Move etherpad and mediagoblin keys to secure location
index c4a9932556bbc3b51c19682d0e237e0a1d038ed8..6d845ac464275c80b10b3183d3b8f947372e0117 100644 (file)
@@ -12,11 +12,12 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    deployment.keys = etherpad.keys;
     systemd.services.etherpad-lite = {
       description = "Etherpad-lite";
       wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" "postgresql.service" ];
-      wants = [ "postgresql.service" ];
+      after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" ];
+      wants = [ "postgresql.service" "tools-etherpad-key.service" ];
 
       environment.NODE_ENV = "production";
       environment.HOME = etherpad.webappDir;
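Review bot: The unit name `tools-etherpad-key.service` on the `after`/`wants` lines is a hard-coded string that must agree with the attribute name inside `etherpad.keys` (assigned one line above but defined outside this hunk) and with the `/run/keys/webapps/tools-etherpad` path used later in the service; if the key is ever renamed, the service silently loses its ordering on the key and starts before the settings file exists. Deriving the unit names from the key set keeps them in sync, e.g. `after = [ "network.target" "postgresql.service" ] ++ map (n: "${n}-key.service") (builtins.attrNames etherpad.keys);` and the same expression for `wants`. Note that `wants` (as opposed to `requires`) lets the service start even if the key unit fails, so a missing key then surfaces only as a node startup error rather than a dependency failure. The enclosing `config = lib.mkIf cfg.enable` attribute set continues past the end of this hunk.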
@@ -25,13 +26,14 @@ in {
 
       script = ''
         exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
-          --settings ${etherpad.config}
+          --settings /run/keys/webapps/tools-etherpad
       '';
 
       serviceConfig = {
         DynamicUser = true;
         User = "etherpad-lite";
         Group = "etherpad-lite";
+        SupplementaryGroups = "keys";
         WorkingDirectory = etherpad.webappDir;
         PrivateTmp = true;
         NoNewPrivileges = true;
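Review bot: `SupplementaryGroups = "keys"` gives this DynamicUser read access to every file under `/run/keys` that is deployed with group `keys`, not only to its own settings file, which is broader than the service needs. Since a later hunk appears to chown `/run/keys/webapps/tools-etherpad` to `etherpad-lite` before start, the group membership looks redundant once ownership is fixed up; if it is kept only so the service can traverse `/run/keys/webapps`, a comment stating that (e.g. `# needed to traverse /run/keys; the key file itself is chowned in ExecStartPre`) would prevent a future reviewer from widening it further. I cannot see how `etherpad.keys` sets `user`/`group`/`permissions` for the key, so please confirm the file is not world- or group-readable beyond this service. The `serviceConfig` attribute set continues past the end of this hunk.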
@@ -42,6 +44,7 @@ in {
         Restart = "always";
         Type = "simple";
         TimeoutSec = 60;
+        ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad";
       };
     };