]> git.immae.eu Git - perso/Immae/Config/Nix.git/blobdiff - nixops/modules/websites/tools/tools/kanboard.nix
projects / perso / Immae / Config / Nix.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix secret permissions
[perso/Immae/Config/Nix.git] / nixops / modules / websites / tools / tools / kanboard.nix
diff --git a/nixops/modules/websites/tools/tools/kanboard.nix b/nixops/modules/websites/tools/tools/kanboard.nix
index 8408ffa56185f5dfe1747fada5be011971d69b71..dd5b18f7a0e4c49f276848a5736cf2445832b112 100644 (file)
--- a/nixops/modules/websites/tools/tools/kanboard.nix
+++ b/nixops/modules/websites/tools/tools/kanboard.nix
@@ -10,33 +10,39 @@ rec {
       install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config
     '';
   };
-  config = writeText "config.php" ''
-    <?php
-    define('MAIL_FROM', 'kanboard@tools.immae.eu');
+  keys.tools-kanboard = {
+    destDir = "/run/keys/webapps";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      <?php
+      define('MAIL_FROM', 'kanboard@tools.immae.eu');
 
-    define('DB_DRIVER', 'postgres');
-    define('DB_USERNAME', '${env.postgresql.user}');
-    define('DB_PASSWORD', '${env.postgresql.password}');
-    define('DB_HOSTNAME', '${env.postgresql.socket}');
-    define('DB_NAME', '${env.postgresql.database}');
+      define('DB_DRIVER', 'postgres');
+      define('DB_USERNAME', '${env.postgresql.user}');
+      define('DB_PASSWORD', '${env.postgresql.password}');
+      define('DB_HOSTNAME', '${env.postgresql.socket}');
+      define('DB_NAME', '${env.postgresql.database}');
 
-    define('LDAP_AUTH', true);
-    define('LDAP_SERVER', '${env.ldap.host}');
-    define('LDAP_START_TLS', true);
+      define('LDAP_AUTH', true);
+      define('LDAP_SERVER', '${env.ldap.host}');
+      define('LDAP_START_TLS', true);
 
-    define('LDAP_BIND_TYPE', 'proxy');
-    define('LDAP_USERNAME', '${env.ldap.dn}');
-    define('LDAP_PASSWORD', '${env.ldap.password}');
-    define('LDAP_USER_BASE_DN', '${env.ldap.base}');
-    define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
-    define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
-    ?>
-    '';
+      define('LDAP_BIND_TYPE', 'proxy');
+      define('LDAP_USERNAME', '${env.ldap.dn}');
+      define('LDAP_PASSWORD', '${env.ldap.password}');
+      define('LDAP_USER_BASE_DN', '${env.ldap.base}');
+      define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
+      define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
+      ?>
+      '';
+  };
   webRoot = stdenv.mkDerivation (fetchedGithub ./kanboard.json // rec {
     dontBuild = true;
     installPhase = ''
       cp -a . $out
-      ln -s ${config} $out/config.php
+      ln -s /run/keys/webapps/tools-kanboard $out/config.php
       mv $out/data $out/dataold
       ln -s ${varDir}/data $out/data
       '';
@@ -65,7 +71,8 @@ rec {
       '';
   };
   phpFpm = rec {
-    basedir = builtins.concatStringsSep ":" [ webRoot varDir config ];
+    serviceDeps = [ "postgresql.service" "openldap.service" "tools-kanboard-key.service" ];
+    basedir = builtins.concatStringsSep ":" [ webRoot varDir "/run/keys/webapps/tools-kanboard" ];
     socket = "/var/run/phpfpm/kanboard.sock";
     pool = ''
       listen = ${socket}
My infrastructure configuration