varDir}/tmp tmp
-        ln -sf ../../../../../${varDir}/log log
+        ln -sf ${varDir}/tmp tmp
+        ln -sf ${varDir}/log log
         '';
       propagatedBuildInputs = [ gems pkgs.nodejs pkgs.which pkgs.git ];
     };
 in
   {
-    inherit railsRoot varDir socketsDir gems;
+    inherit railsRoot varDir socketsDir gems keys;
     railsSocket = "${socketsDir}/diaspora.sock";
   }
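Review bot: The `ln -s ${writeText "database.yml" keys.tools-diaspora-database_config.text}` and the sibling `secret_token.rb` line write the real database password and `secret_key_base` into world-readable `/nix/store` paths on the build machine, which is exactly what the FIXME above acknowledges; the commit's title is "Fix secret permissions", but this path still leaks them to anyone with a shell on the builder and to any binary cache the store is pushed to. Since these files are only needed so that `rake assets:precompile` can boot the app, and are replaced by the `/run/keys/webapps/...` links right afterwards, placeholder values should be enough there — I believe Rails only needs *some* `secret_key_base` and a parseable `database.yml` at precompile time, but that needs a test run. `diaspora.yml` deserves the same treatment if the elided part of it carries credentials (it is deployed as a 0400 key, which suggests it might). Separately, the final symlinks point at files that only exist once nixops has uploaded the keys, so the service unit (outside this file) should depend on the corresponding `*-key.service` units or the app will fail on first boot.
```nix
        # Placeholders for assets:precompile only: the real files are linked
        # from /run/keys below, so no credential ever enters the Nix store.
        ln -s ${writeText "database.yml" ''
          production:
            adapter: postgresql
            database: diaspora
            encoding: unicode
        ''} config/database.yml
        ln -s ${writeText "diaspora.yml" keys.tools-diaspora-config.text} config/diaspora.yml
        ln -s ${writeText "secret_token.rb" ''
          Diaspora::Application.config.secret_key_base = 'precompile-placeholder-not-a-secret'
        ''} config/initializers/secret_token.rb
        # … unchanged: schedule.yml / oidc_key.pem / uploads links, assets:precompile, /run/keys relinking …
```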