};
config = lib.mkIf cfg.enable {
- deployment.keys.tools-taskwarrior-web = {
- destDir = "/run/keys/webapps";
+ mySecrets.keys = [{
+ dest = "webapps/tools-taskwarrior-web";
user = "wwwrun";
group = "wwwrun";
permissions = "0400";
SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
'';
- };
+ }];
security.acme.certs."eldiron".extraDomains.${fqdn} = null;
services.myWebsites.tools.modules = [ "proxy_fcgi" "sed" ];
services.myWebsites.tools.vhostConfs.task = {
<FilesMatch "\.php$">
SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
</FilesMatch>
- Include /run/keys/webapps/tools-taskwarrior-web
+ Include /var/secrets/webapps/tools-taskwarrior-web
</Directory>
''
''
};
config = lib.mkIf cfg.enable {
- deployment.keys = etherpad.keys;
+ mySecrets.keys = etherpad.keys;
systemd.services.etherpad-lite = {
description = "Etherpad-lite";
wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ];
- wants = [ "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ];
+ after = [ "network.target" "postgresql.service" ];
+ wants = [ "postgresql.service" ];
environment.NODE_ENV = "production";
environment.HOME = etherpad.webappDir;
script = ''
exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
- --settings /run/keys/webapps/tools-etherpad
+ --settings /var/secrets/webapps/tools-etherpad
'';
serviceConfig = {
Restart = "always";
Type = "simple";
TimeoutSec = 60;
- ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad /run/keys/webapps/tools-etherpad-sessionkey /run/keys/webapps/tools-etherpad-apikey";
+ ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey";
};
};
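Review bot: The `after`/`wants` entries for `tools-etherpad-key.service`, `tools-etherpad-apikey-key.service` and `tools-etherpad-sessionkey-key.service` are dropped and nothing now orders etherpad-lite behind whatever installs `/var/secrets/webapps/tools-etherpad`; the mediagoblin-web hunk (`tools-mediagoblin-key.service`) and the peertube hunk (`tools-peertube-key.service`) make the same change. If the mySecrets module writes the files from an activation script they exist before any unit starts and this is fine, but if it installs them through a unit, the `--settings` argument and the `ExecStartPre` chown will race it and `Restart = "always"` will loop on the failure until the file appears; in that case that unit belongs in `after` and `wants`. Separately, `/run/keys` is the NixOps ramfs, so the move to `/var/secrets` keeps these 0400 files on persistent storage unless the mySecrets module mounts or encrypts that path; a one-line comment at the `mySecrets.keys` assignment saying where the files are expected to live would make that trade-off explicit.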
"ep_subscript_and_superscript"
"ep_timesliderdiff"
];
- keys = {
- tools-etherpad-apikey = {
- destDir = "/run/keys/webapps";
+ keys = [
+ {
+ dest = "webapps/tools-etherpad-apikey";
permissions = "0400";
text = env.api_key;
- };
- tools-etherpad-sessionkey = {
- destDir = "/run/keys/webapps";
+ }
+ {
+ dest = "webapps/tools-etherpad-sessionkey";
permissions = "0400";
text = env.session_key;
- };
- tools-etherpad = {
- destDir = "/run/keys/webapps";
+ }
+ {
+ dest = "webapps/tools-etherpad";
permissions = "0400";
text =
# Make sure we’re not rebuilding whole libreoffice just because of a
"logconfig" : { "appenders": [ { "type": "console" } ] }
}
'';
- };
- };
+ }
+ ];
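Review bot: The three etherpad entries carry only `permissions = "0400"` and no `user`/`group`, although the mySecrets key format accepts both (the taskwarrior, mastodon, mediagoblin and peertube keys in this change set them). That is presumably why the service keeps the root-privileged `ExecStartPre = "+…chown etherpad-lite:etherpad-lite …"` in the default.nix hunk to make the files readable after install. Adding `user = "etherpad-lite";` and `group = "etherpad-lite";` to each of the three entries would let that ExecStartPre be removed, so no step of the unit runs as root and the ownership is declared once next to the secret. The attribute set enclosing this `keys` list continues outside the hunk.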
webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec {
__noChroot = true;
patches = [ ./libreoffice_patch.diff ];
install -t $out/src/ -vDm 644 src/.ep_initialized
cp -a node_modules $out/
cp -a src/* $out/src/
- ln -sf /run/keys/webapps/tools-etherpad-sessionkey $out/SESSIONKEY.txt
- ln -sf /run/keys/webapps/tools-etherpad-apikey $out/APIKEY.txt
+ ln -sf /var/secrets/webapps/tools-etherpad-sessionkey $out/SESSIONKEY.txt
+ ln -sf /var/secrets/webapps/tools-etherpad-apikey $out/APIKEY.txt
cp ${jquery} $out/src/static/js/jquery.js
mkdir $out/doc
};
config = lib.mkIf cfg.enable {
- deployment.keys = mastodon.keys;
+ mySecrets.keys = mastodon.keys;
ids.uids.mastodon = myconfig.env.tools.mastodon.user.uid;
ids.gids.mastodon = myconfig.env.tools.mastodon.user.gid;
serviceConfig = {
User = "mastodon";
- EnvironmentFile = "/run/keys/webapps/tools-mastodon";
+ EnvironmentFile = "/var/secrets/webapps/tools-mastodon";
PrivateTmp = true;
Restart = "always";
TimeoutSec = 15;
serviceConfig = {
User = "mastodon";
- EnvironmentFile = "/run/keys/webapps/tools-mastodon";
+ EnvironmentFile = "/var/secrets/webapps/tools-mastodon";
PrivateTmp = true;
Restart = "always";
TimeoutSec = 60;
serviceConfig = {
User = "mastodon";
- EnvironmentFile = "/run/keys/webapps/tools-mastodon";
+ EnvironmentFile = "/var/secrets/webapps/tools-mastodon";
PrivateTmp = true;
Restart = "always";
TimeoutSec = 15;
'';
buildInputs = [ yarnModules ];
});
- keys.tools-mastodon = {
- destDir = "/run/keys/webapps";
+ keys.mastodon = {
+ dest = "webapps/tools-mastodon";
user = "mastodon";
group = "mastodon";
permissions = "0400";
builder = writeText "build_mastodon_immae" ''
source $stdenv/setup
set -a
- ${keys.tools-mastodon.text}
+ ${keys.mastodon.text}
set +a
cp -a $mastodon $out
cd $out
};
in
{
- inherit railsRoot keys varDir socketsDir gems;
+ inherit railsRoot varDir socketsDir gems;
+ keys = builtins.attrValues keys;
nodeSocket = "${socketsDir}/live_immae_node.sock";
railsSocket = "${socketsDir}/live_immae_puma.sock";
}
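Review bot: `${keys.mastodon.text}` is still interpolated into the `writeText "build_mastodon_immae"` builder, so the same content that is installed as a 0400 `EnvironmentFile` at `/var/secrets/webapps/tools-mastodon` also ends up in the world-readable Nix store (and in any binary cache this host pushes to); the rename does not change that. If the build only needs those variables to be set, dummy values in the builder with the real file read at runtime only would keep the secret out of the store; otherwise at least mark the exposure with a comment above the `set -a` line, e.g. `# NOTE: keys.mastodon.text is copied into the store by writeText and contains the runtime secrets`. The `builder` derivation and the `keys` attribute set both begin before this hunk.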
};
config = lib.mkIf cfg.enable {
- deployment.keys = mediagoblin.keys;
+ mySecrets.keys = mediagoblin.keys;
ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;
systemd.services.mediagoblin-web = {
description = "Mediagoblin service";
wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "tools-mediagoblin-key.service" ];
- wants = [ "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ];
+ after = [ "network.target" ];
+ wants = [ "postgresql.service" "redis.service" ];
environment.SCRIPT_NAME = "/mediagoblin/";
url_scheme = https
'';
- keys.tools-mediagoblin = {
- destDir = "/run/keys/webapps";
+ keys = [{
+ dest = "webapps/tools-mediagoblin";
user = "mediagoblin";
group = "mediagoblin";
permissions = "0400";
[[mediagoblin.media_types.image]]
[[mediagoblin.media_types.video]]
'';
- };
+ }];
pythonRoot =
with pkgs.gst_all_1;
stdenv.mkDerivation {
--prefix GI_TYPELIB_PATH : ${typelib_paths}
find . -type f -exec sed -i "s|$mediagoblin|$out|g" {} \;
ln -s ${paste_local} ./paste_local.ini
- ln -s /run/keys/webapps/tools-mediagoblin ./mediagoblin_local.ini
+ ln -s /var/secrets/webapps/tools-mediagoblin ./mediagoblin_local.ini
ln -sf ${varDir} ./user_dev
'';
};
systemd.services.peertube = {
description = "Peertube";
wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "postgresql.service" "tools-peertube-key.service" ];
- wants = [ "postgresql.service" "tools-peertube-key.service" ];
+ after = [ "network.target" "postgresql.service" ];
+ wants = [ "postgresql.service" ];
environment.NODE_CONFIG_DIR = "${peertube.varDir}/config";
environment.NODE_ENV = "production";
unitConfig.RequiresMountsFor = peertube.varDir;
};
- deployment.keys.tools-peertube = {
- destDir = "/run/keys/webapps";
+ mySecrets.keys = [{
+ dest = "webapps/tools-peertube";
user = "peertube";
group = "peertube";
permissions = "0640";
text = peertube.config;
- };
+ }];
system.activationScripts.peertube = {
deps = [ "users" ];
text = ''
install -m 0750 -o peertube -g peertube -d ${peertube.varDir}
install -m 0750 -o peertube -g peertube -d ${peertube.varDir}/config
- ln -sf /run/keys/webapps/tools-peertube ${peertube.varDir}/config/production.yaml
+ ln -sf /var/secrets/webapps/tools-peertube ${peertube.varDir}/config/production.yaml
'';
};