Move csp report credentials out of the store
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Fri, 29 Jan 2021 23:41:57 +0000 (00:41 +0100)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Fri, 29 Jan 2021 23:41:57 +0000 (00:41 +0100)
modules/private/websites/tools/tools/csp_reports.nix [new file with mode: 0644]
modules/private/websites/tools/tools/default.nix
nixops/secrets

diff --git a/modules/private/websites/tools/tools/csp_reports.nix b/modules/private/websites/tools/tools/csp_reports.nix
new file mode 100644 (file)
index 0000000..4660251
--- /dev/null
@@ -0,0 +1,12 @@
+{ env }:
+rec {
+  keys = [{
+    dest = "webapps/tools-csp-reports.conf";
+    user = "wwwrun";
+    group = "wwwrun";
+    permissions = "0400";
+    text = with env.postgresql; ''
+      env[CSP_REPORT_URI] = "host=${socket} dbname=${database} user=${user} password=${password}"
+    '';
+  }];
+}
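Review bot: The `env[CSP_REPORT_URI]` line interpolates `${password}` and the other fields unquoted into what looks like a libpq connection string, which is itself wrapped in double quotes for php-fpm. A password containing whitespace, a double quote or a backslash would truncate the value or break parsing of the included file, presumably when the pool starts. Consider single-quoting the field as libpq allows, `password='${password}'`. A comment above `keys` should also state that the secret must not contain `'`, `"` or `\` unless it is escaped. As a style point, `rec` on the attribute set is unused here, since nothing inside refers to `keys`.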
index 1e30eed4affaf0770ba0d6d91d5054106c93509e..7903ca55984a51d997d773510e30dbe154796e33 100644 (file)
@@ -55,6 +55,9 @@ let
   dmarc-reports = pkgs.callPackage ./dmarc_reports.nix {
     env = config.myEnv.tools.dmarc_reports;
   };
+  csp-reports = pkgs.callPackage ./csp_reports.nix {
+    env = config.myEnv.tools.csp_reports;
+  };
 
   landing = pkgs.callPackage ./landing.nix {};
 
@@ -74,6 +77,7 @@ in {
       ++ wallabag.keys
       ++ yourls.keys
       ++ dmarc-reports.keys
+      ++ csp-reports.keys
       ++ webhooks.keys;
 
     services.duplyBackup.profiles = {
@@ -302,11 +306,10 @@ in {
             "/run/wrappers/bin/sendmail" landing "/tmp"
             "${config.secrets.location}/webapps/webhooks"
           ];
+          "include" = "${config.secrets.location}/webapps/tools-csp-reports.conf";
         };
         phpEnv = {
           CONTACT_EMAIL = config.myEnv.tools.contact;
-          CSP_REPORT_URI = with config.myEnv.tools.csp_reports.postgresql;
-            "\"host=${socket} dbname=${database} user=${user} password=${password}\"";
         };
         phpPackage = pkgs.php72;
       };
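Review bot: Removing `CSP_REPORT_URI` from `phpEnv` stops new builds from embedding the password, but the value written by earlier generations presumably remains in world-readable store paths until those generations are deleted and garbage-collected. The database password should be rotated as part of this change, because moving the file does not revoke what was already exposed. Separately, the new `"include"` line makes the pool config depend on `${config.secrets.location}/webapps/tools-csp-reports.conf` existing when php-fpm starts. The hunk shows no ordering against the secrets deployment, so a comment such as `# requires secrets to be deployed before php-fpm starts` next to the include would help. The enclosing attribute set starts and ends outside the hunk.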
index 1b3be53dd5e79ba1af9207aff17486a0558a40a5..d3e1cb5463246bbf7b42a0fc3bf542d24c4597b8 160000 (submodule)
@@ -1 +1 @@
-Subproject commit 1b3be53dd5e79ba1af9207aff17486a0558a40a5
+Subproject commit d3e1cb5463246bbf7b42a0fc3bf542d24c4597b8