Move mastodon secret to secure location
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Tue, 16 Apr 2019 12:07:47 +0000 (14:07 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Tue, 16 Apr 2019 12:07:47 +0000 (14:07 +0200)
Related issue: https://git.immae.eu/mantisbt/view.php?id=122

nixops/modules/websites/tools/mastodon/default.nix
nixops/modules/websites/tools/mastodon/mastodon.nix

index ebea48f4a72d59817fe728b34723b6bb2fff4ba1..048d845c8906b200ae33c1e7d44b6c161bd2509f 100644 (file)
@@ -13,6 +13,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    deployment.keys = mastodon.keys;
     ids.uids.mastodon = myconfig.env.tools.mastodon.user.uid;
     ids.gids.mastodon = myconfig.env.tools.mastodon.user.gid;
 
@@ -54,7 +55,7 @@ in {
 
       serviceConfig = {
         User = "mastodon";
-        EnvironmentFile = mastodon.config;
+        EnvironmentFile = "/run/keys/webapps/tools-mastodon";
         PrivateTmp = true;
         Restart = "always";
         TimeoutSec = 15;
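Review bot: The new EnvironmentFile path is under /run/keys, which NixOps fills out-of-band on deploy and which is a tmpfs that does not survive a reboot, so the unit needs an ordering dependency on the key unit NixOps generates for the deployment key; nothing in this hunk shows one, and the unit's non-serviceConfig attributes are outside the hunk. Unless it is already declared elsewhere, add `after = [ "tools-mastodon-key.service" ]; wants = [ "tools-mastodon-key.service" ];` to this unit and to the two other units in this file whose EnvironmentFile is switched the same way, otherwise a boot can start the service before the file exists and systemd will fail it. It is also worth a one-line comment next to the path, since the file is not in the store or in any persisted config: `# delivered by NixOps to tmpfs; re-sent with nixops send-keys after a reboot`.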
@@ -87,7 +88,7 @@ in {
 
       serviceConfig = {
         User = "mastodon";
-        EnvironmentFile = mastodon.config;
+        EnvironmentFile = "/run/keys/webapps/tools-mastodon";
         PrivateTmp = true;
         Restart = "always";
         TimeoutSec = 60;
@@ -116,7 +117,7 @@ in {
 
       serviceConfig = {
         User = "mastodon";
-        EnvironmentFile = mastodon.config;
+        EnvironmentFile = "/run/keys/webapps/tools-mastodon";
         PrivateTmp = true;
         Restart = "always";
         TimeoutSec = 15;
index 90e537f011e4931c6b7360f9d4fd331ab4af1ff5..944b2dbaa9599b0d0cec0f6f09c8ef821e41d4f5 100644 (file)
@@ -58,55 +58,62 @@ let
     '';
     buildInputs = [ yarnModules ];
   });
-  config = writeText "mastodon_environment" ''
-    REDIS_HOST=${env.redis.host}
-    REDIS_PORT=${env.redis.port}
-    REDIS_DB=${env.redis.db}
-    DB_HOST=${env.postgresql.socket}
-    DB_USER=${env.postgresql.user}
-    DB_NAME=${env.postgresql.database}
-    DB_PASS=${env.postgresql.password}
-    DB_PORT=${env.postgresql.port}
+  keys.tools-mastodon = {
+    destDir = "/run/keys/webapps";
+    user = "mastodon";
+    group = "mastodon";
+    permissions = "0400";
+    text = ''
+      REDIS_HOST=${env.redis.host}
+      REDIS_PORT=${env.redis.port}
+      REDIS_DB=${env.redis.db}
+      DB_HOST=${env.postgresql.socket}
+      DB_USER=${env.postgresql.user}
+      DB_NAME=${env.postgresql.database}
+      DB_PASS=${env.postgresql.password}
+      DB_PORT=${env.postgresql.port}
 
-    LOCAL_DOMAIN=mastodon.immae.eu
-    LOCAL_HTTPS=true
-    ALTERNATE_DOMAINS=immae.eu
+      LOCAL_DOMAIN=mastodon.immae.eu
+      LOCAL_HTTPS=true
+      ALTERNATE_DOMAINS=immae.eu
 
-    PAPERCLIP_SECRET=${env.paperclip_secret}
-    SECRET_KEY_BASE=${env.secret_key_base}
-    OTP_SECRET=${env.otp_secret}
+      PAPERCLIP_SECRET=${env.paperclip_secret}
+      SECRET_KEY_BASE=${env.secret_key_base}
+      OTP_SECRET=${env.otp_secret}
 
-    VAPID_PRIVATE_KEY=${env.vapid.private}
-    VAPID_PUBLIC_KEY=${env.vapid.public}
+      VAPID_PRIVATE_KEY=${env.vapid.private}
+      VAPID_PUBLIC_KEY=${env.vapid.public}
 
-    SMTP_DELIVERY_METHOD=sendmail
-    SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
-    SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
-    PAPERCLIP_ROOT_PATH=${varDir}
+      SMTP_DELIVERY_METHOD=sendmail
+      SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
+      SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
+      PAPERCLIP_ROOT_PATH=${varDir}
 
-    STREAMING_CLUSTER_NUM=1
+      STREAMING_CLUSTER_NUM=1
 
-    RAILS_LOG_LEVEL=warn
+      RAILS_LOG_LEVEL=warn
 
-    # LDAP authentication (optional)
-    LDAP_ENABLED=true
-    LDAP_HOST=ldap.immae.eu
-    LDAP_PORT=636
-    LDAP_METHOD=simple_tls
-    LDAP_BASE="dc=immae,dc=eu"
-    LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
-    LDAP_PASSWORD="${env.ldap.password}"
-    LDAP_UID="uid"
-    LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
+      # LDAP authentication (optional)
+      LDAP_ENABLED=true
+      LDAP_HOST=ldap.immae.eu
+      LDAP_PORT=636
+      LDAP_METHOD=simple_tls
+      LDAP_BASE="dc=immae,dc=eu"
+      LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
+      LDAP_PASSWORD="${env.ldap.password}"
+      LDAP_UID="uid"
+      LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
     '';
+  };
 
+    # FIXME: build machine will contain some passwords in the nix store
     railsRoot = stdenv.mkDerivation {
       name = "mastodon_immae";
-      inherit config mastodon;
+      inherit mastodon;
       builder = writeText "build_mastodon_immae" ''
         source $stdenv/setup
         set -a
-        source $config
+        ${keys.tools-mastodon.text}
         set +a
         cp -a $mastodon $out
         cd $out
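Review bot: The secrets still land in the Nix store on the build side: the `${keys.tools-mastodon.text}` line that replaces `source $config` splices DB_PASS, SECRET_KEY_BASE, OTP_SECRET, VAPID_PRIVATE_KEY and LDAP_PASSWORD verbatim into the `build_mastodon_immae` builder script, a world-readable store path that would also be pushed to any binary cache, so moving the runtime file to /run/keys protects only the runtime copy, as the FIXME above concedes. The build should see only the non-secret settings; split the text into a public part that both the key file and the builder use, and keep the secrets solely in the key's text. The builder body continues outside the hunk, so which variables the later build steps actually need cannot be confirmed here; if a step genuinely needs a secret, it belongs at activation or service start time rather than inside a derivation.
```nix
  # Non-secret settings, shared by the runtime key file and the build.
  publicEnv = ''
    REDIS_HOST=${env.redis.host}
    REDIS_PORT=${env.redis.port}
    REDIS_DB=${env.redis.db}
    DB_HOST=${env.postgresql.socket}
    DB_USER=${env.postgresql.user}
    DB_NAME=${env.postgresql.database}
    DB_PORT=${env.postgresql.port}
    LOCAL_DOMAIN=mastodon.immae.eu
    LOCAL_HTTPS=true
    ALTERNATE_DOMAINS=immae.eu
    PAPERCLIP_ROOT_PATH=${varDir}
    # … other non-secret settings (SMTP, streaming, log level, LDAP host/base/bind DN) …
  '';
  keys.tools-mastodon = {
    # … unchanged: destDir, user, group, permissions …
    # Secrets live only here; this text is never interpolated into a derivation.
    text = publicEnv + ''
      DB_PASS=${env.postgresql.password}
      PAPERCLIP_SECRET=${env.paperclip_secret}
      SECRET_KEY_BASE=${env.secret_key_base}
      OTP_SECRET=${env.otp_secret}
      VAPID_PRIVATE_KEY=${env.vapid.private}
      VAPID_PUBLIC_KEY=${env.vapid.public}
      LDAP_PASSWORD="${env.ldap.password}"
    '';
  };
    railsRoot = stdenv.mkDerivation {
      # … unchanged: name, inherit mastodon …
      builder = writeText "build_mastodon_immae" ''
        source $stdenv/setup
        set -a
        ${publicEnv}
        set +a
        # … unchanged: copy and build steps …
      '';
    };
```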
@@ -121,7 +128,7 @@ let
     };
 in
   {
-    inherit railsRoot config varDir socketsDir gems;
+    inherit railsRoot keys varDir socketsDir gems;
     nodeSocket = "${socketsDir}/live_immae_node.sock";
     railsSocket = "${socketsDir}/live_immae_puma.sock";
   }