Fix secret permissions
[perso/Immae/Config/Nix.git] / nixops / modules / websites / tools / tools / shaarli.nix
index 0f6b4605de1d595d8d3d9f6acb8b0a4d45ad1aac..56658fd482dc5fe07837fcc8ede9b4849312de42 100644 (file)
@@ -49,13 +49,8 @@ in rec {
     vhostConf = ''
       Alias /Shaarli "${root}"
 
+      Include /run/keys/webapps/tools-shaarli
       <Directory "${root}">
-        SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
-        SetEnv SHAARLI_LDAP_DN       "${env.ldap.dn}"
-        SetEnv SHAARLI_LDAP_HOST     "ldaps://${env.ldap.host}"
-        SetEnv SHAARLI_LDAP_BASE     "${env.ldap.base}"
-        SetEnv SHAARLI_LDAP_FILTER   "${env.ldap.search}"
-
         DirectoryIndex index.php index.htm index.html
         Options Indexes FollowSymLinks MultiViews Includes
         AllowOverride All
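Review bot: The `Include /run/keys/webapps/tools-shaarli` line sits above `<Directory "${root}">`, so the five `SetEnv SHAARLI_LDAP_*` directives it pulls in now apply at the enclosing scope, not only to requests under the Shaarli root as the removed lines did. If this `vhostConf` is merged into a virtual host shared with other tools (the file path suggests so, but the hunk does not show it), every handler in that vhost would receive the LDAP bind password in its environment. `Include` is allowed in directory context, so moving the line one line down, inside the `<Directory "${root}">` block, keeps the original scoping. The Directory block closes outside this hunk.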
@@ -66,7 +61,21 @@ in rec {
       </Directory>
       '';
   };
+  keys.tools-shaarli = {
+    destDir = "/run/keys/webapps";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
+      SetEnv SHAARLI_LDAP_DN       "${env.ldap.dn}"
+      SetEnv SHAARLI_LDAP_HOST     "ldaps://${env.ldap.host}"
+      SetEnv SHAARLI_LDAP_BASE     "${env.ldap.base}"
+      SetEnv SHAARLI_LDAP_FILTER   "${env.ldap.search}"
+      '';
+  };
   phpFpm = rec {
+    serviceDeps = [ "openldap.service" ];
     basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
     socket = "/var/run/phpfpm/shaarli.sock";
     pool = ''
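Review bot: `user = apache.user` with `permissions = "0400"` on `keys.tools-shaarli` leaves the LDAP bind password readable by anything that runs as the web server account, including other applications served by the same httpd. If httpd parses its configuration as root before dropping privileges (not visible here, so confirm for this deployment), the file only needs to be readable by root, e.g. `user = "root"; group = "root";`. Separately, the vhost will now fail to load if `/run/keys/webapps/tools-shaarli` is missing when httpd starts, and the only ordering added in this hunk is `serviceDeps = [ "openldap.service" ]` on phpFpm; it is worth checking that httpd is ordered after the key is written. The `phpFpm` set continues past the end of the hunk.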